STANDARD TERMS AND CONDITIONS FOR THE PROVISION OF ITS SCREENING AND FACT CHECKING SERVICES TO ITS CLIENTS AND CUSTOMERS (FOR THE PURPOSES OF THESE TERMS A ‘CUSTOMER’)
- In these Terms, the following expressions have the following meanings:
||means all applicable statutes, common law, statutory instruments, orders, regulatory policies, binding codes of practice, binding guidance notes, bye-laws, rules of court and regulations, directives, notices or legally enforceable requirements of any local, statutory, governing or public authority or body, or any other lawfully constituted regulatory body having authority (including EU regulations, directives, decisions and notices) and all subordinate or delegated legislation made by such bodies or under such legislation.
||means the potential job applicants or employees of Customer in respect of which the Services will be provided.
||means information Customer and Verifile obtain from Applicants.
||means the Bribery Act 2010 and all other applicable UK legislation, statutory instruments and regulations in relation to bribery or corruption and any similar or equivalent legislation in any other relevant jurisdiction.
||means any day except Saturday, Sunday, bank or public holidays and the period 25th December – 31st December in any calendar year.
||means any charges payable, in accordance with Clause 4, in respect of any services, such charges to be as published by Verifile on its Website or as agreed in writing between Verifile and the Customer.
||means account numbers, identification codes and passwords (including User ID) provided by Verifile to Customer and used by Customer to access the Services.
||means the date that the Customer creates its online account with Verifile and in doing so, accepts these Terms.
||means any information relating to a party or the business, prospective business, technical processes, computer software (both source code and object code), intellectual property rights or finances of a party, or compilations of two or more items of such information whether or not each individual item is itself confidential, coming into the possession of the other party by virtue or in anticipation of these Terms, and which the disclosing party regards, or could reasonably be expected to regard, as confidential, whether or not such information is reduced to a tangible form or marked in writing as “confidential”, and any and all information which has been or may be derived or obtained from such information.
||has the meaning given to that term in Data Protection Legislation.
|“Customer Created IPR”
||means IPR created by Verifile for the Customer’s use pursuant to provision of the Services including but not limited to Applicant Information and Information.
||means the Intellectual Property Rights owned by or licensed to Customer and/or its Related Persons and which are or have been developed independently of the relationship between the parties (whether prior to the Commencement Date or otherwise).
|“Data Protection Legislation”
||any legislation in force from time to time relating to the protection of personal data of individuals including (without limitation) any legislation which implements Directive 95/46/EC or Directive 2002/58/EC of the European Community (including the UK Data Protection Act 2018, the Privacy and Electronic Communication (EC Directive) Regulations 2003 or such other legislation that amends, supersedes, updates or replaces it from time to time (including the GDPR), whether or not such legislation is in force at the date of these Terms) together with all Applicable Law in any jurisdiction relating to the processing or protection of personal data and privacy.
||has the meaning given to that term in Data Protection Legislation.
|“Description of Processing”
||means the description and other particulars of Personal Data Processed by Verifile (and/or Processed on behalf of Verifile or Verifile Related Persons) for which Company is a Controller which are set out at the Schedule as such Schedule may be amended in writing between the parties.
||means General Data Protection Regulation (EU) 2016/679 as implemented by the Data Protection Act 2018
||means, in relation to either party, each and any subsidiary or holding company of that party and each and any subsidiary of a holding company of that party.
||means the results, reports and the data provided by Verifile to Customer.
|“Intellectual Property Rights or IPR”
||means copyright, patents, know-how, trade secrets, trademarks, trade names, design rights, rights in get-up, rights in goodwill, rights in confidential information, rights to sue for passing off, domain names and all similar rights and, in each case:
(a) whether registered or not
(b) including any applications to protect or register such rights;
(c) including all renewals and extensions of such rights or applications;
(d) whether vested, contingent or future;
(e) to which the relevant party is or may be entitled, and
(f) in whichever part of the world existing.
||has the meaning given to that term in Data Protection Legislation.
|“Processor, Process or Processing”
||has the meaning given to that term in Data Protection Legislation.
||means a member of the Verifile Group or Customer Group (as applicable) and their employees, officers, shareholders, affiliates, representatives, agents, consultants, contractors, suppliers and advisers
||means any economic or trade sanctions or restrictive measures enacted, administered, imposed or enforced by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the U.S. Department of State, the United Nations Security Council, and/or the European Union, and/or the French Republic, and/or Her Majesty’s Treasury, or any other relevant sanctions authority.
||means the CV verification and background check services provided by Verifile to Customer, as published by Verifile on its Website from time to time, or as requested by the Customer and provided by Verifile from time to time.
||means the individual identification provided by Verifile to each individual employee of Customer using the Services for the purposes of their work with Customer.
|“Verifile Created IPR”
||means IPR created by Verifile in the course of providing the Services including but not limited to software, algorithms, databases, know-how, techniques, systems and processes.
||means the Intellectual Property Rights which are used in connection with the delivery of the Services and are owned by or licensed to Verifile and are, or have been, developed independently of these Terms (whether prior to the Commencement Date or otherwise) and Verifile Created IPR.
|“Verifile Processing Activities”
|means all Processing of Personal Data performed by Verifile and/or Verifile Related Persons (and/or on behalf of Verifile or Verifile Related Persons acting as Sub-Contractors) on behalf of Customer in the course of providing the Services to Customer and carrying out the obligations under these Terms.
||means www.verifile.co.uk or such other website through which the Services are provided.
- Unless the context otherwise requires:
- The headings used in these Terms are for convenience only and do not affect the interpretation of these Terms;
- references to ‘writing’ or ‘written’ include any method of reproducing word in a legible and non-transitory form including email and any other means of electronic communication;
- a reference to a ‘person’ includes a natural person, corporate or unincorporated body (in each case whether or not having separate legal personality) and that person’s personal representatives, successors and permitted assigns; and
- References to legislation include any modification or re-enactment thereof including, as a result of the United Kingdom’s withdrawal from the European Union by virtue of Article 50 of the Treaty of the European Union.
2.2.These terms contain clauses which shall apply from the Commencement Date and shall continue to apply, whether the Customer has requested Services or continues to request Services, until either (i) the relationship of the parties is terminated in accordance with Clause 12.1 (save for any such provisions that are stated to apply following termination) or (ii) until they are changed in accordance with Clause 2.1.
3. THE SERVICES
- Verifile will provide the Services in accordance with any service description and in accordance with any standard time scales set out on the Website, from time to time (provided always that any time scales are a guide and Verifile will use all reasonable endeavours to comply with them but may not always be able to do so as they reflect the response time of the third parties Verifile contacts in the course of providing the Services.
- Verifile may suspend the provision of any Service(s) at any time if the Information needed to provide the Service(s) is not provided by the data providers or Sub Contractors for reasons outside of the control of Verifile or provision of the Service(s) is no longer permitted due to changes in Applicable Law.
4. PAYING CHARGES
- Verifile will invoice in respect of the Charges at the end of each calendar month after the Commencement Date
- Customer will, within 30 (thirty) calendar days of receipt of Verifile’s invoice, pay the amount of the invoice to Verifile’s bank account, details of which have been provided by Verifile to Customer. Verifile prefers the Customer to set up a direct debit and where instances occur regarding continuous late payment, Verifile reserves the right to require the Customer to set up a direct debit or cease to carry out any further Services. Payment may be made by credit card but may incur an additional processing fee.
- If Customer fails to pay the Charges when due, Verifile reserves the right to charge interest on the amount owed pursuant to the Late Payment of Commercial Debts (Interest) Act 1998.This will not prejudice any other action available to Verifile.
- The Charges do not include Value Added Tax (VAT) or any other similar charge which will be charged to and paid for by Customer, where applicable, in addition to the Charges at the prevailing rate from time to time.
5. USE OF INFORMATION
- Customer undertakes not, for a period from the Commencement Date and until 1 (one) year after termination of any relationship between the parties, whether alone or in concert with or for or on behalf of any other person, to do either of the following:
- solicit the custom of any client of Verifile in respect of similar goods or services to those provided by Verifile; or
- solicit or employ staff employed by Verifile during the term of the relationship between the parties except that Customer may solicit or employ staff who are made redundant or dismissed by Verifile or who have been employed by a third party subsequent to being employed by Verifile.
- Each undertaking contained in this Clause 5 shall be construed as a separate undertaking and if one or more of the undertakings or part thereof is held to be void or unlawful or in any way unenforceable, such undertaking or part thereof shall to that extent be disregarded and deemed not to form part of these Terms and the remaining undertakings shall continue to bind Customer.
- The restrictions contained in this Clause 5 are considered reasonable by the parties and Customer acknowledges that the provisions of this Clause 5 are reasonably necessary for the protection of the legitimate interests of Verifile.
- Customer agrees to follow any reasonable rules and guidelines that apply to the way in which Verifile provides the Services from time to time provided such rules and guidelines have been provided to Customer via the Website. Verifile will maintain appropriate technical and organisational security measures and procedures to prevent Customer’s Client ID being accidentally given to or used by unauthorised people.
- Verifile will provide to each user an individual identification, referred to as 'User ID'. Customer will ensure that only the person to whom it is issued uses the User ID and will ensure that the User ID is not transferred to or used by others.
- The Customer is responsible for keeping its Client ID secure. Verifile will not be responsible for any losses arising from anyone using the Client ID issued to Customer, whether authorised by Customer or not unless Verifile is responsible for the breach of the Client ID. Verifile reserves the right to provide a new Client ID at any time. Any new Client ID will apply 24 (twenty-four) hours after Verifile provides the new Client ID.
- Customer agrees that it will:
- maintain appropriate technical and organisational security measures and procedures to prevent its Client ID being accidentally given to or used by unauthorised people;
- tell Verifile as soon as it becomes aware that any third party has found out or used the Client ID, or if any equipment Customer uses to access the Services is stolen; and
- be responsible for any charges connected to the reissuing of Client ID unless Verifile is responsible for the Client ID being used by unauthorised people.
- Verifile may cancel or suspend Customer’s use of the Client ID if:
- Customer fails to comply with any of its security obligations pursuant to Clause 6; or
- Verifile is advised or becomes aware, of any unauthorised or improper use of Customer’s Client ID (either by Customer or by any third party), or that any equipment Customer uses to access the Services is stolen.
- Verifile undertakes to issue Customer with a new Client ID as soon as possible provided that Customer is not in breach of the provisions of these Terms.
Verifile shall have in place contracts of insurance with reputable insurers incorporated in the United Kingdom to cover its obligations under these Terms at its own cost.
- Verifile shall use all reasonable skill and care to provide the Services.
- Customer acknowledges that the Information is based on information held by third parties. Verifile cannot control or guarantee the accuracy of such information, which may also contain advice or opinions of third parties. Verifile undertakes that it will provide accurately to Customer all information that it does receive from third parties.
- Verifile will not be liable to Customer for indirect loss, loss of profit, loss of data, loss of business or loss of business use as a result of Verifile’s negligence or breach of these terms or other liability or obligation.
- Subject to clause 8.3 Verifile’s total liability to Customer in any 12 month period for all claims for negligence, breach of contract, or another liability or obligation is limited to £500 or the Charges paid by Customer in that period, whichever is the lesser.
- To the extent permitted by law, Verifile excludes all representations, guarantees or conditions that:
- the Services or the Information (or both) are fit for a particular purpose, or
- the Services or Information (or both) will meet Customer’s requirements.
- Nothing contained in these Terms will operate to exclude or limit Verifile’s liability for death or personal injury arising out of Verifile’s negligence or willful misconduct.
9. INTELLECTUAL PROPERTY
- Verifile is the absolute, legal and beneficial owner of Verifile IPR. All IPR in Verifile IPR shall, at all times, be and remain the exclusive property of Verifile or its third-party licensors.
- Customer is the absolute, legal and beneficial owner of the Customer IPR and Customer Created IPR. All IPR in the Customer IPR and Customer Created IPR shall, at all times, be and remain the exclusive property of Customer or its third-party licensors.
- Verifile grants Customer a royalty-free non-exclusive licence to use its name and logo on all of its recruitment publications to deter misleading Applicants from applying for vacancies, for so long as and provided that Verifile is providing the Service(s) to Customer.
- Customer grants Verifile a royalty non-exclusive licence to use its name and logo on Verifile’s website until either such licence is revoked in writing by the Customer or until this relationship of the parties is termination pursuant to clause 12..
- Each party shall protect, and shall procure that its Related Persons shall protect the Confidential Information of the other party using at least the same degree of care as it takes to preserve and safeguard its own Confidential Information of a similar nature and in any event at least a reasonable degree of care.
- Confidential Information may be disclosed by the receiving party to its Related Persons, provided that the recipient is bound in writing to maintain the confidentiality of the Confidential Information received.
- The obligations set out in this clause 10 shall not apply to Confidential Information which the receiving party can demonstrate:
- is or has become publicly known other than through breach of this clause 10; or
- was in possession of the receiving party prior to disclosure by the other party; or
- was received by the receiving party from an independent third party who has full right to disclosure; or
- was independently developed by the receiving party; or
- was required to be disclosed by a governmental authority, stock exchange or regulatory body, provided that the party subject to such requirement to disclose gives the other party prompt written notice of the requirement.
- The obligations of confidentiality in this clause 10 shall not be affected by the expiry or termination of these Terms.
- Each party undertakes not to use the Confidential Information for any purpose except in the ordinary course of its business and as authorised by these Terms.
11. CUSTOMER OBLIGATIONS
- At Customer’s cost and expense, Customer agrees to co-operate with Verifile and provide Verifile such information and assistance as may be required in order for Verifile to perform its obligations in relation to the Services.
- Where Customer requests Verifile to supply Information which Verifile sources from the UK’s Disclosure & Barring Service (“DBS”), Disclosure Scotland (“DS”) and/or AccessNI (“ANI”), Customer warrants and undertakes that it will:
- observe and fully comply with the DBS / DS / ANI Code of Practice;
- only request the standard, enhanced or PVG checks for roles that meet the appropriate legislation;
- make all Applicants aware of the DBS / DS / ANI Code of Practice at the start of the recruitment process and make a copy available to any Applicant on request;
- have a satisfactory written policy on the recruitment of ex-offenders and issue a copy of that policy to all Applicants at the start of the recruitment process;
- include a statement on its application forms or accompanying documentation that DBS / DS / ANI information on the Applicant will be requested in the event of the Applicant being offered a position;
- include a statement on its application forms or accompanying documentation that a criminal record will not necessarily be a bar to obtaining a position;
- have a written policy on the secure storage, handling, retention and disposal of information which Verifile sources from the DBS / DS / ANI;
- ensure that identity validation of Applicants is undertaken in accordance with DBS / DS / ANI guidelines;
- confirm that Verifile plays no part in the recruitment decision;
- permit Verifile to carry out audits and/or assurance visits to ensure that the Customer is complying fully with the terms of these Terms and the DBS / DS / ANI Code of Practice.
- Either party may give notice to the other at any time that it no longer wishes to provide or receive Services (as the case may be) and that it wishes to end the relationship it has with the other.
- Terminating the relationship between the parties will not affect:
- any rights accrued to either party prior to termination; or
- any part of these Terms that will continue to apply notwithstanding termination.
- Upon termination of the relationship, both parties agree to return to the other all Confidential Information and all copies of it. In the event that copies cannot be returned, they will be destroyed, and certification of destruction will be provided to the owner of the Confidential Information.
13. LEGAL COMPLIANCE
- Each Party shall all times with and shall procure that its Related Persons at all times comply with, all Applicable Laws in the performance of its obligations under these Terms.
- Each Party shall not do or permit anything to be done which might cause or otherwise result in a breach of Applicable Law by the other Party and/or its Related Persons.
- For the purposes of this clause 14 the expressions 'adequate procedures' and 'associated with' shall be construed in accordance with the Bribery Act 2010 and legislation or guidance published under it.
- Each party shall comply with applicable Bribery Laws including ensuring that it has in place adequate procedures to prevent bribery and use all reasonable endeavours to ensure that:
- all of that party’s personnel;
- all others associated with that party; and
- all of that party’s sub-contractors;
involved in performing the obligations under these Terms so comply.
- Without limitation to clause14.2, neither party shall make or receive any bribe (as defined in the Bribery Act 2010) or other improper payment, or allow any such to be made or received on its behalf, either in the United Kingdom or elsewhere, and shall implement and maintain adequate procedures to ensure that such bribes or payments are not made or received directly or indirectly on its behalf.
- Each party shall immediately notify the other as soon as it becomes aware of a breach or possible breach of any of the requirements in this clause 14.
Verifile undertakes, warrants and represents that:
- neither Verifile nor any of its Related Persons has:
- committed an offence under the Modern Slavery Act 2015 (an “MSA Offence”); or
- been notified that it is subject to an investigation relating to an alleged MSA Offence or prosecution under the Modern Slavery Act 2015; or
15. MODERN SLAVERY
- is aware if any circumstances within its supply chain that could give rise to an investigation relating to an alleged MSA Offence or prosecution under the Modern Slavery Act 2015;
- it shall comply with the Modern Slavery Act 2015; and
- it shall notify the Customer immediately in writing if it becomes aware or has reason to believe that it, or any of its Related Persons have breached or potentially breached any of its obligations under Clause15. Such notice to set out full details of the circumstances concerning the breach or potential breach of Verifile’s obligations.
16. SANCTIONS COMPLIANCE
Verifile warrants and represents that it and each of its Subcontractors and Related Persons, direct or indirect beneficial owners or shareholders, and/or any other person acting on behalf of Verifile, is not, or is not owned or controlled by an individual or entity that are:
- the target of any Sanctions (a “Sanctioned Person”); or
- located, organised or resident in a country or territory that is, or whose government is, the subject of Sanctions broadly prohibiting dealings with such government, country, or territory (a “Sanctioned Country”).
- Any breach by Supplier of this Clause 16 (Sanctions Compliance) shall be deemed to be a material breach of these Terms not capable of remedy.
17. DATA PROTECTION
- Each Party shall be responsible for its own compliance obligations imposed by the Data Protection Legislation.
- The Parties acknowledge that they have agreed that Verifile shall act as Customer’s Processor in respect of all Processing of Personal Data pursuant to the provision of the Services under these Terms and in respect of the Verifile Processing Activities and Customer shall act as Controller in respect of Personal Data Processed by Verifile. If this analysis subsequently is determined by a competent body in a manner inconsistent with this view, this clause shall not apply.
- Processing and Transfer of Data – Article 28(3)(a) GDPR (unless stated otherwise)
Subject to clause 17.1 above, in respect of any Personal Data which Verifile Processes as a Processor in relation to the Services, and in respect of all Verifile Processing Activities, Verifile shall (and shall procure that all Verifile Related Persons shall):
- or is likely to breach any Data Protection Legislation. only process that Personal Data for the purposes of supplying the Services (except to the extent the laws of the European Union or of any of its member states require Verifile to do otherwise) and at all times in accordance with Customer’s documented instructions from time to time and the Description of Processing;
- not transfer, or otherwise directly or indirectly disclose or make available, any Personal Data to (or access those data from) any location outside the European Economic Area (“EEA”) except where one or more of the following applies:
- the Processor has in place with the non-EEA receiving entity the EU model contractual clauses as set out in Decision 2010/87/EU or any alternative version of those clauses issued by the European Commission or a supervisory authority from time to time;
- the transfer is to a non-EEA country that is deemed to have an adequate level of protection from time to time by the European Commission or such other supervisory authority;
- there is an approved code of conduct in place by an association or other body representing the Controller or Processor that applies to the non-EEA territory or territories to which the Personal Data is to be transferred;
- there is an approved certification mechanism in place in respect of the non-EEA territory;
- to the extent that the transfer is to an entity located in the United States, such entity participates in the EU-US Privacy Shield or such other mechanism that may replace or supersede it from time to time;
- the Data Subject has provided their prior written explicit consent, which shall be obtained by Customer, either directly or indirectly (through Verifile) in an appropriate form and include all information as required by Article 49(1)(a) of the GDPR. The Customer shall ensure it has in place robust mechanisms and systems to be able to demonstrate and evidence such explicit consent through the provision of a data protection declaration signed by the Data Subject and containing a declaration to that effect (“Data Protection Declaration”). In the event that a Data Subject: (i) withdraws their explicit consent by informing Customer, Customer will notify Verifile in writing immediately, providing details of the nature, scope and extent of the explicit consent withdrawal; or (ii) withdraws their explicit consent by informing Verifile, Verifile will notify Customer immediately, and Verifile’s cessation of the processing of such Data Subject’s Personal Data and/or supply of Services shall not be a breach of these Terms.
- the transfer is necessary for the performance of a contract between the Data Subject and Customer or the implementation of pre-contractual measures taken at the Data Subject’s request (Article 49(1)((b)); or
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between Customer and another natural or legal person (Article 49(1)(c)).
- on the formal termination of the relationship between the parties or on the request of the Customer, at Customer’s option either return all of the Personal Data and Confidential Information (and copies of it) or securely dispose of the Personal Data and Confidential Information except to the extent that any applicable law or Customer requires Verifile to store such Personal Data (Article 28(3)(g) GDPR); and
- comply with all Data Protection Legislation imposed on Verifile as Processor that is relevant to the processing of Personal Data under the provision of the Services to Customer. Verifile shall inform Customer in writing if, in Verifile’s opinion, any instruction provided by Customer in relation to the Processing of Personal Data will or is likely to breach any Data Protection Legislation.
Verifile Personnel – Article 28(3)(b) GDPR
Subject to clause 17.1 above, in respect of any Personal Data which Verifile Processes as a Processor in relation to the Services, and in respect of all Verifile Processing Activities, Verifile shall (and shall procure that all Verifile Personnel shall):
- ensure that access to the Personal Data is limited to those of the Verifile Personnel or Sub-Contractors who need access to them to supply the Services and only in accordance with the terms and conditions of these Terms (Article 28(3)(b) GDPR);
- ensure that all Verifile Personnel and Sub-Contractors are informed of the confidential nature of the Personal Data and are always subject to enforceable obligations of confidentiality by Verifile in relation to Personal Data (Article 28(3)(b) GDPR);
- ensure that all Verifile Personnel and Sub-Contractors are assessed by Verifile to ensure their reliability (Article 28(3)(b) GDPR).
- Sub-Contractors – Article 28(2) and Article 28(3)(d) GDPR unless stated otherwise
- Description of Processing – Article 28(1) GDPR
Customer shall regularly review and maintain the Description of Processing to ensure that it is up to date at all times and that it accurately and fully reflects Customer’s instructions and Processing of Personal Data in relation to all Services. Customer shall, following any change to the Description of Processing, provide such amended version (“Revised Description”) to Verifile in writing. Following the provision of such amended version to Verifile, the Description of Processing shall be deemed replaced with the Revised Description and these Terms shall be deemed amended accordingly. For the avoidance of doubt, if the nature of the Processing under these Terms changes in such a way as to change the scope of the Services the costs for the Services shall change accordingly.
- Security - Technical and Organisational Measures - Article 28(3)(c) and Article 32 GDPR
Taking into account the state of technical development and the nature of processing, Verifile shall implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration or damage and unauthorised disclosure, access, use, removal, copying, modification or other misuse.
- Data Subject Rights - Articles 28(3)(e) and 33 GDPR
- Subject to clause 17.1 above, in respect of any Personal Data which Verifile Processes as a Processor in relation to the Services, and in respect of all Verifile Processing Activities, Verifile shall (and shall procure that all Verifile Personnel shall) notify Customer without undue delay in writing of any notices received by it from Data Subjects or any competent supervisory authority relating to the Processing of Personal Data, including any requests, complaints or correspondence and provide such information, co-operation and assistance as Customer may require in relation to such notices (at Customer’s cost) including in connection with any approval of any supervisory authority to any Processing of Personal Data, or any request, action, notice or investigation by such supervisory authority. For the avoidance of doubt, in no event shall Verifile or any of Verifile Personnel respond directly to any such notices without Customer’s prior written consent unless and to the extent required by law.
- Verifile shall, taking into account the nature of the processing, assist Customer (by appropriate technical and organisational measures and at Customer’s cost where such measures fall outside the scope of the Services), insofar as this is possible, in relation to any request from any Data Subject for access, rectification or erasure of Personal Data or any objection to processing.
- Data Security, Breach Reporting and DPIAs – Article 28(3)(f) GDPR, Article 32, Article 33, Article 35 and Article 36 GDPR
- Verifile shall notify Customer without undue delay and in writing if any Personal Data has been disclosed in breach of these Terms (Article 33 GDPR).
- Verifile shall notify Customer without undue delay if it becomes aware of a breach of security of Personal Data, such notices shall include full and complete details relating to such breach (Article 33(2) GDPR).
- Verifile shall provide such assistance (at Customer’s cost) as Customer may reasonably require in relation to (a) the need to undertake a data protection impact assessment as such term is defined in the Data Protection Legislation in accordance with Data Protection Legislation and (b) any approval of the Information Commissioner’s Office or other data protection supervisory authority to any processing of Personal Data (Articles 35 and 36 GDPR).
- Verifile undertakes to not take any steps in relation to a data breach, including but not limited to contacting any Data Subject, except in accordance with clause 17.9.
- Audit – Article 28(3)(h) GDPR
- At Customer’s cost (including without limitation for any fees charged by any auditor appointed by Customer to execute any such audit), Verifile shall allow for an audit (no more than once per annum, unless and to the extent additional audits are required by the Information Commissioner’s Office or other relevant supervisory authority) by Customer and any auditors appointed by it in order for Verifile to demonstrate its compliance with Verifile’s compliance with the Data Protection Legislation. For the purposes of such audit, upon reasonable notice, Verifile shall make available to Customer and any appointed auditors all information that Customer deems necessary (acting reasonably) to demonstrate Verifile’s compliance with the Data Protection Legislation. If access is required to Verifile’s premises, such access shall be subject to compliance with Verifile’s relevant policies.
- In Verifile’s reasonable opinion, to the extent that it believes that any instruction received by it in accordance with the audit clause is likely to infringe Data Protection Legislation or any other applicable law, Verifile shall promptly inform Customer and shall be entitled to withhold its permission for such audit and/or perform the relevant obligations under these Terms until Customer amends its instruction so as not to be infringing.
- With respect to Customer’s rights under clause 17.10.1:
- Customer must provide at least thirty Business Days prior written notice of its need to conduct an audit (unless a shorter timeframe is mandated by Customer’s competent supervisory authority), and the parties shall mutually cooperate in good faith to establish an audit date. Verifile will contribute to such audits by providing Customer or Customer’s competent supervisory authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of processing activities applicable to the Services.
- If a third party is to conduct the audit, Verifile may object to the auditor if the auditor is, in Verifile’s reasonable opinion, not suitably qualified or independent, a competitor of Verifile, or otherwise manifestly unsuitable. Such objection by Verifile will require Customer to appoint another auditor or conduct the audit itself.
- The audit be conducted during regular business hours at the applicable facility and in accordance with Verifile’s health and safety policies, and may not unreasonably interfere with Verifile’s business activities.
- Customer will notify Verifile of any non-compliance discovered during the course of an audit and provide Verifile any audit reports generated in connection with any audit under this Clause, unless prohibited by the GDPR, other applicable Data Protection Legislation or otherwise instructed by a competent supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of these Terms. The audit reports are Confidential Information of the parties under these Terms.
- Customer’s Obligations
- The obligations and rights of Customer as the applicable Controller of the Personal Data processed in accordance with these Terms and with Data Protection Legislation. The Customer shall ensure that all instructions it issues to Verifile comply with Data Protection Legislation. For the avoidance of doubt, Customer shall be solely responsible for determining the legal basis and conditions for the processing of Personal Data under these Terms and shall make available to Verifile all information reasonably necessary to demonstrate compliance with its obligations in this clause. The Customer shall indemnify Verifile against all liabilities arising out of or in connection with any breach by Customer of any of the terms of this clause, including all amounts paid or payable by Verifile or any of its Related Persons to a third party which would not have been paid or payable if the Customer’s breach of these Terms had not occurred.
- To the extent permitted by law, Verifile accepts no liability for any inaccurate Information provided to Customer as part of the Services to the extent such inaccuracy comes from incorrect data provided by Customer, the Data Subjects or any of Verifile’s sources which are not sub-processors for the purpose of the GDPR. Verifile further excludes, to the extent permitted by law, all representations, guarantees or conditions that the Services or the Information (or both) are fit for a particular purpose or will meet the Customer’s requirements.
- Verifile acknowledges that Customer Related Persons may receive and Process Personal Data relating to Verifile Personnel in connection with Verifile’s performance and Customer’s and Verifile’s, administration or management of these Terms. Verifile acknowledges and agrees that Customer or its Related Persons shall Process such data as part of Customer’s own Processing activities acting as Controller.
Verifile may, with the prior written consent of the Customer (such consent not to be unreasonably withheld or delayed), announce or publicly disclose (whether or not by a press release) any matters concerning the appointment of Verifile to deliver Services to the Customer or any case studies arising from the Services.
19. FORCE MAJEURE
- If either party cannot carry out its obligations because of events beyond their control for a period of at least 30 days, the party that cannot perform its obligations will notify the other party as soon as it is practical to do so. The defaulting party’s obligations will be suspended immediately and it must do all it can to rectify the situation as soon as possible.
- Events beyond the control of either party include the following acts or circumstances which neither party can prevent including but not limited to acts of God, strikes, lockouts or other industrial disturbances; wars, blockades, riots, epidemics, landslides, lightning, earthquakes, fires, storms, civil disturbances and terrorism; governmental regulations and directions.
- Verifile will use all reasonable endeavours to continue to provide the Services but in the event that it is prevented from doing so unused Services can be deferred until such time as Verifile is able to resume performance of the Services.
- If either party cannot carry out its obligations due to events beyond its control for a period of more than 180 (one hundred and eighty) days the other party will be entitled to terminate its obligations under these Terms immediately upon written notice.
20. TRANSFERRING RIGHTS
The rights granted by virtue of these Terms are personal. Neither party can transfer or grant any of these rights to anyone else without the permission, in writing, of the other. This permission must not be unreasonably withheld or delayed.
If either party fails to exercise any right or solution available under these Terms any failure or delay will not prevent either party from relying on those rights or solutions in the future.
If a court finds any part of these Terms to be invalid, it will be deleted and the rest of these Terms will stay in full force.
Both parties agree that these Terms will be governed by English law. The courts of England will have the exclusive jurisdiction to settle any disagreement that may arise out of, under, or in connection with these Terms.
- Verifile shall use such addresses as are provided as part of the online registration process for the purposes of any notices to the Customer. The Customer shall use the following for the purposes of any notices to Verifile.
|Address: Verifile Limited, 5 Franklin Court, Stannard Way, Priory Business Park, Bedford, MK44 3JZ
|E-mail: privacy @verifile.co.uk (Privacy matters)
|firstname.lastname@example.org (Operational and Service Issues)
|email@example.com (Invoicing and Accounts Payable)
25. THIRD-PARTY RIGHTS
Only Customer and Verifile have legal rights under these Terms. Under the Contract (Rights of Third Parties) Act 1999, no-one else will be able to enforce any part of these Terms.
26. DISPUTE AND MEDIATION CLAUSE
Should a dispute arising relating to these Terms or the Services under it, the parties shall attempt to resolve it by discussion between their duly authorised senior management, negotiation, and mediation before legal proceedings are brought.
DESCRIPTION OF PROCESSING – As required by Article 28(3) gdpr
Description of the Processing Activities, including the subject matter, nature and duration of Processing
The Processing of Personal Data is as follows:
The Personal Data shall be processed as necessary for the Verifile to provide the Services (as described on the Website and updated from time to time). Verifile processes the Personal Data using its web-based platform, email servers and where applicable in hard copy format as well. Processing of Personal Data shall take place for the duration of these Terms and as long as is necessary for the delivery of the Services, unless otherwise directed by the Customer.
The Personal Data relate to the following categories of Data Subjects (please specify):
- Individuals about whom Customer requires background checks carried out, or references obtained, for the Customer’s business purposes.
Purposes of the Processing
The Processing is necessary for the following purposes (please specify):
- Completion of background checks and/or the obtaining of references for the Data Subjects noted above.
Categories/types of Personal Data
The Personal Data Processed fall within the following categories of Personal Data (please specify):
- Personal details of the Data Subject, including name (current and former), date and place of birth, gender or sex, address history, contact information, nationality, fingerprints, photograph, documents to prove identity or address, government issued identity numbers, immigration status;
- Criminal, court, and police records, including barred, and watch lists;
- Financial history, including credit reports, bankruptcy, court records, tax information, salary and income, real estate ownership, shareholding, financial sanctions, bank accounts;
- Employment (including volunteering) and self-employment history, including employer’s name, period, job title, status, location, duties, performance, compensation, disciplinary or sanctions, supervisor, conduct, reason for leaving, opinions about you;
- Education history, including institution’s name, period, status, location, performance, exam results, qualifications awarded, disciplinary or sanctions, supervisor, conduct, opinions about you;
- Gap history, including activities you have undertaken, period, documents to prove these, character referees, opinions about you;
- Professional credentials, designations, licences, memberships, associations, awards, sanctions or reprimands;
- Health information, including results from occupational health assessment, drug test, and GP letter;
- Driving records, including driving licence details and copy, status, points, convictions, sanctions, restrictions, medical history, insurance;
- Media coverage, including social media, politically exposed persons, press articles, press releases, internet activity (e.g. blogs, forums etc.);
- Other public record information;
- Associations to other people and groups including family, and household members, professional, political and others;
- Telephone call recordings;
- Your opinions about your experience with Verifile.
Sensitive Personal Data including special categories of Personal Data and Personal Data relating to actual or alleged criminal offences or convictions (if appropriate)
The Personal Data Processed fall within the following special categories of Personal Data (please specify):
- Health information;
- Biometric information, including fingerprints.
The Personal Data Processed fall within its own category of Personal Data (please specify):
- Relating to criminal convictions and offences;
The obligations and rights of Customer as the Controller of the Personal Data processed in connection with these Terms are set out in these Terms and in Data Protection Legislation.
||STANDARD TERMS AND CONDITIONS FOR THE PROVISION OF SERVICES TO THE CUSTOMER
|Last Review date
||XX April 2019
||XX April 2019
||Eyal Ben Cohen
||Revised and updated version including GDPR compliance. For the previous version click here.