Data processing agreement

Our agreement with you

This Data processing agreement applies to the extent that Amiqus Resolution Limited processes personal data on behalf of Amiqus clients, which together with:

form the contract between you (“the Client”) and us. This agreement supersedes any written or oral representations, statements, understandings or agreements.

Any obligation imposed on the supplier under this agreement in relation to the processing of personal data shall survive any termination or expiration of the main agreement.

With regard to the subject matter of this agreement, in the event of any conflict or inconsistency between any provision of the main agreement and any provision of this agreement, the provision of this agreement shall prevail. In the event of any conflict or inconsistency between the main agreement or this agreement and the standard contractual clauses, as applicable, the UK International Data Transfer Agreement or the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall prevail.

Definitions

  • The terms “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “personal data breach”, and “data protection impact assessment” shall have the same meaning as described in Data protection laws;
  • “Agreement” means this Data processing agreement;
  • “Authorised sub-processors” means (a) those sub-processors set out in the agreement (Authorised Sub-processors).
  • “Commissioner” means the Information Commissioner (see Article 4(A3), UK GDPR and section 114, Data Protection Act 2018);
  • “Data Protection Laws” means:
    • To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data and privacy.
    • To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Supplier or the Client is subject, which relates to the protection of personal data and privacy.
  • “EU GDPR”: the General Data Protection Regulation ((EU) 2017/679);
  • “EEA” means the European Economic Area;
  • “Personal data” means the data described (details of processing of personal data) and any other personal data processed by the supplier on behalf of the client pursuant to or in connection with the main agreement;
  • “Main agreement” means the Amiqus Business terms into which this agreement is incorporated;
  • “Sub-processor” means any data processor (including any affiliate of Amiqus) appointed by Amiqus to process personal data on behalf of the Amiqus client.
  • “Supervisory authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; (b) the Commissioner; and (c) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
  • “Supplier” means Amiqus Resolution Limited, provider of the service;
  • “The Client” means you, the company, firm, corporation or public authority who wishes to purchase the Service;
  • “The Service” means the service described in the Amiqus Business terms.
  • “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

Processing of personal data

Data controller and data processor

The parties agree that:

  • the client is a data controller and that,
  • the supplier is a data processor

for the purposes of processing personal data.

Each party shall, at all times in relation to processing connected with the main agreement, comply with data protection laws.

Details of the processing of personal data

As required by Article 28(3) GDPR, the information below outlines the details of the personal data processed by Amiqus on behalf of the client.

The supplier shall only process the types of personal data relating to the categories of data subjects for the purposes of the main agreement and for the specific purposes in each case as set out therein and shall not process, transfer, modify, amend or alter the personal data or disclose or permit the disclosure of the personal data to any third party other than in accordance with the client’s documented instructions and the data protection laws, unless processing is required by applicable law to which the supplier is subject, in which case the supplier shall to the extent permitted by such law inform the client of that legal requirement before processing that personal data.

The supplier will reasonably assist the client with meeting the client’s compliance obligations under the data protection laws, taking into account the nature of the supplier’s processing and the information available to the supplier, including in relation to data subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the data protection laws.

Subject matter: Employee or customer of the client

Duration: The Supplier will continue to process any data in accordance with the client’s instructions until the client deletes it from Amiqus or the main agreement ends, whichever is first, except where a requirement exists to retain data for legal or regulatory purposes. For example, DBS requires records of checks undertaken to be retained for 12 months. Any such data retained in accordance with this provision shall continue to be subject to the security and confidentiality restrictions contained in this Agreement.

Nature and purpose:

  • Employee vetting and screening
  • Customer due diligence to meet risk, legal, compliance standards

Types of personal data: Name, date of birth, address history, personal email address, telephone number, an identification card, professional registration details, National Insurance Number. Image of identification documents.

Types of special category personal data:

  • Image of passport
  • Image and video of face
  • Political information

Criminal history data:

  • Indicative notice of disclosure
  • Disclosure certificate
  • Client notes about disclosures

The supplier shall immediately inform the client if, in its opinion, an instruction pursuant to the Main Agreement or this agreement infringes data protection laws.

The Client warrants to and undertakes to the Supplier that: (i) it is entitled to disclose the Personal Data to the Supplier; all data subjects of the personal data; (ii) it has and will maintain for the term of the Agreement a valid lawful basis to process and share the Personal Data with the Supplier; (iii) it will ensure that the Personal Data is accurate and is kept up to date; (iv) all data subjects of the Personal Data have been or will be provided with appropriate privacy notices and information in accordance with Data protection laws; (v) where the legal basis relied on is consent or explicit consent, all consents have been obtained in accordance with Data protection laws to establish and maintain for the relevant term the necessary legal grounds, under Data protection laws for transferring the Personal Data to the Supplier to enable the Supplier to process the personal data in accordance with this Agreement and the Main Agreement.

Liability

The Client acknowledges that the Supplier is reliant on the Client for direction as to the extent to which it is entitled to use and process the personal data. Consequently, the supplier will not be liable for any claim arising from any action or omission by the supplier to the extent that such action or omission resulted from the client’s express instructions. The liability provisions in the Main Agreement shall apply to this agreement. Nothing in this Agreement shall exclude or limit any party’s liability which cannot legally be limited or excluded by applicable laws.

Effective from 06/09/2023 Last reviewed 14/07/2023 Version 1.4