Our agreement with you
This Data processing agreement applies to the extent that Amiqus Resolution Limited processes personal data on behalf of Amiqus clients, which together with:
- Your Contract schedule (where applicable)
- Amiqus’ Business terms
- Amiqus’ Service user terms
- Amiqus’ Privacy policy
form the contract between you (“the Client”) and us. This agreement supersedes any written or oral representations, statements, understandings or agreements.
Any obligation imposed on the Supplier under this agreement in relation to the processing of personal data shall survive any termination or expiration of the Main Agreement.
With regard to the subject matter of this agreement, in the event of any conflict or inconsistency between any provision of the Main Agreement and any provision of this agreement, the provision of this agreement shall prevail. In the event of any conflict or inconsistency between the main agreement or this agreement and as applicable, the UK International Data Transfer Agreement or the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall prevail.
Definitions
- The terms “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “personal data breach”, and “data protection impact assessment” shall have the same meaning as described in Data protection laws;
- “Agreement” means this Data processing agreement;
- “Authorised sub-processors” means (a) those sub-processors set out in the agreement (Authorised Sub-processors).
- “Commissioner” means the Information Commissioner (see Article 4(A3), UK GDPR and section 114, Data Protection Act 2018);
- “Data Protection Laws” means:
- To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data and privacy.
- To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Supplier or the Client is subject, which relates to the protection of personal data and privacy.
- “EU GDPR”: the General Data Protection Regulation ((EU) 2017/679);
- “EEA” means the European Economic Area;
- “Personal data” means the data described (details of processing of personal data) and any other personal data processed by the Supplier on behalf of the Client pursuant to or in connection with the Main Agreement;
- “Main Agreement” means the Amiqus Business Terms into which this agreement is incorporated;
- “Sub-processor” means any data processor (including any affiliate of Amiqus) appointed by Amiqus to process personal data on behalf of the Amiqus Client.
- “Supervisory authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; (b) the Commissioner; and (c) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
- “Supplier” means Amiqus Resolution Limited, provider of the service;
- “The Client” means you, the company, firm, corporation or public authority who wishes to purchase the Service;
- “The Service” means the service described in the Amiqus Business terms.
- “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
Processing of personal data
Data controller and data processor
The parties agree that:
- the Client is a data controller and that,
- the Supplier is a data processor
for the purposes of processing personal data.
Each party shall at all times in relation to processing connected with the main agreement, comply with data protection laws.
Details of the processing of personal data
As required by Article 28(3) GDPR, the information below outlines the details of the personal data processed by the Supplier under the instruction of the Client.
The Supplier shall only process the personal data outlined in the table below for the purposes set out in the Main Agreement between the Supplier and the Client.
The Supplier shall only process personal data in accordance with the Client’s documented instructions, unless the Supplier becomes subject to any law, regulation, government or regulatory body requirement to process personal data in another way, in which case the Supplier shall, to the extent permitted by such law or regulation, inform the Client before processing that personal data.
The Supplier shall retain personal data in line with customer instructions except where any law, regulation, or government or regulatory body requires the Supplier to retain any documents or materials or personal data that the Supplier would otherwise be required to return or destroy. If this arises, the Supplier will notify the Client in writing of that retention requirement, giving details of the documents, materials or personal data that it must retain, the legal basis for retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
The supplier will reasonably assist the client with meeting the client’s compliance obligations under the data protection laws, taking into account the nature of the supplier’s processing and the information available to the supplier, including in relation to data subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the data protection laws.
| Subject matter | Prospective employee, employee or customer of the Client |
| Duration | The Supplier will continue to process any data in accordance with the Client’s instructions or until the Client deletes from Amiqus or the Main Agreement ends, whichever is first – except where a requirement exists to retain data for legal or regulatory purposes. For example, DBS requires records of checks undertaken to be retained for 12 months. Any such data are retained in accordance with this provision shall continue to be subject to the security and confidentiality restrictions contained in this Agreement. |
| Nature and purpose | Pre-employment screening Employee vetting and screening Customer due diligence To meet risk, legal, compliance standards |
| Types of personal data | Names, date of birth, address history, personal e-mail address, telephone number, identification card, professional registration details, National Insurance Number, image of identification documents, employment history, education history, details of qualifications, place of birth, family details. |
| Types of special category personal data | Image of passport Image and video of face Political information |
| Criminal history data | Indicative notice of disclosure Disclosure certificate Client notes about disclosures |
The Supplier shall immediately inform the Client, if in its opinion, an instruction pursuant to the Main Agreement or this agreement infringes data protection laws.
The Client warrants to and undertakes to the Supplier that: (i) it is entitled to disclose the personal data to the Supplier; (ii) it has and will maintain for the term of the Main Agreement a valid lawful basis to process and share the Personal Data with the Supplier; (iii) it will ensure that the Personal Data is accurate and is kept up to date; (iv) all data subjects of the Personal Data have been or will be provided with appropriate privacy notices and information in accordance with Data protection laws; (v) where the legal basis relied on is consent or explicit consent, all consents have been obtained in accordance with Data protection laws to establish and maintain for the relevant term the necessary legal grounds, under Data protection laws for transferring the Personal Data to the Supplier to enable the Supplier to process the personal data in accordance with this Agreement and the Main Agreement.
Liability
The Client acknowledges that the Supplier is reliant on the Client for direction as to the extent to which it is entitled to use and process the personal data. Consequently, the supplier will not be liable for any claim arising from any action or omission by the Supplier to the extent that such action or omission resulted from the Client’s express instructions. The liability provisions in the Main Agreement shall apply to this agreement. Nothing in this Agreement shall exclude or limit any party’s liability which cannot legally be limited or excluded by applicable laws.
Processor Personnel
The Supplier shall treat all personal data as strictly confidential and shall inform all its employees, agents, contractors and/or authorised sub-processors engaged in processing the personal data of the confidential nature of such Personal Data.
The Supplier shall take reasonable steps to ensure the reliability, integrity, and trustworthiness of any employee, agent, contractor and/or authorised sub-processor who may have access to the personal data, ensuring in each case that access is limited to those persons or parties who need to access the relevant personal data, as necessary for the purposes set out above in the context of that person’s or party’s duties to the supplier.
The Supplier shall ensure that all such persons or parties involved in the processing of personal data are subject to:
- confidentiality undertakings or are under an appropriate statutory obligation of confidentiality;
- have undertaken training on the data protection laws relating to handling personal data and how it applies to their particular duties;
- are aware both of the Client’s duties and their personal duties and obligations under the data protection laws and this agreement; and
- user authentication processes when accessing the personal data.
Security
The Supplier shall implement appropriate technical and organisational measures to ensure a level of security of the personal data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
More information about Amiqus’ commitment to security can be found here.
Sub-processing
Authorised sub-processors
Entity name Subprocessing activities Amazon Web Services UK Ltd Cloud computing platforms for all application infrastructure including; web servers, databases, and DNS. Disclosure and Barring Service Obtain details of convictions and conditional cautions for provision of Amiqus’ Disclosure Checks. Disclosure Scotland Obtain details of convictions and conditional cautions for provision of the Amiqus’ Disclosure Scotland Level 1 and Level 2 checks. AccessNI Obtain details of convictions and conditional cautions for provision of Amiqus’ AccessNI Disclosure Checks. Equifax Ltd QCB1 AML/EWC services, provision of Amiqus’ identity checks. GoCardless Ltd Outsourced payment management. Hedd Higher Education verification services. HubSpot, Inc Marketing automation and customer relation management. IVSX UK Ltd
(trading as ComplyAdvantage)
Obtain global sanctions, politically exposed persons and adverse media data for the provision of Amiqus’ PEPs & Sanctions and Adverse Media checks. Entrust Corporation (formerly Onfido Ltd) Document verification services, provision of Amiqus’ Photo ID check. Stripe, Inc Outsourced payment management. TransUnion Information Group Ltd (formerly CallCredit) CallValidate and CallReport services, provision of Amiqus’ Identity and Adverse Credit checks. Zendesk, Inc Online ticketing and customer support services. TrueLayer Limited Open banking platform, provision of Amiqus’ Banking information check.
This check type is used for the collection and processing of financial information. Amiqus does not permit storage, processing or transmitting of cardholder and sensitive authentication data.I-Cover Screening Limited International criminal record checks.
International address checks.
International credit search.Appointing sub-processors
The Supplier shall not engage any sub-processor to process personal data other than with the prior specific or general written authorisation of the Client. As at the date of the Main Agreement or (if later) implementation of this agreement, the Client hereby authorises the Supplier to engage those sub-processors set out in the table above (authorised sub-processors) or those specifically outlined in the Contract Schedule or Main Agreement.
Changes to sub-processors
In the case of general written authorisation, the Supplier shall inform the Client of any intended changes concerning the addition or replacement of other processors with 10 working days’ notice, thereby giving the Client the opportunity to object to such changes.
With respect to each Sub-processor, the Supplier shall:
Sub-processor due diligence
Carry out adequate due diligence on each sub-processor to ensure that it is capable of providing the level of protection for the personal data as is required by this agreement including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of data protection laws and this agreement;
Agreement with sub-processors
Include terms in the contract between the Supplier and each sub-processor which contains terms substantially the same as those set out in this agreement, in particular that all sub-processors’ employees handling personal data must be subject to confidentiality obligations and receive training on data protection laws. Sub-processors are required to have in place appropriate technical and organisational data security measures agreement and shall monitor those measures to ensure compliance;
Transfer of personal data outside of the UK and EEA
Insofar as the contract with the sub-processor requires the transfer of personal data outside of the UK and EEA, the Supplier shall ensure that territory has adequacy status to offer adequate protection for the privacy rights of individuals; or incorporate a valid cross-border transfer mechanism under data protection laws to ensure the lawful transfer of personal data.
Sub-processor failure
Remain fully liable to the Client for any failure by each sub-processor to fulfil its obligations in relation to the processing of any personal data.
Data subject rights
The Supplier shall without undue delay, and in any case within two (2) working days, notify the Client if it receives a request from a data subject under any data protection laws in respect of personal data, including requests by a data subject to exercise rights in chapter 3 of GDPR, and shall provide full details of that request.
The Supplier shall cooperate as reasonably requested by the Client to enable the Client to comply with any exercise of rights by a data subject under any data protection laws in respect of personal data and to comply with any assessment, enquiry, notice or investigation under any data protection laws in respect of personal data or the Main Agreement, which shall include:
- the provision of all information reasonably requested by the Client within any reasonable timescale specified by the Client in each case, including full details and copies of the complaint, communication or request and any personal data it holds in relation to a data subject;
- where applicable, providing such assistance as is reasonably requested by the Client to enable the Client to comply with the relevant request within the timescales prescribed by data protection laws; and
- implementing any additional technical and organisational measures as may be reasonably required by the Client to allow the Client to respond effectively to relevant complaints, communications or requests.
Personal data breach management
In the case of a personal data breach, the Supplier shall without undue delay notify the personal data breach to the Client providing sufficient information which allows the Client to meet any obligations to report a personal data breach under data protection laws. Such notification shall as a minimum:
- describe the nature of the personal data breach, the categories and numbers of data subjects concerned, and the categories and numbers of personal data records concerned;
- communicate the name and contact details of the Supplier’s data protection officer or other relevant contact from whom more information may be obtained; and
- describe the measures taken or proposed to be taken to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Supplier co-operation
The Supplier shall fully cooperate with the Client and take such reasonable steps as are directed by the Client to assist in the investigation, mitigation and remediation of each personal data breach, in order to enable the Client to (i) perform a thorough investigation into the personal data breach, (ii) formulate a correct response and to take suitable further steps in respect of the personal data breach in order to meet any requirement under data protection laws.
Public Statement
The parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices for the affected persons. The Supplier shall not inform any third party without first obtaining the Client’s prior written consent, unless notification is required by law to which the Supplier is subject, in which case the Supplier shall to the extent permitted by such law inform the Client of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Client before notifying the personal data breach.
Data protection impact assessments and consultation
The Supplier shall, at the Client’s request, provide reasonable assistance with any data protection impact assessments and any consultations with any supervisory authority of the Client as may be required.
Deletion or return of controller personal data
The Supplier shall promptly and in any event within 90 (ninety) calendar days of the earlier of: (i) cessation of processing of personal data by the Supplier; or (ii) termination of the Main Agreement, at the choice of the Client securely dispose of personal data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires the Supplier to store such personal data or where a requirement exists to retain data for legal or regulatory purposes. For example, DBS requires records of checks undertaken to be retained for 12 months. Any such data are retained in accordance with this provision shall continue to be subject to the security and confidentiality restrictions contained in this Agreement.
Audit rights
The Supplier shall make available to the Client on request all information necessary to demonstrate compliance with this agreement and data protection laws and allow for and contribute to audits, including inspections by the Client or another auditor mandated by the Client of any premises where the processing of personal data takes place.
The Supplier shall permit the Client or another auditor mandated by the Client during normal working hours and on reasonable prior notice to inspect, audit and copy any relevant records, processes and systems in order that the Client may satisfy itself that the provisions of data protection laws and this agreement are being complied with.
The Supplier shall provide full cooperation to the Client in respect of any such audit and shall at the request of the Client, provide evidence of compliance with its obligations under this agreement and data protection laws.
International transfers of controller personal data
The Supplier shall not (permanently or temporarily) process the personal data nor permit any authorised sub-processor to (permanently or temporarily) process the personal data in a country outside of the UK and EEA without an adequate level of protection, other than in respect of those recipients in such countries listed in the Contract Schedule (Authorised Transfers of Personal Data), unless authorised in writing by the Client in advance.