Policies

Find all the Care Check policies below

By accessing this website and providing Care Check with your personal details, you agree to accept and be bound by the terms of this statement of fair processing which is summarised below.

Using the IT specification supplied by the Disclosure and Barring Service (DBS), Security Watchdog has produced an online disclosure system, eBulkPlus, which is an alternative to the standard paper forms, therefore allowing you to complete your application at any location with internet access.

Our online service is committed to protecting the privacy of our users. When you supply any personal information to this site we have legal obligations towards you in the way we deal with your data as follows:

  1. We will hold your personal information on our systems for as long as needed to meet the service you have requested, and remove it in the event that the purpose has been met.
  2. We will ensure that all personal information supplied is held securely, in accordance with the UK Data Protection Legislation and the European General Data Protection Regulation (GDPR).
  3. We will provide a safe and secure experience for users of this site.
  4. We will ensure that the information you submit to us remains private, and is only used for the purposes set out below.

Fair Processing Principles

  • Your personal information is only processed with your knowledge.
  • Only information that we actually need is collected and processed.
  • Your personal information is only seen by those who need it to do their jobs.
  • Personal information is retained only for as long as it is required.
  • Decisions affecting you are made on the basis of reliable and up to date information.
  • Your information is protected from unauthorised or accidental disclosure.
  • Inaccurate or misleading data will be corrected as soon as possible.
  • Procedures are in place for dealing promptly with any dispute.

All information requested is used solely for the purpose of producing a Disclosure Scotland or DBS certificate (as appropriate for your location) and is collected, stored and processed by Care Check, Disclosure Scotland and the DBS in accordance with the UK Data Protection Act Legislation and GDPR. We will treat your personal information as confidential and we will not disclose it to any third party except: (i) with your prior agreement; (ii) as necessary for providing our eBulkPlus online disclosure service to you; or (iii) as required by law.

Any organisation which uses this eBulkPlus online disclosure service is obliged to sign a service contract requiring them to:

  • Abide by the UK Data Protection Legislation and GDPR
  • Have a policy for secure storage, handling, use, retention and disposal of Disclosures and Disclosure Information

The Security Watchdog eBulkPlus solution is hosted within an ISO27001, Capita owned data centre and all components of the service are protected by intrusion detection and intrusion prevention devices. Completed applications are fully encrypted and securely transferred to Disclosure Scotland and DBS using the eBulkPlus Interface.

The Disclosure and Barring Service will refer the details provided on this application form to government and law enforcement bodies in accordance with any relevant legislation. The details provided to these bodies will be used for identifying possible matches to records held by them. Where such a match is established, data may be released to the DBS for inclusion on any certificate issued. The details provided on this form may be used to update the records held by the bodies specified above. The details provided on the application form may be used to verify your identity for authentication purposes. The DBS may use any information provided by the DBS on a certificate or otherwise held by the DBS to inform any of its barring decisions made under its powers within the Safeguarding Vulnerable Groups Act 2006.

Who We Are

Care Check LTD (‘we’ or ‘us’ or ‘our’) gather and process your personal information in accordance with this privacy notice and in compliance with the relevant data protection Regulation and laws. This notice provides you with the necessary information regarding your rights and our obligations, and explains how, why and when we process your personal data.

Care Check’s registered office is at Suite 1 Basepoint, Crab Apple Way, Evesham, WR11 1GP and we are a company registered in England and Wales under company number 08076261. We are registered on the Information Commissioner’s Office Register, registration number Z330403X, and act as the data processor when processing your data. Our designated Data Protection Officer/Appointed Person is Charles Eason, who can be contacted at the above address, or by phone on 0333 777 8575.

Information That We Collect

Care Check Ltd processes your personal information to meet our legal, statutory and contractual obligations and to provide you with our products and services. We will never collect any unnecessary personal data from you and do not process your information in any way, other than as specified in this notice.

The personal data that we collect from you is: –

  • Name
  • Date of Birth
  • Home Address
  • Previous addresses
  • Employment details
  • Personal Email
  • Business Email
  • Home Telephone Number
  • Mobile Telephone Number
  • National Insurance Number
  • Passport Number
  • Driver’s License Number
  • Gender
  • Previous names/Aliases
  • Mother’s maiden name

We collect information in the below ways: –

Secure online forms, and occasionally via telephone or secure email when answering queries.

How We Use Your Personal Data (Legal Basis for Processing)

Care Check Ltd takes your privacy very seriously and will never disclose, share or sell your data without your consent, unless required to do so by law. We only retain your data for as long as is necessary and for the purpose(s) specified in this notice. Where you have consented to us providing you with promotional offers and marketing, you are free to withdraw this consent at any time. The purposes and reasons for processing your personal data are detailed below: –

  • We collect your personal data purely for the processing of DBS Checks for employment or volunteering.

Your Rights

You have the right to access any personal information that Care Check Ltd processes about you and to request information about: –

  • What personal data we hold about you
  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients to whom the personal data has/will be disclosed
  • How long we intend to store your personal data for
  • If we did not collect the data directly from you, information about the source

If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to do so as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified.

You also have the right to request erasure of your personal data or to restrict processing (where applicable) in accordance with the data protection laws; as well as to object to any direct marketing from us. Where applicable, you have the right to data portability of your information and the right to be informed about any automated decision-making we may use.

If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the request; this is to ensure that your data is protected and kept secure.

Sharing and Disclosing Your Personal Information

We do not share or disclose any of your personal information without your consent, other than for the purposes specified in this notice or where there is a legal requirement. Care Check Ltd uses third-parties to provide the below services and business functions; however, all processors acting on our behalf only process your data in accordance with instructions from us and comply fully with this privacy notice, the data protection laws and any other appropriate confidentiality and security measures.

Disclosure and Barring Service

The DBS provide the processing of all levels of DBS checks; all information collected within the DBS application form is shared with them.

Disclosure Scotland

Disclosure Scotland provide the processing of Basic level checks for applicants living within Scotland.

Intuit

We use Intuit for the processing of our accounts, sending out invoices, statements and reminders. All information Intuit hold about our clients is held within the EU. The only information stored within their system is basic contact information for the purposes of sending out invoices.

Capita PLC

Capita PLC are our system providers and they provide the IT infrastructure for sending secure DBS application information between Care Check and the DBS/Disclosure Scotland. All information that is held within this system is encrypted on transfer. IT staff within Capita only view application information at our request when diagnosing technical issues. The Capita PLC system holds the DBS information, plus the information relating to our registered clients, e.g. Employers/Charities etc. All information is held within the EU.

Campaign Monitor

We use Campaign Monitor to send out bulk mailers relating to system updates, legislation changes, ID rules, and system downtime. The only information held within Campaign Monitor’s system is registered clients’ email addresses. All info is held within the EU.

Sage Pay

We use Sage Pay for the processing of credit/debit card information. We have a separate policy for this supplier that can be found within our guidance pages.

Call Credit

We use Call Credit for the processing of Route 2 ID external ID validations. The only information shared with Call Credit is the applicant’s title, name and postal code. This data is held within the EU.

Safeguarding Measures

Care Check Ltd takes your privacy seriously and takes every reasonable measure and precaution to protect and secure your personal data. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures in place, including: –

SSL, TLS, encryption, pseudonymisation, restricted access, IT authentication, firewalls and anti-virus/malware protection.

Consequences of Not Providing Your Data

You are not obligated to provide your personal information to Care Check Ltd, however, as this information is required for us to provide you with our services we will not be able to offer all our services without it.

How Long We Keep Your Data

Care Check Ltd only ever retains personal information for as long as is necessary and we have strict review and retention policies in place to meet these obligations. We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after which time it will be destroyed. DBS information is archived within our system after 6 months and completely removed after 6 years.

Where you have consented to us using your details for direct marketing, we will keep such data until you notify us otherwise and/or withdraw your consent.

Special Categories Data

Owing to the products, services or treatments that we offer, Care Check Ltd sometimes needs to process sensitive personal information (known as special category data) about you, to provide employers/volunteering organisations with a result. Where we collect such information, we will only request and process the minimum necessary for the specified purpose and identify a compliant legal basis for doing so.

Legitimate Interests

Care Check Ltd will occasionally send you service updates, promotion and guidance by email that have been identified as being beneficial to our customers and in our interests. Such information will be relevant to you as a customer and is non-intrusive and you will always have the option to opt-out/unsubscribe at any time.

Lodging A Complaint

Care Check Ltd only processes your personal information in compliance with this privacy notice and in accordance with the relevant data protection laws. If, however you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we have handled your information, you have the right to lodge a complaint with the supervisory authority.

Cancellation must be made by calling us on 0333 777 8575 between 9am and 5pm Monday to Friday. We reserve the right to process and charge in full for any disclosures unless we have received notice of cancellation before submission to DBS (formerly known as CRB) or DS. Any payments you have made for disclosures that have been properly cancelled will be re-credited to you.

Despite the above provision, you are entitled to cancel a payment for products where fraudulent use has been made of your payment card by a person not acting, or to be treated as acting, as your agent. If you have already made a payment where your payment card has been so fraudulently used, then you should approach your card issuer for re-credit to your account.

We reserve the right to terminate or restrict the use of our service, for any or no reason whatsoever. If we terminate your use of our service as a result of a breach of any obligation under these terms, such termination would be immediate and without notice.

Care Check terms of service (e-Bulk Electronic Applications)

Our client organisations must adhere to the following conditions when applying for, receiving, holding and disposing of Criminal Disclosures via the e-Bulk Online application channel or Paper Route.

  1. The Client must nominate a designated individual(s) who will act as the client’s contact point for all DBS matters and receive Disclosure information.
  2. The client organisation will provide details of the person(s) who will verify the identity of the applicant, and that identity validation will be done in accordance with DBS guidelines using only original documents, and ensure that all applicant details are checked in the same manner.
  3. The client organisation must inform Care Check immediately in writing should the person(s) checking the identity of the applicants change.
  4. The client organisation will observe and fully adhere to the DBS (CRB) code of practice.
  5. Clients using the e-Bulk system will ensure that the “Statement of Fair Processing” is made available to all applicants upon request.
  6. The client organisation is likely and will remain likely to genuinely ask an exempted question.
  7. The client organisation will make all disclosure applicants aware of the Code of Practice when recruiting and will make a copy available to all disclosure applicants upon request.
  8. The client organisation has a satisfactory written policy on the recruitment of ex-offenders and issues a copy of the policy to all disclosure applicants at the start of the recruitment process.
  9. The client organisation is aware that a statement must be included on its application forms or accompanying documentation, that a disclosure will be requested in the event of an applicant being offered a position.
  10. The client organisation is aware that it must include a statement on its application forms, or accompanying documentation, that a criminal record will not necessarily be a bar to obtaining a position.
  11. The client organisation must provide a statement in all employment advertisements that Disclosure will be required in the event that a post is offered.
  12. The client organisation has a written policy on the secure storage, handling, retention and disposal of disclosure information.
  13. The client organisation will not retain disclosures or a record of the information contained within them for longer than is required for the particular purpose. This should be no longer than 6 months after the date on which the recruitment or other relevant decisions have been taken, or after the date on which any dispute about the accuracy of the disclosure information has been resolved. The period should only be exceeded in very exceptional circumstances, which justify retention for a longer period. (Disclosure information may be retained for longer than 6 months for the purpose of audit where organisations are regulated by CQC or OFSTED)
  14. All Disclosure certificates will be destroyed in accordance with the DBS (CRB) Code of Practice by shredding, pulping or burning.
  15. The client organisation will keep all Disclosure information securely, in accordance with the DBS (CRB) Code of Practice, separate from their staff members’ files and within a locked storage unit that cannot be moved by fewer than 2 persons.
  16. The client organisation is aware of what additional information is, and that under no circumstances can this information be divulged to an applicant (or person who is not authorised to have access to this information) and that to do so would constitute a criminal offence.
  17. Additional information is very sensitive and must be treated with the utmost caution. Should the client organisation be informed of additional information then they should be careful to base their withdrawal of an offer of employment on pre-employment checks, and avoid letting the applicant know that there is “additional information”.
  18. Client organisations should discuss any matters revealed in the disclosure with the applicant before withdrawing the offer of employment.
    Information provided on the disclosure is confidential, and as such should only be available to those persons named in the client contract. (Unless the person is a registered inspector with the CQC, CSCIW or OFSTED)
  19. Care Check reserves the right to make assurance visits to our client organisations to ensure that they are fully complying with the terms and conditions of our contract and the DBS (CRB) Code of Practice.
  20. Should Care Check find that any part of this contract is being breached, it reserves the right to withdraw its service with immediate effect.
  21. It is the client organisation’s responsibility to state the level of check they require and if the applicant is working with Children, Vulnerable Adults or both.
  22. Care Check shall have no liability for defective services where the defect has been caused or contributed to by the client organisation.
  23. Care Check shall have no liability for defective services where the defect has been caused or contributed to by DBS (CRB).
  24. Care Check shall have no liability to the client organisation for services if invoice payments have not been received by the due dates of payment.
  25. Care Check have no liability for additional damage, loss, liability, claims or expenses caused or contributed to by the Client’s continued use of services or the continued engagement of an Applicant once an error or defect in the relevant Disclosure has become apparent.
  26. Care Check shall have no liability for any matters which are outside its reasonable control.
  27. Care Check shall have no liability to the client for any consequential losses, loss of profits and/or damage to goodwill, economic losses, special damages and indirect losses or business interruption, loss of business, contracts, opportunity and production.
  28. Invoiced Clients shall pay Care Check for all invoices within 15 days of receipt. Invoices are raised and sent upon receipt of application. Invoices will be raised for the application if completed correctly or if in need of amendment.
  29. Clients using the e-Bulk online channel will ensure that all passwords and log on details are kept private and are under no circumstances passed on to any other person.
  30. Clients using the e-Bulk system will change their passwords on a regular basis, preferably every month, not rotating the same password within a three-month period.
  31. Clients using the e-Bulk system shall take reasonable care to ensure that no person is within distance to take note of log on details or disclosure information when accessing the e-Bulk system.
  32. ID Checkers using the e-Bulk system shall always check original ID, not photocopies, at the time that the information is input into the e-Bulk system.
  33. Clients using the e-Bulk system shall keep the information held securely on it, unless it needs to be printed for the purposes of audit.
  34. Clients using the e-Bulk system who print disclosures for the purpose of audit shall only print them once and shall keep them in accordance with the DBS (CRB) Code of Practice and their policy on the secure storage, retention and disposal of disclosure information.
  35. Responsible persons using the e-Bulk system, or the responsible person’s employers, shall inform Care Check immediately if they are to leave the client organisation or cease using the system so their log on details can be deleted immediately.
  36. ID Checkers using the e-Bulk system, or the ID Checker’s employers, shall inform Care Check immediately if they are to cease being employed by the client organisation or cease using the system so their log on details can be deleted immediately.
  37. Disclosure certificates shall not be passed on to persons not named in the service contract without the written consent of the applicant.

Care Check Data Processing Agreement/Terms

WHEREAS:

(1) [Under a written agreement between the Data Controller and the Data Processor the Data Processor provides to the Data Controller] OR [The Data Controller from time to time engages the Data Processor to provide to the Data Controller] the Services described in Schedule 1.

(2) The provision of the Services by the Data Processor involves it in processing the Personal Data described in Schedule 2 on behalf of the Data Controller.

(3) Under EU Regulation 2016/679 General Data Protection Regulation (“the GDPR”) (Article 28, paragraph 3), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organisation which processes personal data on its behalf governing the processing of that data.

(4) The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller.

(5) The terms of this Agreement are to apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing.

IT IS AGREED as follows:

  1. Definitions and Interpretation
    • In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:

“Data Controller”, “Data Processor”, “processing”, and “data subject” shall have the meanings given to the terms “controller”, “processor”, “processing”, and “data subject” respectively in Article 4 of the GDPR;

“ICO” means the UK’s supervisory authority, the Information Commissioner’s Office;

“Personal Data” means all such “personal data”, as defined in Article 4 of the GDPR, as is, or is to be, processed by the Data Processor on behalf of the Data Controller, as described in Schedule 2;

“Services” means those [services] AND/OR [facilities] described in Schedule 1 which are provided by the Data Processor to the Data Controller and which the Data Controller uses for the purpose[s] described in Schedule 1;

“Sub-Processor” means a sub-processor appointed by the Data Processor to process the Personal Data; and

“Sub-Processing Agreement” means an agreement between the Data Processor and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor, as described in Clause 10.

  • Unless the context otherwise requires, each reference in this Agreement to:
    • “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
    • a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
    • “this Agreement” is a reference to this Agreement and each of the Schedules as amended or supplemented at the relevant time;
    • a Schedule is a schedule to this Agreement; and
    • a Clause or paragraph is a reference to a Clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule.
    • a “Party” or the “Parties” refer to the parties to this Agreement.
  • The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.
  • Words imparting the singular number shall include the plural and vice versa.
  • References to any gender shall include all other genders.
  • References to persons shall include corporations.

  2. Scope and Application of this Agreement
    • The provisions of this Agreement shall apply to the processing of the Personal Data described in Schedule 2, carried out for the Data Controller by the Data Processor, and to all Personal Data held by the Data Processor in relation to all such processing whether such Personal Data is held at the date of this Agreement or received afterwards.
    • The provisions of this Agreement supersede any other arrangement, understanding, or agreement [including, but not limited to, the Service Agreement] made between the Parties at any time relating to the Personal Data.
    • This Agreement shall continue in full force and effect for so long as the Data Processor is processing Personal Data on behalf of the Data Controller, and thereafter as provided in Clause 9.

  3. Provision of the Services and Processing Personal Data

The Data Processor is only to carry out the Services, and only to process the Personal Data received from the Data Controller:

  • for the purposes of those Services and not for any other purpose;
  • to the extent and in such a manner as is necessary for those purposes; and
  • strictly in accordance with the express written authorisation and instructions of the Data Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Data Controller to the Data Processor).

  4. Data Protection Compliance
    • All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with the GDPR and other applicable laws. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by law to do otherwise (as per Article 29 of the GDPR).
    • The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal
    • The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with the Data Controller’s written instructions.
    • Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR.
    • The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and processing, and that the Data Controller has in place all necessary and appropriate consents and notices to enable the lawful transfer of the Personal Data to the Data Processor.
    • The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO.
    • The Data Processor shall provide all reasonable assistance [(at the Data Controller’s cost)] to the Data Controller in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO.
    • When processing the Personal Data on behalf of the Data Controller, the Data Processor shall:
      • not process the Personal Data outside the [United Kingdom] OR [European Economic Area (all EU member states, plus Iceland, Liechtenstein, and Norway) (“EEA”)] without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer to a country that is outside of the EEA, to comply with the obligations of Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the GDPR by providing an adequate level of protection to any Personal Data that is transferred;
      • not transfer any of the Personal Data to any third party without the written consent of the Data Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 10;
      • process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law (in which case, the Data Processor shall inform the Data Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
      • implement appropriate technical and organisational measures, as described in Schedule 3, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. The Data Processor shall inform the Data Controller in advance of any changes to such measures;
      • if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
      • keep complete and accurate records and information concerning all processing activities carried out on the Personal Data in order to demonstrate its compliance with this Agreement;
      • make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the Data Processor’s compliance with the GDPR;
      • on [at least 30 days’] OR [reasonable] prior notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the GDPR. The requirement to give notice will not apply if the Data Controller believes that the Data Processor is in breach of any of its obligations under this Agreement or under the law; and
      • inform the Data Controller immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.

  5. Data Subject Access, Complaints, and Breaches
    • The Data Processor shall [, at the Data Controller’s cost,] assist the Data Controller in complying with its obligations under the GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches.
    • The Data Processor shall notify the Data Controller [without undue delay] OR [within 30 days] if it receives:
      • a subject access request from a data subject; or
      • any other complaint or request relating to the processing of the Personal Data.
    • The Data Processor shall [, at the Data Controller’s cost,] cooperate fully with the Data Controller and assist as required in relation to any subject access request, complaint, or other request, including by:
      • providing the Data Controller with full details of the complaint or request;
      • providing the necessary information and assistance in order to comply with a subject access request;
      • providing the Data Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller); and
      • providing the Data Controller with any other information requested by the Data Controller.
    • The Data Processor shall notify the Data Controller immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.

 

  1. [Appointment of a Data Protection Officer
    • [The Data Controller has appointed a Data Protection Officer in accordance with Article 37 of the GDPR
    • [The Data Processor shall appoint a Data Protection Officer in accordance with Article 37 of the GDPR and shall supply the details of the Data Protection Officer to the Data Controller prior to the commencement of the processing.]

      OR

      [The Data Processor has appointed a Data Protection Officer in accordance with Article 37 of the GDPR

 

  1. Liability and Indemnity
    • The Data Controller shall be liable for, and shall indemnify (and keep indemnified) the Data Processor in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Data Processor [and any Sub-Processor] arising directly or in connection with:
      • any non-compliance by the Data Controller with the GDPR or other applicable legislation;
      • any Personal Data processing carried out by the Data Processor [or Sub-Processor] in accordance with instructions given by the Data Controller that infringe the GDPR or other applicable legislation; or
      • any breach by the Data Controller of its obligations under this Agreement,

except to the extent that the Data Processor [or Sub-Processor] is liable under sub-Clause 7.2.

  • The Data Processor shall be liable for, and shall indemnify (and keep indemnified) the Data Controller in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Data Controller arising directly or in connection with the Data Processor’s Personal Data processing activities that are subject to this Agreement:
    • only to the extent that the same results from the Data Processor’s [or a Sub-Processor’s] breach of this Agreement; and
    • not to the extent that the same is or are contributed to by any breach of this Agreement by the Data Controller.
  • The Data Controller shall not be entitled to claim back from the Data Processor [or Sub-Processor] any sums paid in compensation by the Data Controller in respect of any damage to the extent that the Data Controller is liable to indemnify the Data Processor [or Sub-Processor] under sub-Clause 7.1.
  • Nothing in this Agreement (and in particular, this Clause 7) shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party’s direct obligations under the GDPR. Furthermore, the Data Processor hereby acknowledges that it shall remain subject to the authority of the ICO and shall co-operate fully therewith, as required, and that failure to comply with its obligations as a data processor under the GDPR may render it subject to the fines, penalties, and compensation requirements set out in the GDPR.

 

  1. Intellectual Property Rights

All copyright, database rights, and other intellectual property rights subsisting in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either the Data Controller or the Data Processor) shall belong to the Data Controller or to any other applicable third party from whom the Data Controller has obtained the Personal Data under licence (including, but not limited to, data subjects, where applicable). The Data Processor is licensed to use such Personal Data under such rights only [for the term of the Service Agreement,] for the purposes of the Services, and in accordance with this Agreement.

 

  1. Confidentiality
    • The Data Processor shall maintain the Personal Data in confidence, and in particular, unless the Data Controller has given written consent for the Data Processor to do so, the Data Processor shall not disclose any Personal Data supplied to the Data Processor by, for, or on behalf of, the Data Controller to any third party. The Data Processor shall not process or make any use of any Personal Data supplied to it by the Data Controller otherwise than in connection with the provision of the Services to the Data Controller.
    • The Data Processor shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
    • The obligations set out in this Clause 9 shall continue for a period of 30 days after the cessation of the provision of Services by the Data Processor to the Data Controller.
    • Nothing in this Agreement shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.

 

  1. Appointment of Sub-Processors
    • The Data Processor shall not sub-contract any of its obligations or rights under this Agreement without the prior written consent of the Data Controller (such consent not to be unreasonably withheld).
    • In the event that the Data Processor appoints a Sub-Processor (with the written consent of the Data Controller), the Data Processor shall:
      • enter into a Sub-Processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon the Data Processor by this Agreement and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and
      • ensure that the Sub-Processor complies fully with its obligations under the Sub-Processing Agreement and the GDPR.
    • In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, the Data Processor shall remain fully liable to the Data Controller for failing to meet its obligations under this Agreement.

 

  1. Deletion and/or Disposal of Personal Data
    • The Data Processor shall, at the written request of the Data Controller, delete (or otherwise dispose of) the Personal Data or return it to the Data Controller in the format(s) reasonably requested by the Data Controller within a reasonable time after the earlier of the following:
      • the end of the provision of the Services [under the Service Agreement]; or
      • the processing of that Personal Data by the Data Processor is no longer required for the performance of the Data Processor’s obligations under [this Agreement] AND/OR [the Service Agreement].
    • Following the deletion, disposal, or return of the Personal Data under sub-Clause 11.1, the Data Processor shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case the Data Processor shall inform the Data Controller of such requirement(s) in writing.
    • All Personal Data to be deleted or disposed of under this Agreement shall be deleted or disposed of using the following method(s): Data Cleanse via system.

 

  1. [Consideration

The Data Processor accepts the obligations in this Agreement in consideration of the payment of £1 from the Data Controller, which the Data Processor hereby acknowledges.]

 

  1. Law and Jurisdiction
    • This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.
    • Any dispute, controversy, proceedings or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.

Deliveries can only be made to addresses within the United Kingdom (including Northern Ireland). This excludes PO Box addresses.

We currently use Royal Mail pre-paid postage to deliver your disclosures to you. Actual delivery times may vary depending on your delivery address or circumstances impacting delivery by Royal Mail.

We reserve the right to use alternative delivery methods without prior notification. You will not hold us responsible for any delays outside our control, which relate to the delivery of completed disclosures.

We reserve the right to cancel your login to the online disclosure system if it becomes apparent that, in our sole opinion, the postal service in your area is too unreliable.