Contract
Between
the Driver and Vehicle Licensing Agency, on behalf
of the Secretary of State for Transport (the “DVLA”)
and
Marston (Holdings) Limited
For The Provision of Vehicle Keeper Data using the
Keeper at Date of Event (KADOE) Service
KADOE Commercial Customer Contract V11 May 2018 ©Crown copyright 2018
The following handling instructions apply to this document:
• Handle, use and transmit with care;
• Take basic precautions against accidental compromise,
opportunist or deliberate attack;
• Dispose of sensibly by destroying in a manner to make
reconstruction unlikely.
1
link to page 6 link to page 6 link to page 6 link to page 6 link to page 6 link to page 6 link to page 6 link to page 6 link to page 6 link to page 6 link to page 7 link to page 7 link to page 7 link to page 7 link to page 7 link to page 7 link to page 7 link to page 8 link to page 8 link to page 8 link to page 8 link to page 19 link to page 19 link to page 19 link to page 19 link to page 19 link to page 19 link to page 20 link to page 20 link to page 20 link to page 20 link to page 20 link to page 20 link to page 21 link to page 21 link to page 21 link to page 21 link to page 22 link to page 22 link to page 22 link to page 22 link to page 22 link to page 22 link to page 22 link to page 22 link to page 23 link to page 23 link to page 25 link to page 25 link to page 25 link to page 25 link to page 25 link to page 25 link to page 25 link to page 25 link to page 28 link to page 28 link to page 28 link to page 28
CONTENTS
PART A
GENERAL PROVISIONS
A1
Parties to this Contract
A2
Purpose of this Contract
A3
Effective Date of the Contract
A4
The Customer’s Status
A5
The DVLA’s Obligations
A6
Compliance with the Law and Industry Best
Practice
A7
Notices
A8
Conflicts of Interest
A9
Definitions and Interpretation
PART B
THE PROVISION OF DATA UNDER THE CONTRACT
B1
The DVLA’s Legal Powers to Share the Data
B2
Purpose For Which Data Is Provided
B3
The KADOE Service
B4
Link Providers
B5
Time Limits for Data Requests
B6
Requirements for Requests for Data
B7
Accuracy of the Data
B8
Geographical Extent of the Data
B9
Data That Is Not Available Via Any Electronic
Service
B10
Technical Requirements for Secure Transmission
of the Data
B11
Commencement of the KADOE Service
PART C
MANAGEMENT OF THE CONTRACT
C1
The Customer’s Key Staff
C2
The DVLA Representative and Points of Contact
C3
Reviews and Meetings
PART D
DATA PROTECTION
D1
Data Protection Legislation
2
link to page 29 link to page 29 link to page 30 link to page 30 link to page 30 link to page 30 link to page 31 link to page 31 link to page 32 link to page 32 link to page 32 link to page 32 link to page 32 link to page 32 link to page 33 link to page 33 link to page 33 link to page 33 link to page 33 link to page 33 link to page 34 link to page 34 link to page 36 link to page 36 link to page 36 link to page 36 link to page 36 link to page 36 link to page 37 link to page 37 link to page 37 link to page 37 link to page 38 link to page 38 link to page 38 link to page 38 link to page 38 link to page 38 link to page 39 link to page 39 link to page 39 link to page 39 link to page 39 link to page 39 link to page 41 link to page 41 link to page 41 link to page 41 link to page 43 link to page 43 link to page 43 link to page 43 link to page 43 link to page 43 link to page 45 link to page 45 link to page 45 link to page 45 link to page 46 link to page 46
D2
Data Security
D3
Malicious Software
D4
Transfer of the Data outside the UK
D5
Restrictions on Disclosure of the Data
D6
Retention of Data and Evidence
D7
The Customer’s Vetting and Disciplinary Policies
D8
The Customer’s Internal Compliance Checks
D9
Audits and Reviews
D10
Incidents
D11
Inspection by the DVLA
D12
Action on Complaint
PART E
PAYMENT
E1
Payment
E2
The Customer or its Link Provider’s Failure to Pay
E3
Fee Review by the DVLA
E4
Deductions
PART F
STATUTORY OBLIGATIONS
F1
Prevention of Corruption
F2
Prevention of Fraud
F3
Discrimination
F4
The Contracts (Rights of Third Parties) Act 1999
F5
Health & Safety
PART G
PROTECTION OF INFORMATION
G1
Confidential Information
G2
Publicity and Media
G3
Intellectual Property Rights
G4
Crown Copyright and Publication
PART H
CONTROL OF THE CONTRACT
H1
Transfer and Sub-Contracting
H2
Insolvency
3
link to page 48 link to page 48 link to page 48 link to page 48 link to page 49 link to page 49 link to page 49 link to page 49 link to page 50 link to page 50 link to page 50 link to page 50 link to page 51 link to page 51 link to page 51 link to page 51 link to page 51 link to page 52 link to page 52 link to page 52 link to page 52 link to page 52 link to page 52 link to page 53 link to page 53 link to page 55 link to page 55 link to page 55 link to page 55 link to page 55 link to page 55 link to page 55 link to page 56 link to page 56 link to page 56 link to page 56 link to page 57 link to page 57 link to page 57 link to page 57 link to page 58 link to page 58 link to page 59 link to page 59 link to page 59 link to page 59 link to page 59 link to page 60 link to page 60 link to page 62 link to page 62 link to page 62 link to page 62 link to page 62 link to page 62 link to page 66 link to page 66
H3
Change of Control
H4
Waiver
H5
Variation
H6
Severability
H7
Remedies Cumulative
H8
Entire Agreement
PART I
LIABILITY, INDEMNITY, MITIGATION AND
INSURANCE
I1
Liability
I2
Indemnity
I3
Mitigation
I4
Insurance
I5
Warranties and Representations
PART J
DEFAULTS, DISRUPTION, SUSPENSION &
TERMINATION
J1
Break
J2
Termination for Material Breach
J3
Suspension of the KADOE Service
J4
Effect of Suspension
J5
Insolvency
J6
Other Termination Rights
J7
Consequences of Suspension and Termination
J8
Supply of Data to Related Persons After
Termination
J9
Disruption
J10
Force Majeure
PART K
LAW AND DISPUTE RESOLUTION
K1
Governing Law and Jurisdiction
K2
Dispute Resolution
PART L
SIGNATURES
4
link to page 67 link to page 67 link to page 71 link to page 71 link to page 76 link to page 76 link to page 76 link to page 81 link to page 81 link to page 85
SCHEDULE 1
FEES
SCHEDULE 2
MINIMUM DATA SECURITY REQUIREMENTS
SCHEDULE 3
REQUIRED TERMS FOR CONTRACTS WITH SUB-
CONTRACTORS
ANNEX A
PERMITTED PURPOSE(S)
ANNEX B
CUSTOMER’S KEY STAFF
5
link to page 66 link to page 66 link to page 66 link to page 55 link to page 55
PART A
GENERAL PROVISIONS
A1.
Parties to this Contract
A1.1. This Contract is made between the Parties:
(1) the
Secretary of State for Transport acting through the
Driver and
Vehicle Licensing Agency, whose principal office is at Longview
Road, Morriston, Swansea SA6 7JL (the “DVLA”); and
(2)
Marston (Holdings) Limited a company registered under company
number 04305487 whose registered office is at Rutland House, 8th
Floor, 148 Edmund Street, Birmingham, B3 2JR (the “Customer”).
A2.
Purpose of this Contract
A2.1. The purpose of this Contract is to set out the basis upon which the DVLA
agrees to provide Data regarding the keeper of a vehicle at the date of
an event to the Customer, on request, using the electronic service
detailed in the KADOE External Interface Specification, and the
Customer agrees to pay the DVLA for that service.
A3.
Effective Date of the Contract
A3.1. This Contract shall commence upon dated signature by DVLA
in PART
L (SIGNATURES), and will remain in force subject to termination or
break in accordance with clause
s J1 and J2. This will be known as the
Effective Date of the Contract.
A4.
The Customer’s Status
A4.1. At all times during the term of this Contract the Customer shall be an
independent customer and nothing in the Contract shall create a
contract of employment, a relationship of agency or partnership or a joint
venture between the Parties and accordingly neither Party shall be
6
authorised to act in the name of, or on behalf of, or otherwise bind the
other Party save as expressly permitted by the terms of the Contract.
A5.
The DVLA’s Obligations
A5.1. Save as otherwise expressly provided, the obligations of the DVLA
under the Contract are obligations of the DVLA in its capacity as a
contracting counterparty and nothing in the Contract shall operate as an
obligation upon, or in any other way fetter or constrain the DVLA in any
other capacity, nor shall the exercise by the DVLA of its duties and
powers in any other capacity lead to any liability under the Contract
(howsoever arising) on the part of the DVLA to the Customer.
A5.2. The DVLA is an executive agency of the Department for Transport and
has no separate legal entity from that Department.
A6.
Compliance with the Law and Industry Best Practice
A6.1. The Customer shall at all times comply with Law and Industry Best
Practice in carrying out its obligations under the Contract.
A7.
Notices
A7.1. Except as otherwise expressly provided within the Contract, no notice
or other communication from one Party to the other shall have any
validity under the Contract unless made in writing by or on behalf of the
Party concerned.
A7.2. Any notice or other communication which is to be given by either Party
to the other shall be given by letter, sent by hand, first class post,
recorded delivery or special delivery or by electronic mail. Such letters
to the DVLA shall be written on the Customer’s headed paper and
addressed to the DVLA Representative. Such letters to the Customer
shall be addressed to the Commercial Manager listed in
ANNEX B at
the Customer’s registered office. Provided the relevant communication
is not returned as undelivered, the notice or communication is deemed
to have been given 2 Working Days after the day on which the letter
7
was received, or 4 hours in the case of electronic mail, or at such earlier
time as the other Party acknowledges receipt of such letters or items of
electronic mail.
A7.3. If the Customer intends to change its company name or its registered
office address as recorded at Companies House, or intends to use a
different trading name, the Customer’s Commercial Manager shall give
the DVLA notice of the change in writing on the Customer’s headed
paper.
A8.
Conflicts of Interest
A8.1. The Customer shall take appropriate steps to ensure that neither the
Customer nor any Customer’s Staff is placed in a position where, in the
reasonable opinion of the DVLA, there is or may be an actual conflict,
or a potential conflict, between the pecuniary or personal interests of the
Customer and the duties owed to the DVLA under the provisions of this
Contract. The Customer shall disclose to the DVLA full particulars of
any such conflict of interest which may arise.
A8.2. The DVLA reserve the right to terminate the Contract immediately by
notice in writing and/or to take such other steps it deems necessary
where, in the reasonable opinion of the DVLA, there is or may be an
actual conflict, or a potential conflict, between the pecuniary or personal
interests of the Customer and the duties owed to the DVLA under the
provisions of the Contract. The actions of the DVLA pursuant to this
clause shall not prejudice or affect any right of action or remedy which
shall have accrued or shall thereafter accrue to the DVLA.
A9.
Definitions and Interpretation
A9.1. In this Contract unless the context otherwise requires the following
provisions have the meanings given to them below:
“Annex” means an annex attached to, and forming part of, the Contract.
8
link to page 23 link to page 23 link to page 23
“Business to Business Gateway” means the DVLA system that delivers a set of
electronic message based services for all high volume business to business
transactions and is housed in a secure environment that adheres to the e-
Government Information Framework (“e-GIF”) standards.
“Commencement Date” means the commencement date of the KADOE Service
notified to the Customer under clause
B11 (Commencement of the KADOE
Service).
“Commercial Manager” shall have the meaning given in clause C1.2a).
“Confidential Information” means any information which has been designated
as confidential by either Party in writing or that ought to be considered as
confidential (however it is conveyed or on whatever media it is stored) including
information the disclosure of which would, or would be likely to, prejudice the
commercial interests of any person, trade secrets, Intellectual Property Rights
and know-how of either Party and all “Personal Data” within the meaning of
Data Protection Legislation. Confidential Information shall not include
information which:
i)
was public knowledge at the time of disclosure (otherwise than by breach
of clause G1 (
Confidential Information));
ii)
was in the possession of the receiving Party, without restriction as to its
disclosure, before receiving it from the disclosing Party;
iii)
is received from a third party (who lawfully acquired it) without restriction
as to its disclosure;
iv)
is independently developed without access to the Confidential
Information;
v)
is agreed by the Parties in writing not to be confidential.
“Contract” means this written agreement between the DVLA and the Customer
consisting of these clauses and any attached Schedules and Annexes.
9
“Contracting Authority” means any contracting authority as defined in
Regulation 2 of the Public Contracts Regulations 2015 (as amended).
“Conviction” means, other than for minor road traffic offences, any previous or
pending prosecutions, convictions, cautions and binding-over orders (including
any spent convictions as contemplated by section 1(1) of the Rehabilitation of
Offenders Act 1974 (as amended) by virtue of the exemptions specified in Part
II of Schedule 1 of the Rehabilitation of Offenders Act 1974 (Exemptions) Order
1975 (SI 1975/1023) (as amended) or any replacement or amendment to that
Order, or being placed on a list kept pursuant to the safeguarding of Vulnerable
Groups Act 2006 (as amended).
“Crown” means the government of the United Kingdom (including the Northern
Ireland Executive Committee and Northern Ireland Departments, the Scottish
Executive and the National Assembly for Wales), including, but not limited to,
government ministers, government departments, government and particular
bodies and government agencies.
“Data” means data from the vehicles register described in the KADOE External
Interface Specification, including in response to each request the name and
address listed on the vehicles register as the name and address of the
registered keeper of the vehicle on the relevant date. The Data includes
Personal Data as defined by Data Protection Legislation.
“Data Controller” has the meaning given to that term (or the term ‘Controller’) in
Data Protection Legislation, means the natural or legal person, public authority,
agency or other body which, alone or jointly with others, determines the
purposes and means of the processing of Personal Data; where the purposes
and means of such processing are determined by Union or Member State law,
the controller or the specific criteria for its nomination may be provided for by
Union or Member State law.
“Data Manager” shall have the meaning given in clause C1.2.b)
10
“Data Processor” has the meaning given to that term (or the term ‘Processor’)
in Data Protection Legislation means a natural or legal person, public authority,
agency or other body which processes personal data on behalf of the controller.
“Data Protection Legislation” means:
(i)
the General Data Protection Regulation (Regulation (EU) 2016/679),
the Law Enforcement Directive (LED) and any applicable national
implementing Laws as amended from time to time;
(ii)
the Data Protection Act 2018 (as amended) [subject to Royal Assent]
to the extent that it relates to processing of personal data and privacy;
(iii)
all applicable Law about the processing of personal data and privacy.
“Data Subject” has the meaning given to that term in Data Protection
Legislation, means an identified or identifiable natural person directly or
indirectly through Personal Data.
“Data Subject Access Request” means a request made by, or on behalf of, a
Data Subject in accordance with rights granted pursuant to the Data Protection
Legislation to access their Personal Data.
“Days” shall mean calendar days, save where the context otherwise requires.
“Debt Assignment” means when debt and Data related to a Permitted Purpose
(listed in
ANNEX A) is assigned or sold to a third party debt collector who
becomes the legal owner of such debt. For the avoidance of doubt, the
disclosure of Data to third parties as part of a debt assignment agreement is
not permitted.
“Default” means any breach of the obligations of the relevant Party (including
but not limited to fundamental breach or breach of a fundamental term) or any
other default, act, omission, negligence or negligent statement of the relevant
Party or the Staff in connection with or in relation to the subject matter of the
Contract and in respect of which such Party is liable to the other.
11
link to page 66 link to page 66
“Dispute” means any dispute, difference or question of interpretation arising
out of or in connection with this Contract, including any dispute, difference or
question of interpretation relating to the KADOE Service or protection of the
Data or any matter where this Contract directs the Parties to resolve any issue
by reference to the Dispute Resolution Procedure.
“DVLA” means the Secretary of State for Transport, his Department,
Executive Agencies of the Department and persons authorised to act on their
behalf.
“DVLA Chosen Supplier” means the person that provides the line installation
and configuration which enables connection to the DVLA’s Business to
Business Gateway, through which the Data is requested from the DVLA and
transmitted to the Link Provider.
“DVLA Representative” means a competent person appointed by the DVLA to
be its representative in relation to the performance of the Contract.
“Effective Date” means the date this Contract becomes effective upon dated
signature by DVLA in accordance with
PART L –
(SIGNATURES).
“Equipment” means the Customer’s equipment, plant, materials and such
other items used by the Customer in the performance of its obligations under
the Contract, or otherwise used to access or store Data.
“FOIA” means the Freedom of Information Act 2000 (as amended) and any
subordinate legislation made under this Act from time to time together with
any guidance/and or codes of practice issued by the Information
Commissioner or relevant government departments in relation to such
regulations.
“Force Majeure” means any cause affecting the performance by a Party of its
obligations arising from acts, events, omissions, happenings or non-
happenings beyond the reasonable control of the Party concerned and which
is not attributable to any act or failure to take preventative action by that Party.
Such causes include fire; flood; violent storm; earthquake; pestilence;
12
explosion; malicious damage; riots; war or armed conflict; acts of terrorism;
nuclear, biological or chemical warfare; or any other disaster, natural or man-
made.
“Fraud” means any offence under Laws creating offences in respect of
fraudulent acts or at common law in respect of fraudulent acts in relation to
the Contract or defrauding or attempting to defraud or conspiring to defraud
the Crown.
“GDPR” means the General Data Protection Regulation (Regulation (EU)
2016/679).
“Industry Best Practice” means at any time the exercise of that degree of skill,
care, diligence, prudence, efficiency, foresight, standards, practices, methods,
procedures and timeliness which would be expected at such time from a
leading and expert company within the industry, such company seeking to
comply with its contractual obligations in full and complying with all applicable
Laws.
“Intellectual Property Rights” means patents, inventions, trade marks, service
marks, logos, design rights (whether registrable or otherwise), know how,
confidential information, trade marks discoveries, inventions, applications for
any of the foregoing, copyright, database rights, domain names, trade or
business names, moral rights and other similar rights or obligations whether
registrable or not in any country (including but not limited to the United
Kingdom) and the right to sue for passing off. In each case it includes these
rights and interests in every part of the world for their full terms, including any
renewals and extensions, and the right to receive any income from them and
any compensation in respect of their infringement.
“KADOE Customer Code” means the code allocated to the Customer by DVLA
as part of the technical set up process for the KADOE Service. The KADOE
Customer Code is specific to the Customer, and will identify the Customer on
DVLA’s systems.
13
link to page 25
“KADOE External Interface Specification” means the specification provided by
the DVLA to the Customer pursuant to clause B3.1.
“KADOE Link Code” means the code allocated by DVLA to the Customer as
part of the technical set up process for the KADOE Service. This is allocated
by DVLA when the Customer is a Link Provider, or if the Customer has its own
direct link with the DVLA via the Business to Business Gateway. The KADOE
Link Code will identify the Customer on DVLA’s systems.
“KADOE Service” means the provision of Data regarding the keeper of a
vehicle at the date of an event using the electronic service detailed in the
KADOE External Interface Specification electronic service.
“Key Staff” means those persons listed in the list completed by the Customer
in accordance with clause
C1.1
“Law” means any law, statute, subordinate legislation (as amended) within the
meaning of Section 21(1) of the Interpretation Act 1978 (as amended), bye-
law, exercise of the royal prerogative, enforceable community right within the
meaning of Section 2 of the European Communities Act 1972 (as amended),
regulatory policy, guidance or industry code, judgement of a relevant court of
law, or directives or requirements or any Regulatory Body which the Customer
is bound to comply.
“Link Provider” means the person that provides the secure technical link to the
DVLA’s Business to Business Gateway for the Customer, through which the
Data is requested from the DVLA and transmitted to the Customer. Where the
Customer has its own direct link with the DVLA Business to Business
Gateway, the Customer is acting as its own Link Provider.
“Loss” of any Data means any instance where the Data has been lost,
compromised, misplaced or destroyed, where unauthorised persons have
gained or been allowed access to the Data, or where, due to the breakdown
of, or failure to comply with protective security policies or measures including
technical and procedural measures, there is a potential that unintended or
unauthorised access to the Data may be possible.
14
link to page 19
“Malicious Software” means any software program or code intended to
destroy, interfere with, corrupt, or cause undesired effects on program files,
data or other information, executable code or application software macros,
whether or not its operation is immediate or delayed, and whether the
malicious software is introduced wilfully, negligently or without knowledge of
its existence.
“Material Breach” means a breach (including an anticipatory breach) which is
not minimal or trivial in its consequences to the other Party. In deciding
whether any breach is material no regard shall be had to whether it occurs by
some accident, mishap, mistake or misunderstanding.
“Month” means calendar month.
“Party” or “Parties” means a party to the Contract.
“Personal Data” means any information relating to an identified or identifiable
natural person (‘data subject’); an identifiable natural person is one who can
be identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, an online identifier or
to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person.
“Personal Data Breach” means any event that results, or may result in a breach
of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, Personal Data transmitted, stored or
otherwise processed.
“Permitted Purpose” means the purpose for which the Data is provided by the
DVLA to the Customer via the KADOE service as stated in clause
B2 and
ANNEX A of this Contract.
“Premises” means the location where the Data is to be supplied to the
Customer, or accessed, stored or destroyed by the Customer.
“Processing” has the meaning given to that term in Data Protection Legislation
(and related terms such as ‘Process’ have corresponding meaning)
15
Processing means any operation or set of operations which is performed on
Personal Data or on sets of Personal Data, whether or not by automated
means, such as collection, recording, organisation, structuring, storage,
adaption or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction.
“Related Persons” means the Customer, its directors, the Commercial
Manager, the Data Manager and the other Key Staff.
“Relevant Conviction” means a Conviction which the Customer, acting
reasonably and in accordance with Industry Best Practice, deems to preclude
a person from being involved in any way with use of the Data or lawful debt
collection on behalf of the Customer;
“Removable Media” means all physical items and devices that can carry and
transfer electronic information. Examples include but are not limited to DVDs,
CDs, floppy disks, portable hard disk drives, USB memory sticks, flash drives,
portable music and video players including mobile phones, hand held devices
such as Smartphones and Personal Digital Assistants.
“Schedule” means a schedule attached to, and forming part of, the Contract.
“Staff” means all persons employed by the Customer to perform its obligations
under the Contract together with the Customer’s servants, agents, suppliers
and sub-contractors used in the performance of its obligations under the
Contract.
“Sub-Contracting” means the Customer appointing a third party to provide
services on behalf of the Customer providing an appropriate Sub-Contracting
agreement is in place. The Customer will retain Data Controller responsibilities
while the Sub-Contractor is a Data Processor. Debt Assignment to a third party
company, which is not permitted under this agreement, does not constitute
Sub-Contracting. The Customer shall be responsible for the acts and
omissions of its Sub-Contractors as though they are its own.
16
link to page 49 link to page 49
“Sub-Contractor(s)” means a third party appointed by the Customer to provide
services on behalf of the Customer. The Customer will retain Data Controller
responsibilities while the Sub-Contractor is a Data Processor.
“Variation” has the meaning given to it in clause
H5 (Variation).
“VAT” means value added tax in accordance with the provisions of the Value
Added Tax Act 1994 (as amended).
“Working Day” means a day (other than a Saturday or Sunday) on which
banks are open for general business in the City of London.
A9.2. The interpretation and construction of this Contract shall be subject to
the following provisions:
a)
words importing the singular meaning include where the context so
admits the plural meaning and vice versa;
b)
words importing the masculine include the feminine and the neuter;
c)
reference to a clause is a reference to the whole of that clause unless
stated otherwise;
d)
reference to any statute, enactment, order, regulation or other similar
instrument shall be construed as a reference to the statute, enactment,
order, regulation or instrument as amended by any subsequent
enactment, modification, order, regulation or instrument as subsequently
amended or re-enacted;
e)
reference to any person shall include natural persons and partnerships,
firms and other incorporated bodies and all other legal persons of
whatever kind and however constituted and their successors and
permitted assigns or transferees;
f)
the words “include”, “includes” and “including” are to be construed as if
they were immediately followed by the words “without limitation”; and
17
g)
any obligation on a Party to do any act or thing includes an obligation to
procure that it be done and any obligation on a Party not to do any act or
thing includes an obligation not to allow that act or thing to be done and
to use its best endeavours to prevent such act or thing being done by a
third party; and
h)
headings are included in the Contract for ease of reference only and shall
not affect the interpretation or construction of the Contract.
18
link to page 81 link to page 81
PART B
THE PROVISION OF DATA UNDER THE CONTRACT
B1.
The DVLA’s Legal Powers to Share the Data
B1.1. The DVLA has the legal power, under regulation 27 of the Road
Vehicles (Registration and Licensing) Regulations 2002 (as amended),
to: “make any particulars contained in the vehicle register available to
authorised organisations for any purpose connected with the
investigation of an offence, or of a decriminalised parking
contravention.”
B2.
Purpose For Which Data Is Provided
B2.1. The DVLA shall provide each requested item of Data to the Customer
via the KADOE Service solely for the Permitted Purpose(s) stated in
ANNEX A (PERMITTED PURPOSE(S)). The Customer must adhere to
Data Protection Legislation when such information is exchanged.
B2.2. The Customer shall use each item of the Data only:
a)
for the Permitted Purpose for which it was provided and in accordance
with its obligations under Data Protection Legislation; and
b)
in relation to the particular date, event and purpose for which it was
requested.
B2.3. Before making each request for Data, the Customer shall gather
evidence to demonstrate and ensure that it has justification to request
that Data. This evidence may include scans, images, photographs,
correspondence and any other evidence that the Customer may rely on
to show its compliance with the requirements of this Contract.
B2.4. The Customer shall hold the Data on only one database and shall not
copy the Data nor link it to another database without the prior written
permission of the DVLA. This requirement does not apply to the Data
stored for backup or disaster recovery purposes.
19
link to page 30 link to page 49
B2.5. The requirements of clause
D4 (
Transfer of the Data outside the UK)
apply to the Customer’s backup or disaster recovery sites.
B2.6. The Customer shall use the Data only for its Permitted Purpose as
stated in
ANNEX A. No enquiries can be submitted for additional
purposes without a contract variation in accordance with clause
H5, and
formal written approval from DVLA.
B3.
The KADOE Service
B3.1. The DVLA shall provide to the Customer a copy of the KADOE External
Interface Specification, which describes:
a)
the technical requirements for the secure link to the DVLA’s Business to
Business Gateway through which the Data is requested and received;
and
b)
the nature and format of the Data that the DVLA will provide in response
to each request. This is data from the vehicles register, and includes
Personal Data as defined by Data Protection Legislation.
B3.2. The Data shall include the name and address listed on the vehicles
register as the name and address of the registered keeper of the vehicle
on the relevant date.
B4.
Link Providers
B4.1. The Customer shall seek the DVLA’s prior written agreement to the
Customer sub-contracting with a Link Provider to provide the secure
technical link to the DVLA’s Business to Business Gateway through
which the Data shall be requested and received by the Customer.
B4.2. If the DVLA terminates the supply to the Link Provider for any reason
unconnected with the conduct of the Customer, the Customer may
request and receive the Data using a paper service until the Customer
can re-connect to the KADOE Service through a Link Provider.
20
B5.
Time Limits for Data Requests
B5.1. The Customer may request Data using the KADOE Service relating to
events that occurred on or after the Commencement Date of the
KADOE Service.
B5.2. The Customer may request Data relating to events that occurred on the
day that the request is made, or in the preceding 26 weeks.
B6.
Requirements for Requests for Data
B6.1. In making each request for Data, the Customer shall correctly identify
the registration mark of the vehicle concerned and the date of the
relevant event.
B6.2. In making each request for Data, the Customer shall provide the correct
“KADOE Customer Code” to enable DVLA to identify the Customer as
the source of the request. If no “KADOE Customer Code” is given, the
Data shall not be provided.
B6.3. The DVLA shall endeavour to provide the KADOE Service 24 hours per
day. However, request files must be submitted before 16.00 hours on
Monday to Fridays, and must otherwise be in accordance with the
KADOE External Interface Specification. Where possible, the DVLA will
notify the Customer in advance when the KADOE Service will be
unavailable during maintenance.
B7.
Accuracy of the Data
B7.1. The DVLA shall take all reasonable steps to ensure that the Data is
accurate and up to date before it is transmitted to the Customer, but the
DVLA cannot warrant the accuracy of the Data provided. The DVLA
does not accept any liability for any inaccurate information supplied to it
by the keeper of the vehicle or any other source beyond its control.
B7.2. The Customer shall ensure before relying on any item of Data that the
Data provided matches the information in the request (for example, so
21
link to page 22
that the model, type and colour of the vehicle match) and shall not seek
to recover payment where the Data provided does not match the vehicle
information in the request.
B8.
Geographical Extent of the Data
B8.1. The KADOE Service provides access to Data relating to vehicles kept
by registered keepers whose addresses are in the United Kingdom.
B9.
Data That Is Not Available Via Any Electronic Service
B9.1. The KADOE Service does not provide access to Data from vehicle
keeper records that are marked as unavailable for release through any
electronic channel. DVLA cannot provide details of keeper records that
are marked as unavailable, and are unable to provide the reasons why.
B9.2. In such cases as described in clause
B9.1, DVLA may instead be able
to release Data contained on the vehicle keeper record to the Customer
in paper format via post. Where possible, DVLA will send hard copy
(VQ7) prints to the mailing address entered by the Customer on the
INS220 Vehicle Keeper at Date of Event (KADOE) registration form.
The Customer must notify DVLA in advance of any changes to the
address where the hard copy (VQ7) prints are to be sent by DVLA.
B10.
Technical Requirements for Secure Transmission of the Data
B10.1. The Data shall be transmitted to the Customer by the DVLA through the
Business to Business Gateway. The Customer warrants that it has
ensured that the method of provision of the Data by the DVLA is suitable
and satisfactory to meet the Customer’s needs.
B10.2. The Customer shall ensure that it has (or that its Link Provider has),
sufficient technical knowledge and expertise to understand, implement
and support the KADOE Service. This shall include technical resource
capable of setting up, managing and problem-solving issues involving
key technologies of Secure File Transfer Protocol (SFTP) and
22
networking, particularly including firewall configuration and network
address translation.
B11.
Commencement of the KADOE Service
B11.1. The DVLA shall notify the Customer of the Commencement Date of the
KADOE Service after:
a)
the Customer has:
B11.1.a.1.
signed and returned the Contract, including the List of Customer’s
Key Staff, and the Data Governance Assessment form; and
B11.1.a.2.
been allocated a “KADOE Customer Code” which will be used to
identify the Customer when making each request for Data; and
b)
the Customer or its Link Provider has:
B11.1.b.1.
completed a DVLA site survey questionnaire;
B11.1.b.2.
completed, signed and returned the relevant DVLA Code of
Connection;
B11.1.b.3.
made payment of the line rental and connection fees;
B11.1.b.4.
been allocated a “KADOE Link Code” which will be used to
identify the Customer or Link Provider when making each request
for Data;
B11.1.b.5.
obtained connectivity to the relevant network supplied by DVLA’s
chosen supplier;
B11.1.b.6.
deployed an SFTP server and client that utilises Open SSH;
B11.1.b.7.
performed basic testing with the DVLA; and
B11.1.b.8.
completed and satisfied the exit criteria for End to End Connected
testing and User Acceptance testing.
23
B11.2. The DVLA shall monitor the quality of the KADOE Service and report to
the Customer any issues discovered. The Customer or its Link Provider
shall monitor the quality of the KADOE Service the Customer receives
from the Business to Business Gateway, and the Customer shall report
to the DVLA any issues discovered.
24
link to page 7
PART C
MANAGEMENT OF THE CONTRACT
C1.
The Customer’s Key Staff
C1.1. The Customer shall complete the list at
ANNEX B (“Customer’s Key
Staff”) of the individuals who have direct responsibilities for the use of
the Data and for the Customer’s other obligations under this Contract,
giving their names and business addresses and other contact details
and specifying the capacities in which they are concerned with the Data.
C1.2. As a minimum, the list shall include details of the Customer’s registered
office and:
a) the manager who shall be responsible for the Customer’s general
contractual matters and shall receive Notices under clause
A7.2 sent to
the Customer’s registered office, and who shall be referred to in this
Contract as the Commercial Manager; and
b) the manager who is responsible for the management of the Data once
in the hands of the Customer, to be referred to in this Contract as the
Data Manager.
C1.3. The Customer shall inform the DVLA immediately of any changes in
personnel listed in
ANNEX B or their business contact details.
C2.
The DVLA Representative and Points of Contact
C2.1. The DVLA shall provide a list to the Customer of the DVLA
Representative and other individuals whom the Customer may contact
in relation to this Contract.
25
C3.
Reviews and Meetings
C3.1. The Customer shall upon receipt of reasonable notice and during
normal office hours attend all meetings arranged by the DVLA for the
discussion of matters connected with the performance of the Contract.
C3.2. Without prejudice to any other requirement in this Contract, the
Customer shall provide such reports on the performance of the Contract
or any other information relating to the Customer’s requests for and use
of the Data as the DVLA may reasonably require.
C3.3. The DVLA reserve the right to review the Contract at any time. Where
required, the DVLA and the Customer shall meet in person or via video
or telephone conference to review:
a)
the ongoing need for the KADOE Service as defined and any
consequential variation to the terms of the Contract;
b) the Permitted Purpose(s) for which the Data is provided;
c) the performance of the KADOE Service;
d) the volume of Data which the DVLA is providing to the Customer;
e)
the security arrangements governing the Customer’s safe receipt of the
Data and the Customer’s further use of the Data;
f)
the arrangements that the Customer has in place relating to the retention
and secure destruction of the Data;
g)
any audits that have been carried out that have relevance to the way that
the Customer is Processing the Data;
h) any security incidents that have occurred with the Data;
i)
the continued registration of the Customer’s company under the same
registered number;
26
j)
the training and experience of the Customer’s Staff in their duties and
responsibilities under Data Protection Legislation;
k)
other evidence that the Customer relies on to show its compliance with
the requirements of this Contract to support requests for Data made by
the Customer.
27
PART D
DATA PROTECTION
D1.
Data Protection Legislation
D1.1. The Parties shall comply with the requirements of Data Protection
Legislation and subordinate legislation made under it, or any legislation
which may supersede it, together with any relevant guidance and/or
codes of practice issued by the Information Commissioner. All these
requirements are referred to in this Contract as “Data Protection
Legislation”.
D1.2. For the purpose of
Part D, the terms “Data”, “Data Controller”, “Data
Processor”, “Data Subject”, “Information Commissioner”, “Information
Commissioner’s Office”, “Personal Data”, and “Processing” shall have
the meanings prescribed under Data Protection Legislation.
D1.3. The Parties agree that the Data constitutes Personal Data as they relate
to a living individual who can be identified from the Data.
D1.4. It is the duty of the Data Controller to comply with Data Protection
Legislation. The Customer, separately from the DVLA, shall be the Data
Controller of each item of Data received from the DVLA from the point
of receipt of that Data by the Customer, its Sub-Contractor or Link
Provider and shall be responsible for complying with data protection
principles in relation to its further Processing of that Data.
D1.5. The Customer shall (and shall ensure that each member of the
Customer’s Staff) comply with Data Protection Legislation and will duly
observe all their obligations under Data Protection Legislation which
arise in connection with the Contract.
D1.6. The DVLA is satisfied that providing the Data to the Customer for the
Permitted Purpose is compliant with Data Protection Legislation.
28
link to page 71 link to page 71
D1.7. The Customer shall ensure that the individual rights of the Data Subject
are taken into account in responding to any Data Subject Access
Request.
D1.8. The Customer shall notify DVLA immediately if it received a request
from any third party for disclosure of the Data where compliance with
such request is required or purported to be required by Law.
D1.9. The Parties agree to take account of any guidance issued by the
Information Commissioner’s Office. DVLA may on not less than 30
working days’ notice to the Customer amend this Contract to ensure
that it complies with any guidance issued by the Information
Commissioners Office.
D2.
Data Security
D2.1. Both Parties shall ensure the safe transportation/transmission of the
Data in accordance with the appropriate technical and organisational
measures.
D2.2. The Customer shall ensure the Data is processed in accordance with
Data Protection Legislation guidance and code of practice.
D2.3. The Customer shall comply with all the security requirements of the
DVLA, including as a minimum those set out in
SCHEDULE 2
(MINIMUM DATA SECURITY REQUIREMENTS) and any other
requirements that the DVLA shall make from time to time.
D2.4. The Customer shall notify the DVLA immediately, within a maximum of
24 hours of becoming aware, of any failure to comply with the
requirements set out in
SCHEUDLE 2 (MINIMUM DATA SECURITY
REQUIREMENTS) of this Contract.
D2.5. The Customer shall not transfer or in any way make data available to
third parties unconnected with the original purpose of the enquiry.
29
link to page 30 link to page 30
D2.6. The Customer will not sell the Data or permit it to be sold to any third
party.
D3.
Malicious Software
D3.1. The Customer shall, as an enduring obligation throughout the term of
this Contract, use the latest versions of anti-virus software available
from an industry accepted anti-virus software vendor to check for and
remove Malicious Software from the ICT Environment.
D3.2. Notwithstanding clause
D3.1, if Malicious Software is found, the Parties
shall co-operate to reduce the effect of the Malicious Software and,
particularly if Malicious Software causes loss of operational efficiency or
loss or corruption of Data, assist each other to mitigate any losses and
to restore the KADOE Service to their desired operating efficiency.
D3.3. Cost arising out of the actions of the Parties taken in compliance with
the provisions of clause
D3.2 shall be borne by the Parties as follows:
a)
by the Customer, its Sub-Contractor or Link Provider where the
Malicious Software originates from the Customer’s or Link Provider’s
software, any third party software or the Customer’s or Link Provider’s
data;
b)
by the DVLA if the Malicious Software originates from the DVLA’s
software or the Data.
D4.
Transfer of the Data outside the UK
D4.1. The Customer shall not transfer Personal Data outside of the EU
unless the prior written approval of the DVLA has been obtained and
the following conditions are fulfilled:
a)
the DVLA or the Customer has provided appropriate safeguards in
relation to the transfer (whether in accordance with GDPR Article 46
or LED Article 37) as determined by DVLA;
30
link to page 30 link to page 71 link to page 76 link to page 71
b)
the Data Subject has enforceable rights and effective legal remedies.
c)
the Customer complies with its obligations under the Data Protection
Legislation by providing an adequate level of protection to any
Personal Data that is transferred (or, if it is not so bound, uses its best
endeavours to assist the DVLA in meeting its obligations); and
d)
the Customer complies with any reasonable instructions notified to it
in advance by the DVLA with respect to the processing of Personal
Data.
D4.2. Where the DVLA gives the prior and express written approval referred
to in clause
D4.1, the Customer shall disclose the Data only to the extent
agreed and in accordance with any conditions attached to the giving of
that approval.
D5.
Restrictions on Disclosure of the Data
D5.1. The Customer shall respect the confidentiality of the Data and shall not
disclose it to any person, except in the following circumstances:
a)
to a Sub-Contractor who acts as the Customer’s Data Processor, with
whom the Customer shall have entered into a written contract that
requires the Data Processor to abide by requirements
in SCHEDULE 2
and the terms for sub-contractors set out in
SCHEDULE 3;
b)
to a Sub-Contractor who engages in debt collection, with whom the
Customer shall have entered into a written contract which requires the
Sub-Contractor to abide by the requirements
in SCHEDULE 2, and the
terms for Sub-Contractors set out in
SCHEDULE 3. For the avoidance
of doubt, the disclosure of Data to third parties as part of Debt
Assignment agreement is not permitted;
c)
with the prior written agreement of the DVLA (which may be given or
refused at the absolute discretion of the DVLA):
31
link to page 71 link to page 76 link to page 32 link to page 71
D5.1.c.1.
provided that the Customer shall have entered into a written
contract which requires the sub-contractor to abide by the
requirements
in SCHEDULE 2, and the terms for sub-contractors
set out
in SCHEDULE 3; and
D5.1.c.2.
in accordance with any other conditions attached to the giving of
that approval; or
d)
if required to do so by Law.
D6.
Retention of Data and Evidence
D6.1. In accordance with Data Protection Legislation, the Customer shall
retain each item of Data only for as long as is necessary with
reference to the Permitted Purpose for which it was shared.
D6.2. The Customer shall arrange for the secure destruction or deletion of
each item of Data, in accordance with the requirements of Data
Protection Legislation, as soon as it is no longer necessary to retain it.
D6.3. The Customer shall retain for two years from the date of the request, to
allow inspection by the DVLA, the evidence that the Customer relies on
to show its compliance with the requirements of this Contract. Such
evidence shall include evidence relating to any mismatched or incorrect
enquiries, which the Customer shall ensure are cross-referenced to the
correct enquiry with a full audit trail also retained. There is no need, for
DVLA’s inspection purposes, for the Data to be retained as part of this
requirement. The Data must be disposed of in accordance with the
provision of clause
D6.2 above.
D7.
The Customer’s Vetting and Disciplinary Policies
D7.1. The Customer shall maintain policies for vetting, hiring, training and
disciplining the Customer’s Staff and shall comply with these in respect
of each person who has access to the KADOE Service. The minimum
requirements for such vetting procedures are set out
in SCHEDULE 2
– MINIMUM DATA SECURITY REQUIREMENTS.
32
link to page 71
D8.
The Customer’s Internal Compliance Checks
D8.1. The Customer shall ensure that its business processes, records of
customer interactions and transactions, audit procedures on business
activities and financial reporting are appropriate and effective to ensure
proper use of the Data in compliance with this Contract and the
requirements of
Data Protection Legislation. The minimum
requirements for such internal compliance are set out
in SCHEDULE 2–
MINIMUM DATA SECURITY REQUIREMENTS.
D8.2. The Customer shall carry out its own internal compliance checks at least
annually and shall, upon the request of DVLA, provide details of the
outcome of such checks using the Data Governance Assessment Form
provided by DVLA.
D9.
Audits and Reviews
D9.1. The Customer shall share with the DVLA the outcome of any other
checks, audits or reviews that have been carried out on its activities as
a Data Controller that are relevant to the Processing of the Data.
D9.2. The Customer shall notify the DVLA immediately, and within a maximum
of 24 hours of becoming aware, of any audits that are being carried out
by the Information Commissioner’s Office under Data Protection
Legislation that are relevant to the Processing of the Data.
D10.
Incidents
D10.1. The Customer shall notify the DVLA immediately, within a maximum of
24 hours of becoming aware, of any loss, misuse or compromise of the
Data and keep the DVLA informed of any communications about that
breach with: the individuals whose Personal Data is affected; the
Information Commissioner’s Office; or the media.
D10.2. The Customer understands that as the Data Controller it shall be
responsible for taking any action necessary to resolve any such
incident.
33
D11.
Inspection by the DVLA
D11.1. The DVLA reserves the right to carry out an inspection at any time of
the Customer’s compliance with the terms of this Contract. Where
possible, the DVLA or an agent acting on its behalf shall give the
Customer 7 Days’ written notice of any such inspection.
D11.2. The Customer agrees to co-operate fully with any such inspection and
to allow the DVLA or an agent acting on its behalf access to its
Premises, Equipment, evidence and the Customer’s Staff for the
purposes of the inspection.
D11.3. The DVLA may at any time check the electronic trail relating to any
activity made by the Customer and contact the person responsible for
such activity.
D11.4. The DVLA may, by written notice to the Customer, forbid access to the
Data, or withdraw permission for continued access to the Data, to:
a)
any member of the Customer’s Staff; or
b)
any person employed or engaged by any member of the
Customer’s Staff;
whose access to or use of the Data would, in the reasonable opinion of
the DVLA, be undesirable.
D11.5. The decision of the DVLA as to whether any person is to be forbidden
from accessing the Data and as to whether the Customer has failed to
comply with this clause shall be final and conclusive.
D11.6. The DVLA will be entitled to be reimbursed by the Customer for all
DVLA’s reasonable costs incurred in the course of the inspection.
D12.
Action on Complaint
D12.1. Where a complaint is received about the Customer or the manner in
which its services have been supplied or work has been performed or
34
link to page 55
procedures used or about any other matter connected with the
performance of the Customer’s obligations under the Contract or the
use of Data, the DVLA may notify the Customer, and where considered
appropriate by the DVLA, investigate the complaint. The DVLA may, in
its sole discretion, acting reasonably, uphold the complaint and take
further action in accordance with
PART J of the contract.
35
link to page 67 link to page 67 link to page 67
PART E
PAYMENT
E1.
Payment
E1.1. In consideration of the DVLA’s provision of the KADOE Service under
the Contract, if the Customer receives the DVLA Data via a Link
Provider, the Link Provider shall pay to the DVLA the fees listed in
SCHEDULE 1, and any VAT chargeable in respect of the fees.
Alternatively, where the Customer has its own direct link with the DVLA
Business to Business Gateway and so is acting as its own Link Provider,
the Customer shall pay the fees in
SCHEDULE 1, and any VAT
chargeable in respect of the fees.
E1.2. The Link Provider shall pay the fees listed for:
a)
the ongoing availability of the Business to Business Gateway and the
KADOE Service;
b)
any technical work by the DVLA that is required to support and maintain
the KADOE Service; and
c)
the service enquiry charges listed in
SCHEDULE 1.
E1.3. Where the Link Provider is installing its first DVLA Business to Business
Gateway link, the Link Provider shall also pay in advance to the DVLA
the fees listed for the installation and set-up of a direct link to the DVLA
Business to Business Gateway system in accordance with the KADOE
External Interface Specification.
E1.4. Where the Link Provider already has a DVLA Business to Business
Gateway link for another DVLA service, the Link Provider shall also pay
in advance to the DVLA the fees listed for the KADOE Service to be
added to the existing DVLA Business to Business Gateway link, in
accordance with the KADOE External Interface Specification.
36
link to page 67 link to page 67 link to page 67 link to page 67 link to page 67
E2.
The Customer or its Link Provider’s Failure to Pay
E2.1. In accordance with
SCHEDULE 1, the DVLA may suspend access to
the KADOE Service to the Link Provider (and therefore to the Customer)
until all amounts due are paid in full.
E3.
Fee Review by the DVLA
E3.1. The DVLA may review the fees listed
in SCHEDULE 1 at any time and
the DVLA reserve the right to increase these fees. No price variation
shall be retrospective.
E3.2. The fees described in
A2 of
SCHEDULE 1 related to link installation and
connectivity may also be subject to change in line with any reviews
carried out by the DVLA.
E3.3. Where possible, the DVLA shall give reasonable prior written notice of
any reviews that may affect the amounts charged under this Contract.
E3.4. The DVLA shall give the Customer and any Link Provider at least 28
Days’ notice of any increase in the fees listed in
SCHEDULE 1
E4.
Deductions
E4.1. The Customer shall make all payments due to the DVLA without any
deduction whether by way of set-off, counterclaim, discount, abatement
or otherwise unless the Customer has a valid court order requiring an
amount equal to such deduction to be paid by the DVLA to the
Customer.
37
link to page 38
PART F
STATUTORY OBLIGATIONS
F1.
Prevention of Corruption
F1.1. The Customer shall not offer or give, or agree to give, to the DVLA or
any other public body or person employed by or on behalf of the DVLA
or any other public body any gift or consideration of any kind as an
inducement or reward for doing, refraining from doing, or for having
done or refrained from doing, any act in relation to the obtaining or
execution of the Contract or any other contract with the DVLA or any
other public body, or for showing or refraining from showing favour or
disfavour to any person in relation to the Contract or any such contract.
F1.2. If the Customer, its Staff or anyone acting on the Customer’s behalf,
engages in conduct prohibited by clause
F1.1 or the Bribery Act 2010
(as amended), the DVLA may:
a)
terminate and recover from the Customer the amount of any loss
suffered by the DVLA resulting from the termination; or
b)
recover in full from the Customer any other loss sustained by the DVLA
in consequence of any breach of that clause.
F2.
Prevention of Fraud
F2.1. The Customer shall take all reasonable steps, in accordance with
Industry Best Practice, to prevent Fraud by the Customer’s Staff and the
Customer (including its shareholder, members, and directors) in
connection with the receipt of the KADOE Service.
F2.2. The Customer shall notify the DVLA immediately, within a maximum of
24 hours of becoming aware, if it has reason to suspect that any Fraud
has occurred or is occurring or is likely to occur.
F2.3. If the Customer or its Staff commits Fraud in relation to this or any other
contract with the Crown (including the DVLA) the DVLA may:
38
link to page 39
a)
terminate the Contract and recover from the Customer the amount of any
loss suffered by the DVLA resulting from the termination; or
b)
recover in full from the Customer any other loss sustained by the DVLA
in consequence of any breach of this clause.
F3.
Discrimination
F3.1. The Customer must not unlawfully discriminate either directly or
indirectly or by way of victimisation or harassment against a person on
such grounds as age, disability, gender reassignment, marriage and
civil partnership, pregnancy and maternity, race, colour, ethnic or
national origin, sex or sexual orientation, and without prejudice to the
generality of the foregoing the Customer must not unlawfully
discriminate within the meaning and scope of the Equality Acts 2006
and 2010 (as amended), the Human Rights Act 1998 (as amended) or
other relevant or equivalent legislation, or any statutory modification or
re-enactment thereof.
F3.2. The Customer shall take all reasonable steps to secure the observance
of clause
F3.1 by all of its Staff.
F4.
The Contracts (Rights of Third Parties) Act 1999
F4.1. A person who is not a party to the Contract shall have no right to enforce
any of its provisions which, expressly or by implication, confer a benefit
on him, without the prior written agreement of both Parties. This clause
does not affect any right or remedy of any person which exists or is
available apart from the Contracts (Rights of Third Parties) Act 1999 (as
amended) and does not apply to the Crown.
F5.
Health & Safety
F5.1. The Customer shall promptly notify the DVLA of any health & safety
hazards which may arise in connection with the performance of its
obligations under the Contract, including but not limited to, on inspection
by the DVLA.
39
F5.2. While on the Customer’s Premises, the DVLA shall comply with any
health and safety measures implemented by the Customer in respect of
its Staff and other persons working there.
F5.3. The DVLA shall notify the Customer immediately in the event of any
incident occurring in the performance of its obligations under the
Contract on the Premises where that incident causes any personal
injury or damage to property which could give rise to personal injury.
F5.4. The Customer must comply with the requirements of the Health & Safety
at Work Act 1974 (as amended) and any other acts, orders, regulations
and codes of practice relating to health & safety, which may apply to the
Customer’s Staff and other persons working on the Premises in the
performance of its obligations under the Contract.
40
link to page 41
PART G
PROTECTION OF INFORMATION
G1.
Confidential Information
G1.1. Except to the extent set out in this clause or where disclosure is
expressly permitted elsewhere in this Contract, each Party shall:
a)
treat the other Party’s Confidential Information as confidential and
safeguard it accordingly; and
b)
not disclose the other Party’s Confidential Information to any other
person without the owner’s prior written approval.
G1.2. Clause
G1.1 shall not apply to the extent that:
a)
such disclosure is a requirement of Law placed upon the Party making
the disclosure, including any requirements for disclosure under the
FOIA, Code of Practice on Access to Government Information or the
Environmental Information Regulations;
b)
such information was in the possession of the Party making the
disclosure without obligation of confidentiality prior to its disclosure by
the information owner;
c)
such information was obtained from a third party without obligation of
confidentiality;
d)
such information was already in the public domain at the time of
disclosure otherwise than by a breach of this Contract;
e)
it is independently developed without access to the other Party’s
Confidential Information;
f) such disclosure is necessary for the performance of this Contract; or
g)
disclosure is required to comply with inspection or audit requirements of
this Contract.
41
G1.3. The Customer may only disclose the DVLA’s Confidential Information
to the Customer’s Staff who are directly involved in the supply of the
Data through the KADOE Service and who need to know the
information, and shall ensure that such Staff are aware of and shall
comply with these obligations as to confidentiality.
G1.4. The Customer shall not, and shall ensure that the Customer’s Staff do
not, use any of the DVLA’s Confidential Information received otherwise
than for the purposes of this Contract.
G1.5. At the written request of the DVLA, the Customer shall procure that
those members of its Staff identified in the DVLA’s notice signs a
confidentiality undertaking prior to commencing any work in accordance
with this Contract.
G1.6. Nothing in this Contract shall prevent the DVLA from disclosing the
Customer’s Confidential Information (including audit and inspection
reports):
a)
to any Crown Body or any other Contracting Authority. All Crown Bodies
or Contracting Authorities receiving such Confidential Information shall
be entitled to further disclose the Confidential Information to other Crown
Bodies or other Contracting Authorities on the basis that the information
is confidential and is not to be disclosed to a third party which is not part
of any Crown Body or any Contracting Authority;
b)
to any consultant, contractor or other person engaged by the DVLA or
any person conducting an Office of Government Commerce gateway
review;
c)
for the purpose of the examination and certification of the DVLA’s
accounts;
d)
for any examination pursuant to section 6 (1) of the National Audit Act
1983 (as amended) of the economy, efficiency and effectiveness with
which the DVLA has used its resources.
42
link to page 42 link to page 43
G1.7. The DVLA shall ensure that any government department, Contracting
Authority, employee, third party or Sub-Contractor to whom the
Customer’s Confidential Information is disclosed pursuant to clause
G1.6 is made aware of the DVLA’s obligations of confidentiality.
G1.8. Nothing in this clause shall prevent either Party from using any
techniques, ideas or know-how gained during the performance of the
Contract in the course of its normal business to the extent that this use
does not result in a disclosure of the other Party’s Confidential
Information or an infringement of Intellectual Property Rights.
G2.
Publicity and Media
G2.1. The Customer shall notify the DVLA immediately if any circumstances
arise which could result in publicity or media attention to the Customer
which could adversely reflect on the DVLA or the KADOE Service.
G2.2. The Customer shall not create or approve any publicity implying or
stating that the DVLA has a connection with any service provided by the
Customer without the prior written approval of the DVLA.
G3.
Intellectual Property Rights
G3.1. All Intellectual Property Rights in the Contract and any publications or
data relating to the Contract, in any guidance, specifications,
instructions, toolkits, plans, drawings, databases, software, patents,
patterns, models, designs or other material furnished or made available
to the Customer by or on behalf of the DVLA shall remain the property
of the DVLA.
G3.2. The Customer shall not, and shall ensure that its Staff shall not, (except
when necessary for the performance of the Contract) without the prior
written approval of the DVLA, use or disclose any Intellectual Property
Rights in any of the material listed in clause
G3.1.
43
G4.
Crown Copyright and Publication
G4.1. All copyright and rights in the nature of copyright, unregistered design
rights, registered design rights, patent rights and all other rights of a like
nature arising in relation to the Contract, shall vest in and be the
absolute property of the DVLA. Nothing in the Contract shall in any way
derogate from the rights of DVLA under any legislation relating to
patents, copyrights, registered design rights or design rights.
G4.2. Under delegated powers of Crown Copyright, the DVLA shall be the
proprietor of the copyright in respect of the Contract and any data or
publications relating to this copyright.
44
link to page 31 link to page 46 link to page 8 link to page 45
PART H
CONTROL OF THE CONTRACT
H1.
Transfer and Sub-Contracting
H1.1. The Customer may sub-contract its Processing of the Data to a Data
Processor and may sub-contract to a debt collector in accordance with
clause
D5.1. The Customer shall not assign, sub-contract or in any other
way dispose of the Contract or any part of it without the prior written
permission of the DVLA.
H1.2. Sub-Contracting any part of the Contract shall not relieve the Customer
of any of its obligations or duties under the Contract. The Customer shall
be responsible for the acts and omissions of its Sub-Contractors as
though they are its own. Where the DVLA has approved to the placing
of sub-contracts, copies of each sub-contract shall, at the request of the
DVLA, be sent by the Customer to the DVLA as soon as reasonably
practicable.
H1.3. Subject to clause
H1.5, the DVLA may assign, novate or otherwise
dispose of its rights and obligations under the Contract or any part
thereof to:
a)
any Contracting Authority (as defined in clause
A9);
b)
any other body established by the Crown or under statute in order
substantially to perform any of the functions that had previously been
performed by the Authority; or
c)
any private sector body which substantially performs the functions of
the DVLA under this Contract;
provided that any such assignment, novation or other disposal shall not
increase the burden of the Customer’s obligations under the Contract.
H1.4. Any change in the legal status of the DVLA such that it ceases to be a
Contracting Authority shall not, subject to clause
H1.3, affect the validity
45
of the Contract. In such circumstances, the Contract shall bind and inure
to the benefit of any successor body to the DVLA.
H1.5. If there is a change in the legal status of the DVLA such that it ceases
to be a Contracting Authority (in the remainder of this clause such body
being referred to as the “Transferee”):
a)
the rights of termination of the DVLA in this Contract shall be available
to the Customer in the event of respectively, the bankruptcy or
insolvency, or Default of the Transferee; and
b)
the Transferee shall only be able to assign, novate or otherwise dispose
of its rights and obligations under the Contract or any part thereof with
the prior approval in writing of the Customer.
H1.6. The DVLA may disclose to any Transferee any Confidential Information
of the Customer which relates to the performance of the Customer’s
obligations under the Contract. In such circumstances the DVLA shall
authorise the Transferee to use such Confidential Information only for
purposes relating to the performance of the Customer’s obligations
under the Contract and for no other purpose and shall take all
reasonable steps to ensure that the Transferee gives a confidentiality
undertaking in relation to such Confidential Information.
H1.7. Each Party shall at its own cost and expense carry out whatever further
actions (including the execution of further documents) the other Party
reasonably requires from time to time for the purpose of giving that other
Party the full benefit of the provisions of the Contract.
H2.
Insolvency
H2.1. The Customer shall notify the DVLA immediately in writing where the
Customer is a company and in respect of the Customer:
a)
a proposal is made for a voluntary arrangement within Part 1 of the
Insolvency Act 1986 (as amended) or of any other composition scheme
or arrangement with, or assignment for the benefit of, its creditors; or
46
b)
a shareholders’ meeting is convened for the purpose of considering a
resolution that it be wound up or a resolution for its winding-up is
passed (other than as part of, and exclusively for the purpose of, a
bona fide reconstruction or amalgamation); or
c)
a petition is presented for its winding-up (which is not dismissed within
14 Days of its service) or an application is made for the appointment of
a provisional liquidator or a creditors’ meeting is convened pursuant to
section 98 of the Insolvency Act 1986 (as amended); or
d)
a receiver, administrative receiver or similar officer is appointed over
the whole or any part of its business or assets; or
e)
an application order is made either for the appointment of an
administrator or for an administration order, and administrator is
appointed, or notice of intention to appoint an administrator is given; or
f)
it is or becomes insolvent within the meaning of section 123 of the
Insolvency Act 1986 (as amended); or
g)
being a “small company” within the meaning of section 247(3) of the
Companies Act 1985 (as amended), a moratorium comes into force
pursuant to Schedule 1A of the Insolvency Act 1986 (as amended); or
h)
any event similar to those listed in this clause occurs under the law of
any other jurisdiction.
H2.2. The Customer shall notify the DVLA immediately, within a maximum of
24 hours of becoming aware, in writing where the Customer is an
individual and:
a)
an application for an interim order is made pursuant to sections 252-
253 of the Insolvency Act 1986 (as amended) or a proposal is made
for any composition scheme or arrangement with, or assignment for
the benefit of, the Customer’s creditors; or
47
b)
a petition is presented and not dismissed within 14 Days or order made
for the Customer’s bankruptcy; or
c)
a receiver, or similar officer is appointed over the whole or any part of
the Customer’s assets or a person becomes entitled to appoint a
receiver, or similar officer over the whole or any part of his assets; or
d)
the Customer is unable to pay his debts or has no reasonable prospect
of doing so, in either case within the meaning of section 268 of the
Insolvency Act 1986 (as amended); or
e)
a creditor or encumbrancer attaches or takes possession of, or a
distress, execution, sequestration or other such process is levied or
enforced on or sued against, the whole or any part of the Customer’s
assets and such attachment or process is not discharged within 14
Days; or
f)
the Customer suspends or ceases, or threatens to suspend or cease,
to carry on all or a substantial part of his business.
H3.
Change of Control
H3.1. The Customer shall seek the prior written agreement of the DVLA to any
change of control within the meaning of section 450 of the Corporation
Taxes Act 2010 (“Control”) (as amended). Where the DVLA has not
given its written agreement before the Change of Control, the DVLA
may terminate the Contract by notice in writing with immediate effect
within 26 weeks of:
a)
being notified that that change of control has occurred; or
b)
where no notification has been made, the date that the DVLA becomes
aware of that change of control.
H4.
Waiver
H4.1. The failure of either Party to insist upon strict performance of any
provision of the Contract, or the failure of either Party to exercise, or any
48
link to page 7 link to page 7
delay in exercising, any right or remedy shall not constitute a waiver of
that right or remedy and shall not cause a diminution of the obligations
established by the Contract.
H4.2. No waiver shall be effective unless it is expressly stated to be a waiver
and it is communicated to the other Party in writing in accordance with
clause
A7 (Notices).
H4.3. A waiver of any right or remedy arising from a breach of the Contract
shall not constitute a waiver of any right or remedy arising from any
other or subsequent breach of the Contract.
H5.
Variation
H5.1. No Variation of this Contract shall be effective unless it is in writing and
signed by the Parties.
H5.2. If the Customer requests a Variation, it must give the DVLA sufficient
information to assess the extent of the Variation and to consider whether
any change to the fees is required in order to implement the Variation.
H5.3. If the DVLA accepts any Variation requested by the Customer, the
DVLA shall notify the Customer of the date when the Variation shall take
effect.
H5.4. If the DVLA requests a Variation, it may specify a period within which
the Customer shall respond to the request for the Variation. Such period
shall be reasonable having regard to the nature of the Variation. If the
DVLA considers it appropriate to require the Customer to confirm its
agreement to the Variation by signing any document detailing that
Variation (including a version of the Contract amended to include the
Variation), the Customer shall return a signed copy of that document to
the DVLA within the reasonable period specified by the DVLA pursuant
to this clause.
49
H6.
Severability
H6.1. If any court or competent authority finds that any provision of this
Contract (or part of any provision) is invalid, illegal or unenforceable,
that provision or part-provision shall, to the extent required, be deemed
to be deleted with the minimum modification necessary to make it legal,
valid and enforceable and the validity and enforceability of the other
provisions of this Contract shall not be affected.
H7.
Remedies Cumulative
H7.1. Except as otherwise expressly provided by the Contract, all remedies
available to either Party for breach of the Contract are cumulative and
may be exercised concurrently or separately, and the exercise of any
one remedy shall not be deemed an election of such remedy to the
exclusion of other remedies.
H8.
Entire Agreement
H8.1. This Contract constitutes the entire agreement between the Parties in
respect of the KADOE Service between the DVLA and the Customer.
This Contract supersedes all prior negotiations and contracts between
the parties and all representations and undertakings made by one part
to another, whether written or oral, except that this clause shall not
exclude liability in respect of any Fraud or fraudulent misrepresentation.
H8.2. In the event of, and only to the extent of, any conflict between the
clauses of the Contract, any document referred to in those clauses and
the Schedules, the conflict shall be resolved in accordance with the
following order of precedence:
a)
the clauses of the Contract;
b)
the Schedules; and
c)
any other document referred to in the clauses of the Contract.
50
link to page 51 link to page 52 link to page 51 link to page 52
PART I
LIABILITY, INDEMNITY, MITIGATION AND INSURANCE
I1.
Liability
I1.1.
Neither Party excludes or limits liability to the other Party for:
a)
death or personal injury caused by its negligence; or
b)
Fraud; or
c)
fraudulent misrepresentation.
I1.2.
Subject always to clause
I1.1 and separately from the indemnity in
clause
I2, the liability of each Party to the other arising in connection
with this Contract (whether in respect of breach of contract, tort,
negligence or any other Default) shall be limited in respect of all defaults
arising in any one year to one million pounds (£1,000,000).
I1.3.
The Customer’s liability for direct loss or damage to the DVLA caused
by the Customer’s Default shall include liability for additional operational
and administrative costs and wasted expenditure that arises as a direct
consequence of the Default.
I1.4.
The DVLA’s liability for direct loss or damage to the Customer caused
by the DVLA’s Default shall include loss of profits, business revenue,
and goodwill that arise as a direct consequence of the Default.
I1.5.
All Equipment used by the Customer or its Link Provider to access the
KADOE Service shall be used at the Customer’s own risk and the DVLA
shall have no liability for any loss of or damage to any Equipment unless
the Customer or its Link Provider is able to demonstrate that such loss
or damage was directly caused or contributed to by the DVLA’s Default.
I1.6.
Subject to clause
s I1.1 and I2, in no event shall either Party be liable to
the other for any loss of savings (whether anticipated or otherwise).
51
link to page 51 link to page 52 link to page 52
I1.7.
Subject to clause
s I1.1 and
I2, in no event shall either Party be liable to
the other for any indirect or consequential or special loss or damages.
I2.
Indemnity
I2.1.
Subject to clause
I2.2, the Customer shall indemnify the DVLA to a
minimum level of one million pounds (£1,000,000) for each and every
event, and keep the DVLA indemnified fully for six years after the
termination of the Contract against all claims, proceedings, actions, and
any damages, costs, expenses and any other liabilities (including legal
fees) incurred by, awarded against or agreed to be paid by the DVLA
that arise out of a claim relating to the performance or non-performance
by the Customer of its obligations under the Contract. Such indemnity
shall include losses in respect of any death or personal injury, loss of or
damage to property, a Personal Data Breach or any other loss which is
caused directly or indirectly by any act or omission of the Customer.
I2.2.
The Customer shall not be responsible for any injury, loss, damage, cost
or expense if and to the extent that it is caused by the negligence or
wilful misconduct of the DVLA or by breach by the DVLA of its
obligations under the Contract.
I2.3.
The DVLA shall notify the Customer in writing of any such claim and will
not, without first consulting with the Customer, make an admission
relating to the claim.
I3.
Mitigation
I3.1.
Each Party shall at all times take all reasonable steps to minimise and
mitigate any loss for which that Party is entitled to bring a claim against
the other Party under clause I1 or 12.
I4.
Insurance
I4.1.
The Customer shall effect and maintain with a reputable insurance
company a policy or policies of insurance providing an adequate level
of cover in respect of all insurable risks which may be incurred by the
52
Customer, arising out of the Customer’s performance of its obligations
under the Contract, including death or personal injury, loss of or damage
to property or any other loss.
I4.2.
The Customer shall ensure that the amount of such insurance cover will
be adequate to enable the Customer to satisfy both the indemnities
referred to in clause I2 and the liability referred to in clause I1.
I4.3.
Such insurance shall be maintained for the duration of supply of the
KADOE Service and for a minimum of 6 (six) years following the
termination of the Contract.
I4.4.
The Customer shall give the DVLA, on request, copies of all insurance
policies referred to in this clause or a broker’s verification of insurance
to demonstrate that the appropriate cover is in place, together with
receipts or other evidence of payment of the latest premiums due under
those policies.
I4.5.
If, for whatever reason, the Customer fails to give effect to and maintain
the insurances required by the provisions of the Contract the DVLA may
make alternative arrangements to protect its interests and may recover
the costs of such arrangements from the Customer.
I4.6.
The provisions of any insurance or the amount of cover shall not relieve
the Customer of any liabilities under the Contract.
I5.
Warranties and Representations
I5.1.
The Customer warrants and represents that:
a)
it has full capacity and authority and all necessary approvals (including
where its procedures so require, the consent of its parent company) to
enter into and perform its obligations under the Contract and that the
Contract is executed by a duly authorised representative of the
Customer;
b)
in entering the Contract it has not committed any Fraud;
53
c)
no claim is being asserted and no litigation, arbitration or administrative
proceeding is presently in progress or, to the best of its knowledge and
belief, pending or threatened against it or any of its assets which will or
might have a material adverse effect on its ability to perform its
obligations under the Contract;
d)
it is not subject to any contractual obligation, compliance with which is
likely to have a material adverse effect on its ability to perform its
obligations under the Contract;
e)
no proceedings or other steps have been taken and not discharged (nor,
to the best of its knowledge, are threatened) for the winding up of the
Customer or for its dissolution or for the appointment of a receiver,
administrative receiver, liquidator, manager, administrator or similar
officer in relation to any of the Customer’s assets or revenue;
f)
it owns, has obtained or is able to obtain, valid licences for all Intellectual
Property Rights that are necessary for the performance of its obligations
under the Contract;
g)
in the three (3) years prior to the date of the Contract:
I5.1.g.1. it has conducted all financial accounting and reporting activities in
compliance in all material respects with the generally accepted
accounting principles that apply to it in any country where it files
accounts;
I5.1.g.2. it has been in full compliance with all applicable securities and tax
laws and regulations in the jurisdiction in which it is established; and
I5.1.g.3. it has not done or omitted to do anything which could have a material
adverse effect on its assets, financial condition or position as an
ongoing business concern or its ability to fulfil its obligations under
the Contract.
54
PART J
DEFAULTS, DISRUPTION, SUSPENSION & TERMINATION
J1.
Break
J1.1. Without prejudice to any other rights or remedies that the Parties may
have, either Party may terminate the Contract by giving the other Party
at least 28 Days’ notice in writing.
J2.
Termination for Material Breach
J2.1. A Party may terminate the Contract with immediate effect by written
notice to the other Party on or at any time after the occurrence of an
event specified in clause J2.1.
The events are that:
a)
The Customer fails to pay any amount due under this Contract
on the due date for payment and remains in default not less
than 60 days after being notified in writing to make such
payment;
b)
The Customer commits three or more Defaults, whether
simultaneously or singly at any time during the operation of the
Contract, irrespective of whether any or all of such breaches is
minimal or trivial in nature;
c)
The Customer commits a Material Breach of any other term of
this agreement which breach is irremediable or (if such breach
is remediable) fails to remedy that breach within a period of 26
weeks after being notified in writing to do so.
J2.2. For the purposes of clause J2.1, a Material Breach is remediable if time
is not of the essence in performance of the obligation and if in the
reasonable opinion of the DVLA the Material Breach is capable of
remedy within the 26 week period.
55
J3.
Suspension of the KADOE Service
J3.1. If it comes to the attention of the DVLA that the Customer has committed
any Default (including Material Breaches and all other Defaults), the
DVLA may suspend the KADOE Service without further notice and with
immediate effect and investigate the nature and effect of the breach.
J3.2. The DVLA may from time to time issue guidance on its principles on
suspending the KADOE Service and terminating contracts to supply
data using the KADOE Service. The guidance may include guidance
concerning: types of Defaults which the DVLA may consider to be
Material Breaches; guidance as to specific types of breach that the
DVLA will consider to be remediable; how such breaches may be
remedied; how long suspension may last; when following any period of
suspension the Customer may resume making requests and in relation
to which dates of events such requests may be made; and guidance as
to which types of breach the DVLA may consider to be irremediable.
J4.
Effect of Suspension
J4.1. If the DVLA suspends the KADOE Service at any time, the Customer
shall co-operate with any further investigation, audit or review that the
DVLA requires to be carried out in relation to the Data provided to the
Customer.
J4.2. The DVLA may refuse to resume the KADOE Service until the Customer
provides assurances that the matter resulting in the suspension has
been resolved to the satisfaction of the DVLA, and takes specified
actions within a reasonable period set by the DVLA.
J4.3. The DVLA may require that an inspection is carried out after the KADOE
Service is resumed, to check the Customer’s compliance with the
Contract and Data Protection Legislation.
56
link to page 67 link to page 67 link to page 56 link to page 46 link to page 46 link to page 56
J4.4. The DVLA reserves the right to recover costs from the Customer for any
inspection and shall require the Customer to pay the reconnection fee,
as set out
in SCHEDULE 1 (FEES), before it will resume the KADOE
Service.
J4.5. During any suspension period, the DVLA shall not provide Data to the
Customer either through the Business to Business KADOE system or
through any paper service.
J4.6. The Customer shall reimburse the DVLA for all DVLA’s costs and
expenses incurred in relation to the DVLA’s right under clause
J4 to
carry out an inspection, investigation, audit or review of the Customer.
J5.
Insolvency
J5.1. Where the DVLA is notified in writing of any of the circumstances listed
in clause
H2 (Insolvency), the DVLA may suspend the KADOE Service
without further notice and with immediate effect and investigate further
whether any of the Customer’s directors or any liquidator, receiver,
administrative receiver, administrator, or other officer is capable of
ensuring that the provisions of this Contract and Data Protection
Legislation are complied with. If the DVLA is not satisfied that any such
person shall ensure such compliance, the DVLA may terminate the
Contract by written notice with immediate effect.
J6.
Other Termination Rights
J6.1. The DVLA may terminate the Contract by written notice with immediate
effect if in the reasonable view of the DVLA, during any period of
suspension of the KADOE Service the Customer:
a)
fails to co-operate with any investigation, audit or review:
b)
fails to provide any assurances or take any actions within the
reasonable period set by the DVLA under clause
J4.2; or
57
link to page 67
c)
fails to provide assurances that satisfy the DVLA (acting reasonably)
that the Customer has complied and shall continue to comply with the
requirements of this Contract and Data Protection Legislation.
d)
Causes reputational damage to DVLA through any act or Default
committed by the Customer or its Staff.
J6.2. The DVLA may terminate the Contract by written notice with immediate
effect if the Customer fails to pay the DVLA undisputed sums of money
when due in accordance with
SCHEDULE 1.
J6.3. The DVLA may terminate the Contract by written notice with immediate
effect if the Customer is found to be in breach of any aspect of the Law
that could, in the reasonable opinion of the DVLA, bring the DVLA into
disrepute.
J6.4. The DVLA may terminate the Contract by written notice with immediate
effect if the Customer is an individual and he has died or is adjudged
incapable of managing his affairs within the meaning of the Mental
Capacity Act 2005 (as amended).
J7.
Consequences of Suspension and Termination
J7.1. After the KADOE Service has been suspended or the Contract has been
terminated or both, the Customer shall continue to comply with its
obligations under this Contract and under Data Protection Legislation in
relation to the Data which it holds, including as to the proper use of the
Data, retention of the Data and secure destruction of the Data.
J7.2. Save as otherwise expressly provided in the Contract:
a)
termination of the Contract shall be without prejudice to any rights,
remedies or obligations accrued under the Contract prior to termination
or expiration and nothing in the Contract shall prejudice the right of
either Party to recover any amount outstanding at such termination or
expiry; and
58
b)
termination of the Contract shall not affect the continuing rights,
remedies or obligations of the DVLA or the Customer under any
provision of this Contract which expressly or by implication is intended
to come into or to continue in force on or after termination of this
Contract.
J8.
Supply of Data to Related Persons After Termination
J8.1. If it comes to the attention of the DVLA that the Customer committed
any Default in its obligations in relation to the Data prior to termination
of the Contract, or if the DVLA has reason to believe that the Customer
did not comply with its duties in relation to the Data under Data
Protection Legislation, the DVLA shall reserve the right to refuse to
provide any further Data by any means to the Customer, its directors or
to any other Company with which those directors are associated, for up
to 12 months, starting on the date of Termination of the Contract.
J8.2. Where DVLA has terminated this Contract, the Customer will no longer
be permitted to process or transfer the Data received, prior to
termination.
J9.
Disruption
J9.1. The DVLA shall immediately inform the Customer of any actual or
potential industrial action, whether such action is taken by their own
employees or others, which affects or might affect its ability at any time
to perform its obligations under the Contract.
J9.2. The DVLA shall not be liable to the Customer for any additional expense
or loss incurred by the Customer as a result of such disruption.
J9.3. The Customer shall immediately inform the DVLA of any actual or
potential industrial action, whether such action is taken by their own
employees or others, which affects or might affect its ability at any time
to perform its obligations under the Contract.
59
link to page 59
J9.4. In the event of industrial action by the Customer’s Staff, the Customer
shall seek the prior written permission of the DVLA to its proposals to
continue to perform its obligations under the Contract.
J9.5. If the Customer’s proposals referred to in clause
J9.4 are considered
insufficient or unacceptable by the DVLA acting reasonably, then the
Contract may be terminated with immediate effect by the DVLA by
notice in writing.
J10.
Force Majeure
J10.1. Neither Party shall be liable to the other Party for any delay in
performing, or failure to perform, its obligations under the Contract
(other than a payment of money) to the extent that such delay or failure
is a result of Force Majeure. Notwithstanding the foregoing, each Party
shall use all reasonable endeavours to continue to perform its
obligations under the Contract for the duration of such Force Majeure.
However, if such Force Majeure prevents either Party from performing
its material obligations under the Contract for a period in excess of 26
weeks, either Party may terminate the Contract with immediate effect
by notice in writing.
J10.2. Any failure or delay by either Party in performing its obligations under
the Contract which results from any failure or delay by an agent, Sub-
Contractor or supplier shall be regarded as due to Force Majeure only
if that agent, Sub-Contractor or supplier is itself impeded by Force
Majeure from complying with an obligation to the Party.
J10.3. If either Party becomes aware of Force Majeure which gives rise to, or
is likely to give rise to, any failure or delay on its part as described in this
clause it shall immediately notify the other by the most expeditious
method then available and shall inform the other of the period for which
it is estimated that such failure or delay shall continue.
J10.4. If the Customer is unable to perform any of its data protection
obligations under the Contract as a result of Force Majeure, it shall
60
ensure its data protection obligations are fulfilled by alternative means
and shall notify the DVLA immediately giving detailed information as to
how it shall ensure that the Data is protected.
61
link to page 62 link to page 62
PART K
LAW AND DISPUTE RESOLUTION
K1.
Governing Law and Jurisdiction
K1.1. Subject to the provisions of this Contract regarding Dispute Resolution,
the DVLA and the Customer accept the exclusive jurisdiction of the
courts of England and Wales and agree that the Contract and all non-
contractual obligations and other matters arising from or connected with
it are to be governed and construed according to English Law.
K2.
Dispute Resolution
K2.1. The Parties shall attempt in good faith to negotiate a settlement to any
Dispute between them arising out of or in connection with the Contract
within 20 Working Days of either Party notifying the other of the Dispute
and such efforts shall involve the escalation of the Dispute to those
people nominated in
ANNEX B and the DVLA Representative and any
other staff listed by the DVLA for that purpose.
K2.2. Nothing in this Dispute resolution procedure shall prevent the Parties
from seeking from any court of competent jurisdiction an interim order
restraining the other Party from doing any act or compelling the other
Party to do any act.
K2.3. If the Dispute cannot be resolved by the parties pursuant to clause
K2.1,
they shall refer it to mediation pursuant to the procedure set out in
clause
K2.5 unless (a) the DVLA considers that the Dispute is not
suitable for resolution by mediation; or (b) the Customer does not agree
to mediation.
K2.4. If a Dispute is referred to mediation or arbitration, the obligations of the
Parties under the Contract shall not otherwise cease, or be suspended
or delayed by the reference of a Dispute to mediation (or arbitration)
and the Customer and its Staff shall comply fully with the requirements
of the Contract and of Data Protection Legislation at all times.
62
K2.5. The procedure for mediation and consequential provisions relating to
mediation are as follows:
a)
a mediator (the “
Mediator”) shall be chosen by agreement between the
Parties or, if they are unable to agree upon a Mediator within 10
Working Days after a request by one Party to the other or if the Mediator
agreed upon is unable or unwilling to act, either Party shall within 10
Working Days from the date of the proposal to appoint a Mediator or
within 10 Working Days of notice to either Party that he is unable or
unwilling to act, apply to the Centre for Effective Dispute Resolution to
appoint a Mediator.
b)
The Parties shall within 10 Working Days of the appointment of the
Mediator meet with him in order to agree a programme for the exchange
of all relevant information and the structure to be adopted for
negotiations to be held. If considered appropriate, the Parties may at
any stage seek assistance from the Centre for Effective Dispute
Resolution or other mediation provider to provide guidance on a
suitable procedure.
c)
Unless otherwise agreed, all negotiations connected with the Dispute
and any settlement agreement relating to it shall be conducted in
confidence and without prejudice to the rights of the Parties in any
future proceedings.
d)
If the Parties reach agreement on the resolution of the Dispute, the
agreement shall be recorded in writing and shall be binding on the
Parties once it is signed by their duly authorised representatives.
e)
Failing agreement, either of the Parties may invite the Mediator to
provide a non-binding but informative written opinion. Such an opinion
shall be provided on a without prejudice basis and shall not be used in
evidence in any proceedings relating to the Contract without the prior
written approval of both Parties.
63
link to page 64 link to page 62 link to page 62 link to page 62 link to page 64 link to page 64 link to page 64 link to page 64
f)
If the Parties fail to reach agreement in the structured negotiations
within 60 Working Days of the Mediator being appointed, or such longer
period as may be agreed by the Parties, then any Dispute or difference
between them may be referred to the Courts, unless the Dispute is
referred to the arbitration procedures set out in clause
K2.7
K2.6. Subject to clause
K2.2, the Parties shall not institute court proceedings
until the procedures set out in clauses
K2.1 and
K2.3 have been
completed save that:
a)
the DVLA may at any time before court proceedings are commenced
serve a notice on the Customer requiring the Dispute to be referred to
and resolved by arbitration in accordance with clause
K2.7.
b)
if the Customer intends to commence court proceedings, it shall serve
written notice on the DVLA of its intentions and the DVLA shall have 21
Days following receipt of such notice to serve a reply on the Customer
requiring the Dispute to be referred to and resolved by arbitration in
accordance with clause
K2.7.
c)
the Customer may request by notice in writing to the DVLA that any
Dispute be referred and resolved by arbitration in accordance with
clause
K2.7, to which the DVLA may approve as it sees fit.
K2.7. In the event that any arbitration proceedings are commenced pursuant
to clause
K2.6:
a)
the arbitration shall be governed by the provisions of the Arbitration Act
1996 (as amended);
b)
the DVLA shall give a written notice of arbitration to the Customer (the
“
Arbitration Notice”) stating:
K2.7.b.1.
that the Dispute is referred to arbitration; and
K2.7.b.2.
providing details of the issues to be resolved;
64
link to page 64 link to page 64
c)
the London Court of International Arbitration (“
LCIA”) procedural rules
in force at the date that the Dispute was referred to arbitration in
accordance with clause 36.7(b) shall be applied and are deemed to be
incorporated by reference to the Contract and the decision of the
arbitrator shall be binding on the Parties in the absence of any material
failure to comply with such rules;
d)
the tribunal shall consist of a sole arbitrator to be agreed by the Parties;
e)
if the Parties fail to agree the appointment of the arbitrator within 10
Days of the Arbitration Notice being issued by the DVLA under clause
K2.7 b) or if the person appointed is unable or unwilling to act, the
arbitrator shall be appointed by the LCIA;
f)
the arbitration proceedings shall take place in London and in the
English language; and
g)
the arbitration proceedings shall be governed by, and interpreted in
accordance with, English Law.
65
PART L
SIGNATURES
IN WITNESS of the obligations in this Contract, it has been duly executed by
the Parties.
SIGNED for and on behalf of the
SIGNED for and on behalf of
Secretary of State for Transport
Marston (Holdings) Limited
acting through the Driving and
Vehicle Licensing Agency
Signature…………………………….. Signature………………………………
Name ......................................... Name……………………………………
Position ......................................... Position…………………………………
Company Registration
Number
……………………………………
Company Registered Office Address:
……………………………….................
…………………………………………
….........................................................
Date
Date
Internal Use Only – KADOE Commercial Customer Service
66
link to page 20
SCHEDULE 1
FEES
A1.
Payment of Fees by the Link Provider
A1.1. This Schedule sets out the fees that shall be paid to the DVLA by the
Customer’s Link Provider to whom the Customer has sub-contracted the
provision of the secure technical link to the DVLA’s Business to Business
Gateway through which the Data shall be requested and received by the
Customer (under clause
B4).
A1.2. Where the Customer does not Sub-Contract with a Link Provider but
instead obtains its own secure technical link to the DVLA’s Business to
Business Gateway, the Customer shall pay to the DVLA the Link
Provider fees set out in this Schedule.
A2.
Line Installation And DVLA Technical Set Up Fees
A2.1. The fees for line installation and connection (by DVLA’s chosen
supplier), and set up of the direct link to DVLA’s Business to Business
Gateway, or to add the KADOE Service to the Link Provider’s existing
connection in accordance with the KADOE External Interface
Specification are as follows:
Table A
1
Installation Charge (one off
£1,000 - £6,000 (plus VAT at
charge)
prevailing rate)
DVLA Chosen Supplier Annual
£1,000 - £15,000 (plus VAT
2
Line Rental (Recurring)
at prevailing rate)
DVLA Technical Set-up Costs
£300 - £8,000 (plus VAT at
3
prevailing rate)
The above table provides a minimum and maximum cost, however the
Customer will be provided with an actual cost based on postcode location.
A2.2. The fees listed in A2.1 above shall not apply if these have already been
paid under another DVLA Business to Business Gateway Data Product.
67
A2.3. In the event of the Link Provider
moving location, or adding a location,
and a new line needing to be installed and tested, the Link Provider shall
pay the fees numbered 1 and 3 in the table for each new location.
A2.4. The Link Provider
shall also pay any additional fees stated in
Item 4 in
Table B in A3.1 below that may apply, subject to the number of
concurrent active sites and depending on the postcode of any new
locations.
A3.
DVLA Technical Fees For Support And Maintenance
A3.1. Where technical work is required in order to support and maintain the
KADOE Service, the Link Provider shall pay the DVLA’s technical costs.
Those costs are as follows:
Table B
Admin Changes / Updates affecting sFTP
£608
transfer
1
(plus VAT at the
(e.g. Service Provider wishing to change
prevailing rate)
their target server or update their SSH
certificate)
Change of site affecting IP address
£1,547
2
(e.g. Service Provider wishing to change
(plus VAT at the
their IP address)
prevailing rate)
Adding a new “KADOE Customer Code” into
£473.60
3
the DVLA’s vehicle database. (this is
(plus VAT at the
dependent on the business type / model)
prevailing rate)
£185.60
Admin changes (e.g. a change of company
4
(plus VAT at the
name)
prevailing rate)
£236.80
5
Change of Hard Copy Address
(plus VAT at the
prevailing rate)
A4.
Payment of Set Up or Maintenance Fees
A4.1. In order to collect the line installation, set up, annual line rental and DVLA
technical fees, as described in this Schedule, the following process must
be followed:
68
a)
a purchase order (including purchase order number) shall be raised if
applicable, by the Link Provider and provided to the DVLA for the fees
referred to above, as and when requested by the DVLA;
b)
an invoice shall be raised by the DVLA and issued to the Link Provider
quoting the purchase order number;
c)
the Link Provider shall make payment to the DVLA for the amount
required within 30 Days of the invoice date.
A4.2. The line installation work (conducted by DVLA’s chosen supplier) and
DVLA technical set up work described in this Schedule shall not
commence until payment of the relevant fees has been received by the
DVLA.
A5.
DVLA Technical Fees For Support And Maintenance
A5.1. Where technical work is required in order to support and maintain the
KADOE Service after suspension of the KADOE Service to the
Customer, the Link Provider shall pay the DVLA’s technical costs. Those
costs are as follows:
£371.20
Reconnection work to re-enable access to
(plus VAT at the prevailing
the KADOE Service after suspension
rate)
A5.2. The DVLA shall commence reconnection work following any suspension
of the KADOE Service after payment of the fee has been received by the
DVLA.
69
A6.
Service Enquiry Charges
A6.1. The service enquiry charges will comprise of two elements:
•
A fixed element of £52 (plus VAT) per invoicing period.
• A variable element based on the number of monthly enquiries
made, the enquiry thresholds are listed below:-
No. of Enquiries Monthly Charge
Up to - 9,999
£156 (+VAT)
10,000 – 14,999
£208 (+VAT)
15,000 – 19,999 £312 (+VAT)
20,000 – 29,999 £416 (+VAT)
For enquiries numbering above 30,000 the price will increase £100
per 10,000 enquiries, e.g. up to 39,999 will cost £516 (+VAT) and up
to 49,999 will cost £616 (+VAT).
A7.
Payment of Service Enquiry Charges
A7.1. Payment to DVLA shall be made within 30 days from the date of the
invoice.
70
link to page 29
SCHEDULE 2
MINIMUM DATA SECURITY REQUIREMENTS
1.
Data Security Requirements
1.1.
The minimum security requirements, which are required by clause
D2,
are as follows:
a)
Data, including back-up data, must be retained in secure premises and
locked away;
b)
Data, including back-up data, must be protected from unauthorised
access, release or loss;
c)
A User ID and password must be required to enter all databases on
which the Data is stored;
d)
A unique User ID and password must be allocated to each person with
access to the Data or the KADOE Service;
e)
User IDs must not be shared between the Customer’s Staff;
f)
Access to the Data must be minimised so that only where necessary
are individuals given the following levels of access:
• ability to view material from single identifiable records
• ability to view material from many identifiable records
• functional access, including: searching, amendment, deletion,
printing, downloading or transferring information;
g)
An electronic trail relating to any activity involving the Data must be
retained, identifying the User ID and individual involved in each activity;
h)
The Data must not be accessed from, copied onto or stored on
Removable Media. Laptops may be used but only if the device has full
71
link to page 32
disk encryption installed in line with Industry Best Practice and the
devices are securely protected when not in use;
i)
All manual and electronic enquiries must be logged centrally and stored
by the Customer;
j)
Enquiries must be checked by senior Staff on a regular basis;
k)
Senior members of the Customer’s Staff must conduct reconciliation
checks between incoming and outgoing enquiry volumes on a regular
basis;
l)
Data must be used only for the Permitted Purpose(s) as listed in Annex
A for which it was obtained;
m)
Data must be kept only for as long as necessary, as required by clause
D6.1 of the Contract;
n)
Paper records must be destroyed so that reconstruction is unlikely;
o)
Electronic data must be securely destroyed or deleted in accordance
with current guidance from the Information Commissioner’s Office as
soon as it is no longer needed;
p)
Data received by post must be available only to appropriately trained
and experienced members of the Customer’s Staff, who must abide by
the requirements of this Contract and of Data Protection Legislation;
q)
All records containing personal information, including a hard copy of
the record (VQ7), screen prints, reports or other data which have been
supplied or derived from the DVLA’s system in any format must be
handled and retained in a secure manner;
r)
All premises and buildings in which the Data is stored must be secure;
s)
The Customer must be registered with the Information Commissioner
and the permission must cover all activities actually carried out;
72
t)
Information must not be passed to third parties except in accordance
with clause D5.1 and with the prior written permission of the DVLA
where applicable; and
u)
Any conditions required by the DVLA in giving permission for disclosure
to third parties must be satisfied.
2.
Inspection, Internal Compliance and Audit
2.1.
The Data Governance Assessment form shall be completed upon DVLA
request, and shall confirm whether or not all of the Data Security
requirements in paragraph 1 of this Schedule have been complied with.
3.
Minimum Requirements for the Customer’s Staff Vetting and
Disciplinary Procedures
3.1.
The minimum requirements for the Customer’s Staff vetting procedures,
which are required by clause D7 of this Contract, are as follows:
a)
The Customer shall confirm the identity of all of its new Staff.
b)
The Customer shall confirm the references and qualifications of all of
its Staff.
c)
The Customer shall require all persons who are to have access to the
KADOE Service or to the Data to complete and sign a written
declaration of any unspent criminal Convictions.
d)
The Customer shall ensure that no person who discloses that he or she
has a Relevant Conviction, or who is found by the Customer to have
any Relevant Conviction (whether as a result of a police check or
through the Criminal Records Bureau procedures or otherwise), is
allowed access to the Data or to the KADOE Service without the prior
written approval of the DVLA.
e)
The Customer shall not allow any person with unspent criminal
convictions to have access to the KADOE Service or to the Data,
except with the prior written permission of the DVLA.
73
f)
The Customer shall require all persons who are to have access to the
KADOE Service or to the Data to complete and sign an agreement to
use the KADOE Service and the Data only for the Permitted Purpose(s)
set out in Annex A of this Contract and in accordance with the
Customer’s procedures.
g)
The Customer shall require that each person who has access to the
Data shall sign a document confirming that the person shall use the
Data and the KADOE Service only in accordance with the Customer’s
procedures and only for the Permitted Purpose(s) as listed in Annex A.
h)
The Customer shall ensure that each person who has access to the
KADOE Service or the Data shall act with all due skill, care and
diligence and shall possess such qualifications, skills and experience
as are necessary for the proper use of the KADOE Service and the
Data.
i)
The Customer shall ensure that each person who is authorised to use
the KADOE Service has been trained in the operation of the system
and its associated procedures. The Customer shall keep documentary
records of attendance on such training by each person.
j)
The Customer shall ensure that each person who has access to the
Data is appropriately trained in and aware of his or her duties and
responsibilities under Data Protection Legislation and this Contract.
k)
The Customer shall create and maintain a unique user account ID for
each person who has access to the KADOE Service.
l)
The Customer shall maintain a procedure for authorising the creation
of user accounts and for the prompt deletion of accounts that are no
longer required.
m)
The Customer’s disciplinary policy shall state that misuse of the
KADOE Service or the Data by any person shall constitute gross
misconduct and may result in summary dismissal of that person. The
74
Customer shall notify such misuse to the DVLA and the person involved
shall be refused all future access to DVLA Data.
75
link to page 31
SCHEDULE 3
REQUIRED TERMS FOR CONTRACTS WITH SUB-CONTRACTORS
1.
In accordance with clause
D5.1, the following terms must be included
in the written contract between the Customer and any Sub-Contractor
with access to the Data:
Z1.
Data Protection
Z1.1. For the purposes of this contract, the terms “Data Controller”, “Data
Processor”, “Data Subject”, “Information Commissioner”, “Information
Commissioner’s Office”, “Personal Data”, “Process” and “Processing”
shall have the meanings prescribed under Data Protection Legislation.
Z1.2. The Sub-Contractor shall comply (and shall ensure that every member
of its Staff complies) with any notification requirements under Data
Protection Legislation and both Parties will duly observe all their
obligations under Data Protection Legislation which arise in connection
with the Contract.
Z1.3. The Sub-Contractor acknowledges that the Data constitutes Personal
Data to which Data Protection Legislation applies and that the Customer
is the Data Controller of the Data.
Z1.4. The Sub-Contractor shall process the Data only in accordance with
instructions from the Customer (which may be specific instructions or
instructions of a general nature) as set out in this contract or otherwise
notified by the Customer.
Z1.5. The Sub-Contractor shall comply with all applicable Laws, including
Data Protection Legislation.
Z1.6. The Sub-Contractor shall process the Data only to the extent and in
such manner as is necessary to achieve the Permitted Purpose(s) as
listed in
ANNEX A or as is required by Law or any Regulatory Body.
76
link to page 71 link to page 71 link to page 76 link to page 76
Z1.7. The Sub-Contractor shall implement technical and organisational
measures to protect the Data against unauthorised or unlawful
Processing and against accidental loss, destruction, damage, alteration
or disclosure. These measures shall be appropriate to the harm which
might result from any unauthorised or unlawful Processing, accidental
loss, destruction or damage to the Data and having regard to the
personal nature of the Data which is to be protected. These measures
shall as a minimum satisfy the requirements in [paragraph
1 of
SCHEDULE 2] to this contract.
Z1.8. The Sub-Contractor shall take reasonable steps to ensure the reliability
of its Staff and agents who may have access to the Data.
Z1.9. The Sub-Contractor shall not transfer the Data to any other Sub-
Contractor except with the prior written permission of the Customer who
shall have sought and received the prior written permission of the DVLA
to that transfer, which shall include the requirement that the Sub-
Contractor has entered into a written contract with the Sub-Contractor
which includes all of the provisions in
SCHEDULE 2 and
[SCHEDULE
3].
Z1.10. The Sub-Contractor shall not cause or permit any Personal Data to be
transferred outside the EU unless the prior written approval of the
Customer has been obtained, (who shall first have notified the DVLA)
and the following conditions are fulfilled:
(i)
The Customer or the Sub-Contractor has provided the
appropriate safeguards in relation to the transfer (whether in
accordance with GDPR Article 46 or LED Article 37) as
determined by the Customer.
(ii)
The Data Subject has enforceable rights and effective legal
remedies.
(iii)
The Sub-Contractor complies with its obligations under Data
Protection Legislation by providing an adequate level of
protection to any Personal Data that is transferred. (or, if it not so
77
bound, uses its best endeavours to assist the Customer in
meeting its obligations);and
(iv)
The Sub-Contractor complies with any reasonable instructions
notified to it in advance by the Customer with respect to the
processing of the Data.
Z1.11. The Sub-Contractor shall ensure that all Staff and agents required to
access the Data are informed of the confidential nature of the Data and
comply with the obligations set out in this contract, and have undergone
adequate training in the use, care, protection and handling of the Data.
Z1.12. The Sub-Contractor shall ensure that none of the Staff and agents
publish disclose or divulge any of the Data to any third parties unless
directed in writing to do so by the Customer.
Z1.13. The Sub-Contractor shall not disclose any of the Data to any third
parties in any circumstances other directed in writing to do so by the
Customer.
Z1.14. The Sub-Contractor shall notify the Customer within 5 Working Days if
it receives a request from a Data Subject to have access to that person’s
Personal Data, or a complaint or request relating to the Customer’s
obligations under Data Protection Legislation, or any communication
from the Information Commissioner or any other regulatory authority in
connection with the Personal Data processed under this Contract.
Z1.15. The provisions of this contract shall apply during the period that the Sub-
Contractor processes the Data on behalf of the Customer and
indefinitely after the end of that period.
Z1.16. The Sub-Contractor shall ensure that no person who discloses that he
or she has a Relevant Conviction, or who is found by the Sub-contractor
to have any Relevant Conviction (whether as a result of a police check
or through the Criminal Records Bureau procedures or otherwise), is
allowed access to the Data or to the KADOE Service without the prior
written approval of the DVLA.
78
link to page 71
Z1.17. The Sub-Contractor shall notify the Customer immediately if it:
(i)
Receives a request to rectify, block or erase any Data
(ii)
Becomes aware of the Loss of any Data.
Z1.18. The Sub-Contractor shall notify the Customer of any losses or misuse
of the Data within 5 working days and keep the Customer informed of
any relevant communications.
Z1.19. The Sub-Contractor acknowledges that DVLA reserve the right to
withdraw permission relating to Sub-Contracting at any time. Where
DVLA has withdrawn permission, the Sub-Contractor will be required to
cease all data processing activities relating to the Data.
Z1.20. Withdrawal of such permission as set out in paragraph Z1.19 will also
apply to any other Sub-Contracting arrangement that involves the
processing of the Data by the Sub-Contractor.
Z2.
Compliance and Inspection
Z2.1. The Sub-Contractor shall carry out its own internal compliance checks
at least annually, which include at least the matters listed in [paragraph
1 o
f SCHEDULE 2]. The Sub-Contractor shall notify the Customer in
writing within 28 Days of the outcome of such checks.
Z2.2. The Customer reserve the right to carry out an inspection at any time of
the Sub-Contractor’s compliance with the terms of the contract. The
Customer shall give the Sub-Contractor 28 Days’ written notice of any
such inspection.
Z2.3. The Sub-Contractor agrees to co-operate fully with any such inspection
and to allow the Customer access to its Premises, Equipment and Staff
for the purposes of the inspection.
Z2.4. The Sub-Contractor shall share with the Customer the outcome of any
other checks, audits or reviews that have been carried out on its
79
link to page 76 link to page 79
activities as a Sub-Contractor, to the extent that they have relevance to
the Processing of the Data.
Z2.5. The Sub-Contractor shall notify the Customer immediately, and within a
maximum of 24 hours of becoming aware of any audits that are being
carried out by the Information Commissioner’s Office under Data
Protection Legislation, to the extent that they have relevance to the
Processing of the Data.
Z3.
Termination
Z3.1. If at any time the Customer becomes aware that the Sub-contractor has
breached the requirements of clause
Z1 o
r Z2 of this contract, the
Customer may terminate the contract immediately.
80
ANNEX A
PART 1 OF 4
PERMITTED PURPOSE(S)
MARSTON (HOLDINGS) LIMITED
N464
The release of information from DVLA’s vehicle records is governed by
Regulation 27 of the Road Vehicles (Registration and Licensing) Regulations
2002, as amended.
Regulation 27 (1) (a) provides that the Secretary of State may make
particulars contained in the vehicle register available to authorised
organisations for any purpose connected with the investigation of an offence,
or a decriminalised parking contravention.
All requests for information submitted via the ELISE KADOE Service may
only be made for the following purpose(s):
Traffic Warrants
(i) Traffic Warrants issued from the county court
No requests for vehicle keeper information shall be made of the DVLA
vehicle records via the ELISE KADOE Service, where the date of alleged
contravention is more than 6 months prior to the date of enquiry.
Note: Information from vehicle records may not be requested if an alternative
method of identifying the vehicle keeper exists, or for administration purposes.
Any enquiry that falls outside these criteria may still be acceptable to DVLA,
but must not be submitted via the ELISE KADOE Service. It should be made
by means of form VQ615 and VQ616 (depending on the nature of enquiry)
under existing arrangements for making written enquiries.
No enquiries can be submitted for additional “Permitted Purposes” without a
Contract Variation in accordance with clause
H5, an updated
Annex A including the new “Permitted Purpose”, and formal written approval from DVLA
.
81
ANNEX A
PART 2 OF 4
PERMITTED PURPOSE(S)
MARSTON (HOLDINGS) LIMITED
N465
The release of information from DVLA’s vehicle records is governed by
Regulation 27 of the Road Vehicles (Registration and Licensing) Regulations
2002, as amended.
Regulation 27 (1) (a) provides that the Secretary of State may make
particulars contained in the vehicle register available to authorised
organisations for any purpose connected with the investigation of an offence,
or a decriminalised parking contravention.
All requests for information submitted via the ELISE KADOE Service may
only be made for the following purpose(s):
Magistrate Courts Fines Officer Where the Magistrates Courts Approved Enforcement agent has seized the
vehicle by the powers of the Court
Magistrate Courts Fines Officer
Keeper details requested by order of the Court
Magistrate Courts Fines Officer
To enable Magistrates Courts Approved Enforcement agent to execute legal
proceedings on command of the Courts for the recovery of money by seizure
and sale of goods
No requests for vehicle keeper information shall be made of the DVLA
vehicle records via the ELISE KADOE Service, where the date of alleged
contravention is more than 6 months prior to the date of enquiry.
Note: Information from vehicle records may not be requested if an alternative
method of identifying the vehicle keeper exists, or for administration purposes.
Any enquiry that falls outside these criteria may still be acceptable to DVLA,
but must not be submitted via the ELISE KADOE Service. It should be made
by means of form VQ615 and VQ616 (depending on the nature of enquiry)
under existing arrangements for making written enquiries.
No enquiries can be submitted for additional “Permitted Purposes” without a
Contract Variation in accordance with clause
H5, an updated
Annex A including the new “Permitted Purpose”, and formal written approval from DVLA
.
82
ANNEX A
PART 3 OF 4
PERMITTED PURPOSE(S)
MARSTON (HOLDINGS) LIMITED
N466
The release of information from DVLA’s vehicle records is governed by
Regulation 27 of the Road Vehicles (Registration and Licensing) Regulations
2002, as amended.
Regulation 27 (1) (a) provides that the Secretary of State may make
particulars contained in the vehicle register available to authorised
organisations for any purpose connected with the investigation of an offence,
or a decriminalised parking contravention.
All requests for information submitted via the ELISE KADOE Service may
only be made for the following purpose(s):
High Court Enforcement Officers To identify ownership of vehicles the subject of a levy by High Court
Enforcement Officers
No requests for vehicle keeper information shall be made of the DVLA
vehicle records via the ELISE KADOE Service, where the date of alleged
contravention is more than 6 months prior to the date of enquiry.
Note: Information from vehicle records may not be requested if an alternative
method of identifying the vehicle keeper exists, or for administration purposes.
Any enquiry that falls outside these criteria may still be acceptable to DVLA,
but must not be submitted via the ELISE KADOE Service. It should be made
by means of form VQ615 and VQ616 (depending on the nature of enquiry)
under existing arrangements for making written enquiries.
No enquiries can be submitted for additional “Permitted Purposes” without a
Contract Variation in accordance with clause
H5, an updated
Annex A including the new “Permitted Purpose”, and formal written approval from DVLA
.
83
ANNEX A
PART 4 OF 4
PERMITTED PURPOSE(S)
MARSTON (HOLDINGS) LIMITED
N467
The release of information from DVLA’s vehicle records is governed by
Regulation 27 of the Road Vehicles (Registration and Licensing) Regulations
2002, as amended.
Regulation 27 (1) (a) provides that the Secretary of State may make
particulars contained in the vehicle register available to authorised
organisations for any purpose connected with the investigation of an offence,
or a decriminalised parking contravention.
All requests for information submitted via the ELISE KADOE Service may
only be made for the following purpose(s):
Criminal Warrants Seizure of vehicle for repayment of Tax Debts
Criminal Warrants Seizure of vehicle for repayment of Proceeds of Crime
Criminal Warrants Seizure of vehicle for repayment of Non-payment of criminal fines
No requests for vehicle keeper information shall be made of the DVLA
vehicle records via the ELISE KADOE Service, where the date of alleged
contravention is more than 6 months prior to the date of enquiry.
Note: Information from vehicle records may not be requested if an alternative
method of identifying the vehicle keeper exists, or for administration purposes.
Any enquiry that falls outside these criteria may still be acceptable to DVLA,
but must not be submitted via the ELISE KADOE Service. It should be made
by means of form VQ615 and VQ616 (depending on the nature of enquiry)
under existing arrangements for making written enquiries.
No enquiries can be submitted for additional “Permitted Purposes” without a
Contract Variation in accordance with clause
H5, an updated
Annex A including the new “Permitted Purpose”, and formal written approval from DVLA
.
84
link to page 25
ANNEX B
CUSTOMER’S KEY STAFF
WITH DIRECT RESPONSIBILITIES FOR THE DATA AND FOR THE
OTHER OBLIGATIONS UNDER THE CONTRACT
1.
The contact details of the Customer’s Key Staff with responsibility for
the Data and the performance of the Contract, as referred to in clause
C1 of this Contract, are set out in this
Annex B.
1.1.
The contact details of the Commercial Manager referred to in clause
C1.2.a) are:
Name:………………………………………….
Job Title:……………………………………….
Business Address (The Customer’s Registered Office):
…………………………………………………..
…………………………………………………..
…………………………………………………..
Postcode:……………………………………….
Business telephone number:……………………………………….
Business mobile telephone number:……………………………….
Business Email address:…………………………………………….
85
link to page 25
1.2.
The contact details of the Data Manager referred to in clause
C1.2.b)
are:
Name:………………………………………….
Job Title:……………………………………….
Business Address:……………………………
…………………………………………………..
…………………………………………………..
…………………………………………………..
Postcode:……………………………………….
Business telephone number:……………………………………….
Business mobile telephone number:……………………………….
Business Email address:…………………………………………….
1.3.
The contact details of any other Key Staff, who are responsible for the
Data or for supervision of the Customer’s Staff with access to the Data,
should be provided below and on continuation sheets attached to this
ANNEX B.
86