Data Processing Schedule
Part A: Operative provisions
1.1 In this Schedule all capitalised terms in this DPA shall have the meaning as prescribed by the VettingGateway Terms as located at www.vettinggateway.com/terms or as otherwise agreed between the parties, unless otherwise defined below:
Controller has the meaning given in applicable Data Protection Laws from time to time;
Data Protection Laws means, as binding on either party or the Services:
(a) the EU GDPR;
(b) the UK GDPR and the UK DPA 2018;
(c) any laws which implement or supplement any such laws; and
(d) any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;
Data Subject has the meaning given in applicable Data Protection Laws from time to time;
EEA Data Protection Laws means Data Protection Laws applicable under the laws of the European Economic Area, the European Union or any of their member states;
EEA Protected Data has the meaning given in paragraph 4.2 of this Part A;
EU GDPR means the General Data Protection Regulation, Regulation (EU) 2016/679;
GDPR means the EU GDPR and UK GDPR (as applicable in the circumstances);
Personal Data has the meaning given in applicable Data Protection Laws from time to time;
Personal Data Breach has the meaning given in applicable Data Protection Laws from time to time;
Processing has the meaning given in applicable Data Protection Laws from time to time (and related expressions, including process, processed and processes shall be construed accordingly);
Processor has the meaning given in applicable Data Protection Laws from time to time;
Protected Data means Personal Data received from or on behalf of the Client in connection with the performance of VettingGateway’s obligations under this Agreement;
Relevant Law means:
(a) in respect of EEA Protected Data, all applicable law(s) of the European Economic Area and European Union and of the relevant member state(s) of either; and
(b) in respect of UK Protected Data, all applicable law(s) of the United Kingdom (or of any part of the United Kingdom);
Sub-Processor means any Processor engaged by VettingGateway (or by any other Sub-Processor) for carrying out any processing activities in respect of the Protected Data on behalf of the Client;
Transfer bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR. Related expressions such as Transfers, Transferred and Transferring shall be construed accordingly;
UK Data Protection Laws means the Data Protection Laws applicable under the laws of the United Kingdom (or of any part of the United Kingdom), including the UK GDPR and UK DPA 2018;
UK DPA 2018 means the United Kingdom’s Data Protection Act 2018;
UK GDPR has the meaning given to that term in the UK DPA 2018; and
UK Protected Data has the meaning given in paragraph 4.1 of this Part A.
2. Client’s compliance with Data Protection Laws
The parties agree that the Client is a Controller and that VettingGateway is a Processor for the purposes of processing Protected Data pursuant to the Agreement. The Client shall, at all times, comply with all Data Protection Laws in connection with the processing of Protected Data. The Client shall ensure all instructions given by it to VettingGateway in respect of Protected Data (including the terms of the Agreement) shall at all times be in accordance with all Data Protection Laws.
3. VettingGateway’s compliance with Data Protection Laws
VettingGateway shall process Protected Data in compliance with the obligations placed on it under Data Protection Laws and the terms of the Agreement.
4. Applicable Data Protection Laws
4.1 The parties have agreed that the following Protected Data is to be treated as subject to UK Data Protection Laws: all Protected Data concerning a UK Data Subject (collectively, UK Protected Data).
4.2 The parties have agreed that the following Protected Data is to be treated as subject to EEA Data Protection Laws: all Protected Data concerning an EU Data Subject (collectively, EEA Protected Data).
4.3 If VettingGateway is subject to any new or amended applicable laws at any time that conflict with any of its obligations under this Schedule it may amend the Agreement by notice in accordance with clause 15.2 of the Terms of Service.
5.1 VettingGateway shall only process (and shall ensure VettingGateway personnel only process) the Protected Data to the extent such processing is necessary in accordance with the provision of the Services under the Agreement or on the Client’s documented instructions in accordance with Part B of this Schedule and the Agreement (including with regard to any Transfer to which paragraph 9 of this Part A relates), except to the extent:
5.1.1 that alternative processing instructions are agreed between the parties in writing; or
5.1.2 otherwise required by Relevant Law (and shall inform the Client of that legal requirement before processing, unless Relevant Law prevents it doing so on important grounds of public interest).
5.2 If VettingGateway believes that any instruction received by it from the Client is likely to infringe the Data Protection Laws, it shall be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions which are not infringing. The Charges payable to VettingGateway shall not be discounted or set-off as a result of any delay or non-performance of any obligation in accordance with this paragraph 5.2.
6.1 VettingGateway shall implement and maintain technical and organisational measures to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.
6.2 Protected Data processed by VettingGateway shall be collected and processed by the Client in accordance with Data Protection Laws and without limitation to the foregoing, the Client shall take all steps necessary including without limitation providing appropriate privacy notices and ensuring that there is a lawful basis or bases as specified in Part B of this Schedule for both the Client and VettingGateway to process Protected Data (including, without limitation, by obtaining valid explicit consent from the Data Subjects) to ensure that the Processing of the Protected Data by VettingGateway in accordance with the Agreement is in accordance with all Data Protection Laws.
7. Sub-processing and personnel
7.1 VettingGateway shall:
7.1.1 not permit any processing of Protected Data by any Sub-Processor without the prior general authorisation of the Client;
7.1.2 prior to any Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure such Sub-Processor is appointed under a binding written contract containing materially the same obligations as under this Schedule (including those relating to sufficient guarantees to implement appropriate technical and organisational measures);
7.1.3 remain fully liable to the Client under this Agreement for all the acts and omissions of each Sub-Processor as if they were its own; and
7.1.4 ensure that all natural persons authorised by VettingGateway to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential.
7.2 The Client authorises the appointment of the Sub-Processors listed below:
Processing this Sub-Processor is authorised to undertake
TrustID Limited – a company incorporated in England with registered number 05953015, whose registered office is at The Blade, Abbey Street, Reading, England, RG1 3BA
To undertake an identity verification and right to work (RTW) eligibility check.
Amazon Web Services EMEA SARL, located at Avenue John F. Kennedy 38, Luxembourg, 1855, Luxembourg
Web and data hosting services, i.e. storing your personal data on computer equipment so it can be accessed by us and permitted third parties online in order to run our business and provide services to the Client.
Redline Assured Security Ltd – a company incorporated in England with registered number 05915087, whose registered office is at C/O Air Partner Plc 2 City Place, Beehive Ring Road, Gatwick, United Kingdom, RH6 0PA
To facilitate General Security Awareness Training (GSAT).
EXPERIAN LIMITED – a company incorporated in England with registered number 00653331, whose registered office is at The Sir John Peace Building, Experian Way, NG2 Business Park, Nottingham, NG80 1ZZ
To undertake the following types of check:
Adverse financial check
Complete Background Screening Limited – a company incorporated in England with registered number 05435348, whose registered office is at The Screening House, Cwm Cynon Business Park, Mountain Ash, Wales, CF45 4ER
To undertake a criminal record check.
YHH Technologies Ltd – a company incorporated in England with registered number 10113268, whose registered office is at Mallory House, Goostrey Way, Mobberley, Cheshire WA16 7GY
To undertake a social media check.
7.3 The Client generally authorises the appointment of any other Sub-Processor (either in addition to or in replacement of any of those listed at clause 7.2) which VettingGateway may reasonably wish to engage as part of its normal business activities or the provision of its services. VettingGateway shall inform the Client of its intention to appoint any such additional or replacement Sub-Processor before any such Sub-Processor processes any Protected Data. In the event that the Client objects to any such appointment, the Client may, where technically feasible, restrict its use of the services such that the Sub-Processor in question does not process any Protected Data for the Client or, where VettingGateway confirms in writing (following receipt of an objection) that such restriction is not technically possible, then the Client may terminate its use of the services in accordance with clause 10 of the Terms of Service.
8.1 VettingGateway shall (at the Client’s cost and expense) assist the Client in ensuring compliance with the Client’s obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to VettingGateway.
8.2 VettingGateway shall (at the Client’s cost and expense) and taking into account the nature of the processing, assist the Client (by appropriate technical and organisational measures), insofar as this is possible, for the fulfilment of the Client’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR in respect of any Protected Data.
8.3 VettingGateway shall promptly refer to the Client all requests it receives for exercising any Data Subjects’ rights under Chapter III of the GDPR which relate to any Protected Data. It shall be the Client’s responsibility to reply to all such requests as required by applicable law.
9. International Transfers
9.1 VettingGateway shall not Transfer or otherwise process any Protected Data in or to any country or territory or to any ‘international organisation’ (as defined in the GDPR) without the prior written authorisation of the Client, except where (a) required by Relevant Law (in which case the provisions of paragraph 5 of this Part A shall apply) or (b) in the normal course of using the Software, the Client causes certain elements of Protected Data to be transferred outside of the European Economic Area or the United Kingdom, for example, by sending a reference request to a recipient in India or by communicating via the Software with a referee in the USA.
9.2 VettingGateway is authorised and instructed that it may Transfer and process:
9.2.1 any EEA Protected Data in and to: (a) the European Economic Area; and (b) any country or territory that has a valid adequacy decision further to Article 45 of the EU GDPR at the time of its Transfer to that country or territory; and
9.2.2 any UK Protected Data in and to: (a) the United Kingdom; and (b) any country or territory that has a valid adequacy regulation within the meaning of Article 45 of the UK GDPR at the time of its Transfer to that country or territory.
9.3 VettingGateway and each Sub-Processor is not obliged to undertake any unlawful Transfer or processing of Protected Data and shall not be liable to the extent that it (or any Sub-Processor) is delayed in or fails to perform any obligation under this Agreement due to it (or any Sub-Processor) being unable (or believing it is unable) to undertake any Transfer or processing in a lawful manner. The Charges payable to VettingGateway shall not be discounted or set-off as a result of any delay or non-performance of any obligation in accordance with this paragraph 9.3.
10. Requests for information on processing activities
VettingGateway shall (at the Client’s cost and expense) make available to the Client on request such information that is in its possession or control as is reasonable and necessary to demonstrate VettingGateway’s compliance with the obligations placed on it under this Schedule and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR.
VettingGateway shall notify the Client without undue delay and in writing on becoming aware of any Personal Data Breach in respect of any Protected Data.
12.1 Following termination of the Agreement VettingGateway shall have no obligation to retain any Protected Data. If the Client wishes to export any Protected Data, it must do so in accordance with the functions available in the Software. Where the Client requires VettingGateway to mass export any Protected Data then a charge shall be levied for this additional service which VettingGateway shall advise to the Client at the time;
12.2 VettingGateway may following termination of the Agreement retain certain Protected Data for statistical and analytical purposes, provided that such Protected Data contains no personally identifiable information or is otherwise retained in accordance with applicable Data Protection Laws.
13.1 This Schedule shall survive termination or expiry of the Agreement:
13.1.1 indefinitely in the case of paragraph 12 of this Part A; and
13.1.2 in the case of all other paragraphs and provisions of this Schedule, until the later of:
(a) the termination or expiry of this Agreement; or
(b) return or secure deletion or disposal of the last of the Protected Data in VettingGateway’s (or any of its Sub-Processor’s) possession or control in accordance with this Agreement.
Part B: Data processing details
Processing of the Protected Data by VettingGateway under the Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in this Part B.
1. Subject-matter of processing:
The provision of VettingGateway Services to the Client as set out in the Agreement.
2. Duration of the processing:
The length of the Agreement.
3. Nature and purpose of the processing:
Delivery of the VettingGateway Services to the Client as set out in the Agreement.
4. Type of Personal Data:
Identity information including forenames, middle names, last names, maiden names, usernames or similar identifiers, gender, nationality, place and date of birth, any previous names and National Insurance number; Information relating to your right to work in the UK; Contact details including phone numbers and email addresses; Job titles; Current address and address history; Copies of identification documents in relevant combinations in order to meet background checking or employment criteria, which may include but are not limited to your driving licence, passport, birth certificate, bank statements, council tax statements or other utility bills; Current employment and/or previous employment details, including names, job titles and contact details of referees; Current and/or previous educational details including where you studied, the qualifications and grades you achieved, and names, job titles and contact details of educational referees; Details of personal and/or character referees including their names, job titles and contact details; Information about how you use our website, IT, communication and other systems; Details of IP addresses and other identifiers; Criminal record history.
5. Categories of Data Subjects:
Employees, candidates and contractors of the Client who (as Controller) has requested that their data (and that of their referees, where applicable) be provided to VettingGateway (as Processor).
6. Special categories of Personal Data:
Personal data revealing racial or ethnic origin.
7. Lawful basis/bases for Processing:
For Special Category Data, the lawful basis for Processing shall always be explicit consent. For all other Processing, the lawful basis shall be either (a) consent, or (b) contractual obligations, or (c) legitimate interests.