Terms & Conditions
These Terms and Conditions apply from the date the Customer, creates a user account, and who confirms when doing so that the authorised signatory of the Customer has read, understood and agreed to the following:
Parties
1. One Auto API Limited incorporated and registered in England and Wales with company number 13646463 whose registered office is at 3B Swallowfield Courtyard, Wolverhampton Road, Oldbury, B69 2JG (One Auto API); and
2. The party subscribing to services provided by One Auto API under the terms of this agreement (Customer)
Background
(A) One Auto API has developed certain services which it makes available to subscribers via endpoints forming part of its API (application programming interface) on a subscription basis.
(B) The Customer wishes to use One Auto API's services in its business operations.
(C) One Auto API has agreed to provide and the Customer has agreed to take and pay for One Auto API's services subject to the terms and conditions of this agreement.
Agreed Terms
1 Interpretation
1.1 The definitions and rules of interpretation in this clause apply in this agreement.
Applicable Data Protection Laws: means:
a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.
b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which One Auto API is subject, which relates to the protection of personal data.
Authorised Users: those employees, agents and independent contractors of the Customer who are authorised by the Customer under these Terms and Conditions to use the Services and the Documentation.
Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
Confidential Information: information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information in clause 11.1.
Customer Data: the data inputted by the Customer, Authorised Users, or One Auto API on the Customer's behalf for the purpose of using the Services or facilitating the Customer's use of the Services.
Customer Personal Data: any personal data which One Auto API processes in connection with this agreement, in the capacity of a processor on behalf of the Customer.
Documentation: any document or other deliverable available to the Customer by One Auto API online via oneautoapi.com or such other web address notified by One Auto API to the Customer from time to time which sets out a description of the Services and the user instructions for the Services.
Effective Date: the date when One Auto API accepts the Customer’s request for Services.
EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
Heightened Cybersecurity Requirements: any laws, regulations, codes, guidance (from regulatory and advisory bodies), whether mandatory or not, international and national standards, industry schemes and sanctions, which are applicable to either the Customer or an Authorised User relating to security of network and information systems and security breach and incident reporting requirements, which may include the cybersecurity Directive ((EU) 2016/1148), Commission Implementing Regulation ((EU) 2018/151), the Network and Information Systems Regulations 2018 (SI 506/2018), all as amended or updated from time to time.
Normal Business Hours: 9.00 am to 6.00 pm local UK time, each Business Day.
One Auto API Personal Data: any personal data which One Auto API processes in connection with this agreement, in the capacity of a controller.
Purpose: the purposes for which the personal data is processed as part of or in connection with the Services provided to the Customer by One Auto API under the terms of this agreement.
Services: the subscription services provided by One Auto API to the Customer under this agreement via oneautoapi.com or any other website notified to the Customer by One Auto API from time to time, as more particularly described in the Documentation.
Software: the online software applications and functions provided by One Auto API as part of the Services.
Subscription Fees: the subscription fees payable by the Customer to One Auto API for the User Subscriptions, as set out on oneautoapi.com.
Subscription Term: the term of this Agreement, from the date these terms are accepted by the Customer to the date the Agreement is terminated whether in accordance with clause 14 or otherwise.
Supplier Personal Data: any personal data which is provided to One Auto API from a supplier of services to One Auto API, and which that supplier processes in connection with this agreement, in the capacity of a controller.
Support Services: consulting, advisory or other support services supplied by One Auto API.
UK GDPR: has the meaning given to it in the Data Protection Act 2018.
User Subscriptions: the user subscriptions purchased by the Customer pursuant to clause 9.1 which entitle Authorised Users to access and use the Services and the Documentation in accordance with this agreement.
Virus: any thing or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, trojan horses, viruses and other similar things or devices.
Vulnerability: a weakness in the computational logic (for example, code) found in software and hardware components that when exploited, results in a negative impact to the confidentiality, integrity, or availability, and the term Vulnerabilities shall be interpreted accordingly.
1.2 Clause and paragraph headings shall not affect the interpretation of this agreement.
1.3 A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality) and that person's legal and personal representatives, successors or permitted assigns.
1.4 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.5 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
1.6 Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.
1.7 A reference to a statute or statutory provision is a reference to it as it is in force as at the date of this agreement.
1.8 A reference to a statute or statutory provision shall include all subordinate legislation made as at the date of this agreement under that statute or statutory provision.
1.9 A reference to writing or written includes email.
1.10 References to clauses are to the clauses of this agreement.
2 User subscriptions
2.1 Subject to the Customer purchasing the User Subscriptions in accordance with clause 9.1, the restrictions set out in this clause 2 and the other terms and conditions of this agreement, One Auto API hereby grants to the Customer a non-exclusive, non-transferable right and licence, to permit Authorised Users to use the Services and the Documentation during the Subscription Term for the Customer's business operations.
2.2 In relation to the Authorised Users, the Customer undertakes that:
a. it shall permit One Auto API or it's designated auditor to audit the Services in order to establish each Authorised User and the Customer's data processing facilities to audit compliance with this agreement. Each such audit may be conducted no more than once per quarter, at One Auto API's expense, and this right shall be exercised with reasonable prior notice, in such a manner as not to substantially interfere with the Customer's normal conduct of business; and
b. if any of the audits referred to in Clause 2.2(a) reveal that the User Subscription has been used by someone other than as permitted under this agreement, then without prejudice to One Auto API's other rights, One Auto API shall promptly disable the Customer’s access to the Services without liability to the Customer.
2.3 The Customer shall not access, store, distribute or transmit any Viruses, or any material during the course of its use of the Services that:
a. is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive;
b. facilitates illegal activity;
c. depicts sexually explicit images;
d. promotes unlawful violence;
e. is discriminatory based on race, gender, colour, religious belief, sexual orientation, disability; or
f. is otherwise illegal or causes damage or injury to any person or property;
and One Auto API reserves the right, without liability or prejudice to its other rights to the Customer, to disable the Customer's access to any material that breaches the provisions of this clause.
2.4 The Customer shall not:
a. except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties and except to the extent expressly permitted under this agreement:
b. attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Software and/or Documentation (as applicable) in any form or media or by any means; or
c. attempt to de-compile, reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software; or
d. access all or any part of the Services and Documentation in order to build a product or service which competes with the Services and/or the Documentation; or
e. subject to clause 22.1, license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Services and/or Documentation available to any third party except the Authorised Users or as otherwise authorised by One Auto API, or
f. attempt to obtain, or assist third parties in obtaining, access to the Services and/or Documentation, other than as provided under this clause 2; or
g. introduce or permit the introduction of, any Virus or Vulnerability into One Auto API's network and information systems.
2.5 The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Services and/or the Documentation and, in the event of any such unauthorised access or use, promptly notify One Auto API.
2.6 The rights provided under this clause 2 are granted to the Customer only, and shall not be considered granted to any subsidiary or holding company of the Customer.
3 Additional user subscriptions
3.1 Subject to clause 3.2, the Customer may, from time to time during any Subscription Term, purchase additional User Subscriptions in addition and One Auto API shall grant access to the Services and the Documentation to such additional User Subscriptions in accordance with the provisions of this agreement.
3.2 If the Customer wishes to purchase additional User Subscriptions, the Customer may access them via oneautoapi.com . Providing the relevant initial payment has been made online by the Customer, and received by One Auto API, One Auto API shall activate the additional User Subscriptions
4 Services
4.1 One Auto API shall, during the Subscription Term, provide the Services and make available the Documentation to the Customer on and subject to the terms of this agreement.
4.2 One Auto API aims to make the Services available 24 hours a day, seven days a week, except for planned maintenance (in which case notice will be provided) or unscheduled maintenance (where One Auto API will use commercially reasonable endeavours to complete the maintenance as soon as possible).
4.3 One Auto API can if requested by the Customer, as part of the Services provide the Customer with Support Services to assist the Customer to best utilise the Services. One Auto API reserves the right to charge for Support Services, depending on the extent of support required or requested by the Customer.
4.4 The Customer may select different Services as described and offered on oneautoapi.com, for the fees, billing term, and the applicable supplemental terms and conditions relating to the Service set out thereon.
5 Data protection
5.1 For the purposes of this clause 5, the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR.
5.2 The parties will comply with all applicable requirements of Applicable Data Protection Laws. This clause 5 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under Applicable Data Protection Laws.
5.3 For the purposes of Applicable Data Protection Laws:
a. One Auto API may act as controller in respect of the Customer Personal Data, the One Auto API Personal Data, and/or the Supplier Personal Data and related processing activities in the supply of the Services; and
b. One Auto API and the Customer shall act as joint controllers in respect of the personal data mentioned in sub clause 5.3a and related processing activities in the supply of the Services.
c. in relation to data cleansing activity which may be part of the Services, One Auto API and any third party supplier of services shall act as processors of the Customer Personal Data, and the Customer shall act as controller.
5.4 Should the determination in clause 5.3 change, then each party shall work together in good faith to make any changes which are necessary to this clause 5.
5.5 By entering into this agreement, the Customer consents to (and shall procure all required consents, from its personnel, representatives and agents, in respect of) all actions taken by One Auto API in connection with the processing of customer Personal Data, in compliance with the then-current version of One Auto API's privacy policy available at oneautoapi.com ()https://www.oneautoapi.com/privacy) (“Privacy Policy”). In the event of any inconsistency or conflict between the terms of the Privacy Policy and this agreement, the Privacy Policy will take precedence.
5.6 Without prejudice to the generality of 5.2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Customer Personal Data to One Auto API and its third party suppliers and/or lawful collection of the same by One Auto API for the duration and purposes of this agreement.
5.7 The Privacy Policy sets out the scope, nature and purpose of processing by One Auto API, the duration of the processing and the types of personal data and categories of data subject.
5.8 One Auto API shall, in relation to Customer Personal Data:
a. process that Customer Personal Data only on the documented instructions of the Customer, which shall be to process the Customer Personal Data for the purposes set out in this agreement, unless One Auto API is required by Applicable Data Protection Laws to otherwise process that Customer Personal Data;
b. comply with and implement all appropriate technical and organisational measures necessary to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data;
c. ensure that any personnel engaged and authorised by One Auto API to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
d. assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to One Auto API), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
e. notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data;
f. at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the agreement unless One Auto API is required by Applicable Data Protection Law to continue to process that Customer Personal Data. For the purposes of this Customer Personal Data shall be considered deleted where it is put beyond further use by One Auto API; and
g. maintain records to demonstrate its compliance with this clause.
5.9 The Customer hereby provides its prior, general authorisation for One Auto API to:
a. appoint processors to process the Customer Personal Data, provided that One Auto API:
i. shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on One Auto API in this clause 5;
ii. shall remain responsible for the acts and omission of any such processor as if they were the acts and omissions of One Auto API; and
iii. shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to One Auto API's reasonable satisfaction, that the objection is due to an actual or likely breach of Applicable Data Protection Law, the Customer shall indemnify One Auto API for any losses, damages, costs (including legal fees) and expenses suffered by One Auto API in accommodating the objection.
b. transfer Customer Personal Data outside of the UK as required for the Purpose, provided that One Auto API shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, the Customer shall promptly comply with any reasonable request of One Auto API, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer).
5.10 To the extent the parties act as joint-controllers in respect of personal data pursuant to this agreement, the parties have agreed to allocate responsibility for each of their controller obligations under Applicable Data Protection Laws.
6 Third party providers/supplier
6.1 The Customer acknowledges that the Services may be provided, enabled or assisted by the services of third parties and that the Customer accesses and uses those services solely at its own risk.
6.2 In the event that the Customer accesses Services which are provided by third parties and which uses third party data and information as part of the Services, the Customer is required to abide by the terms and conditions of that third party which will be notified to the Customer either by email, or by access to those terms on oneautoapi.com when the Customer selects the particular Service provided by the third party. Additionally, they may appear as a schedule to this agreement.
DVLA Services
6.3 One Auto API makes no representation, warranty or commitment and shall have no liability or obligation whatsoever in relation to the content or use of, or correspondence with, any such third-party website, or any transactions completed, and any contract entered into by the Customer, with any such third party.
Royal Mail Services
6.4 The Customers attention is drawn to the detailed provisions laid down by Royal Mail in Schedule 2 for the use of its data and information.
6.5 As a result of One Auto API agreeing to ensure that its Customers are notified of and abide by the DVLA and Royal Mail terms and conditions in the Schedules 1, should One Auto API face a claim from DVLA or Royal Mail or any third party concerning the Customer’s breach of the DVLA or Royal Mail terms and conditions, the Customer agrees to indemnify One Auto API in full and on demand for all losses and expenses incurred by One Auto API as a result of such a breach.
6.6 One Auto API makes no representation, warranty or commitment and shall have no liability or obligation whatsoever in relation to the content or use of, or correspondence with, any such third-party website, or any transactions completed, and any contract entered into by the Customer, with any such third party.
6.7 Any contract entered into and any transaction completed via any third-party website is between the Customer and the relevant third party, and not One Auto API. One Auto API recommends that the Customer refers to the third party's website terms and conditions and privacy policy prior to using the relevant third-party website.
6.8 In the event that the Customer breaches any website terms and conditions or the privacy policy or other data protection requirements of a third party, and One Auto API suffers or incurs loss or expense (in terms of any compensation, damages, indemnities or other liability owed to a third party), the Customer agrees to indemnity One Auto API in full and on demand in relation to the same.
7 One Auto API's obligations
7.1 One Auto API undertakes that the Services will be performed with reasonable skill and care.
7.2 One Auto API:
a. does not warrant that:
i. the Customer's use of the Services will be uninterrupted or error-free; or
ii. that the Services, Documentation and/or the information obtained by the Customer through the Services will meet the Customer's requirements; or
iii. the Software or the Services will be free from Vulnerabilities or Viruses; or
iv. the Software, Documentation or Services will comply with any Heightened Cybersecurity Requirements.
b. is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Services and Documentation may be subject to limitations, delays and other problems inherent in the use of such communications facilities.
7.3 This agreement shall not prevent One Auto API from entering into similar agreements with third parties, or from independently developing, using, selling or licensing documentation, products and/or services which are similar to those provided under this agreement.
7.4 One Auto API warrants that it has and will maintain all necessary licences, consents, and permissions necessary for the performance of its obligations under this agreement.
8 Customer's obligations
8.1 The Customer shall:
a. provide One Auto API with:
i. all necessary co-operation in relation to this agreement; and
ii. all necessary access to such information as may be required by One Auto API; in order to provide the Services, including but not limited to Customer Data, security access information and configuration services;
b. without affecting its other obligations under this agreement, comply with all applicable laws and regulations with respect to its activities under this agreement;
c. carry out all other Customer responsibilities set out in this agreement in a timely and efficient manner. In the event of any delays in the Customer's provision of such assistance as agreed by the parties, One Auto API may adjust any agreed timetable or delivery schedule as reasonably necessary;
d. ensure that the Authorised Users use the Services and the Documentation in accordance with the terms and conditions of this agreement and shall be responsible for any Authorised User's breach of this agreement;
e. obtain and shall maintain all necessary licences, consents, and permissions necessary for One Auto API, its contractors and agents to perform their obligations under this agreement, including without limitation the Services;
f. comply with the terms and conditions of any third party supplier of the Services, in accordance with the provisions of clause 6;
g. ensure that its network and systems comply with the relevant specifications provided by One Auto API from time to time; and
h. be, to the extent permitted by law and except as otherwise expressly provided in this agreement, solely responsible for procuring, maintaining and securing its network connections and telecommunications links from its systems to One Auto API's data centres, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Customer's network connections or telecommunications links or caused by the internet.
8.2 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data.
8.3 The Customer shall not use the Services, Documentation or any data produced as a result of the use of the Services:
8.3.1 for the marketing or promotion of any services in connection with payday loans or the reclaim of Payment Protection Insurance ('PPI') or compensation for the mis-selling of PPI products; or
8.3.2 in a way that does not comply with the DMA Code of Practice and with the British Code of Advertising, Sales Promotion and Direct Marketing currently applicable, or any replacement or equivalent Code or Codes.
9 Charges and payment
9.1 The Customer shall pay the Subscription Fees to One Auto API for the User Subscriptions and Services as set out at oneautoapi.com and updated from time to time
9.2 The Customer shall on the Effective Date provide to One Auto API valid, up-to-date and complete credit card details or approved purchase order information acceptable to One Auto API and any other relevant valid, up-to-date and complete contact and billing details and, if the Customer provides its credit card details to One Auto API, the Customer hereby authorises the One Auto API to bill such credit card on the Effective Date and at the appropriate time thereafter for the Subscription Fees payable in respect of each billing term applicable for the Service(s).
9.3 Invoices for the Subscription Fees will be issued by One Auto API to cover Subscription Fees when payable or when paid. Invoices for excess usage fees will be issued in arrears on a monthly basis, and are payable on presentation.
9.4 If One Auto API has not received payment after the due date, and without prejudice to any other rights and remedies of One Auto API:
a. One Auto API may, without liability to the Customer, disable the Customer's, account and access to all or part of the Services and One Auto API shall be under no obligation to provide any or all of the Services while the invoice(s) concerned remain unpaid; and
b. interest shall accrue on a daily basis on such due amounts at an annual rate equal to 3% over the then current base lending rate of the Bank of England from time to time, commencing on the due date and continuing until fully paid, whether before or after judgement.
9.5 All amounts and fees stated on oneautoapi.com:
a. shall be payable in pounds sterling;
b. are non-cancellable and non-refundable, save as may otherwise be permitted by clause 9.7 below;
c. are exclusive of value added tax, which shall be added to One Auto API's invoice(s) at the appropriate rate.
9.6 One Auto API shall be entitled to increase the Subscription Fees and the fees payable in respect of the additional User Subscriptions, the fees payable for Support Services on giving the Customer at least 30 days notice.
9.7 The Customer may submit a request via oneautoapi.com to cancel their Service(s) at any time, and the Service(s) concerned will be scheduled to end at the end of their respective billing term(s). Any additional use of the Service(s) which has not been covered by the Subscription Fees paid up to the date of cancellation of the Service(s) will be invoiced for and is payable by the Customer on presentation.
9.8 The Customer may request a change of plan via oneautoapi.com for any of the Services they have contracted to receive, and the change will apply at the start of the next billing term. The Customer will remain liable for additional use of the existing Service(s) until the end of the current billing term for the Service(s) concerned.
10 Proprietary rights
10.1 The Customer acknowledges and agrees that One Auto API and/or its licensors own all intellectual property rights in, and produced by, the Services and the Documentation. Except as expressly stated herein, this agreement does not grant the Customer any rights to, under or in, any patents, copyright, database right, trade secrets, trade names, trade marks (whether registered or unregistered), or any other rights or licences in respect of the Services or the Documentation.
10.2 One Auto API confirms that it has all the rights in relation to the Services and the Documentation that are necessary to grant all the rights it purports to grant under, and in accordance with, the terms of this agreement.
11 Confidentiality and compliance with policies
11.1 Confidential Information means all confidential information (however recorded or preserved) disclosed by a party or its Representatives (as defined below) to the other party and that party's Representatives in connection with the supply of the Services, including but not limited to:
a. any information that would be regarded as confidential by a reasonable business person relating to:
i. the business, assets, affairs, customers, clients, suppliers, plans, intentions, or market opportunities of the disclosing party (or of any member of the group of companies to which the disclosing party belongs); and
ii. the operations, processes, product information, know-how, designs, trade secrets or software of the disclosing party (or of any member of the group of companies to which the disclosing party belongs);
b. any information developed by the parties in the course of carrying out this agreement and the parties agree that:
i. details of the Services, and the results of any performance of the Services, shall constitute One Auto API Confidential Information; and
ii. Customer Data shall constitute Customer Confidential Information.
Representatives means, in relation to a party, its employees, officers, contractors, subcontractors, representatives and advisers.
11.2 The provisions of this clause shall not apply to any Confidential Information that:
a. is or becomes generally available to the public (other than as a result of its disclosure by the receiving party or its Representatives in breach of this clause);
b. was available to the receiving party on a non-confidential basis before disclosure by the disclosing party;
c. was, is or becomes available to the receiving party on a non-confidential basis from a person who, to the receiving party's knowledge, is not bound by a confidentiality agreement with the disclosing party or otherwise prohibited from disclosing the information to the receiving party;
d. the parties agree in writing is not confidential or may be disclosed; or
e. is developed by or for the receiving party independently of the information disclosed by the disclosing party.
11.3 Each party shall keep the other party's Confidential Information secret and confidential and shall not:
a. use such Confidential Information except for the purpose of exercising or performing its rights and obligations under or in connection with this agreement (Permitted Purpose); or
b. disclose such Confidential Information in whole or in part to any third party, except as expressly permitted by this clause 11.
11.4 A party may disclose the other party's Confidential Information to those of its Representatives who need to know such Confidential Information for the Permitted Purpose, provided that:
a. it informs such Representatives of the confidential nature of the Confidential Information before disclosure; and
b. at all times, it is responsible for such Representatives' compliance with the confidentiality obligations set out in this clause.
11.5 A party may disclose Confidential Information to the extent such Confidential Information is required to be disclosed by law, by any governmental or other regulatory authority or by a court or other authority of competent jurisdiction provided that, to the extent it is legally permitted to do so, it gives the other party as much notice of such disclosure as possible.
11.6 A party may, provided that it has reasonable grounds to believe that the other party is involved in activity that may constitute a criminal offence under the Bribery Act 2010, disclose Confidential Information to the Serious Fraud Office without first informing the other party of such disclosure.
11.7 Each party reserves all rights in its Confidential Information. No rights or obligations in respect of a party's Confidential Information other than those expressly stated in this clause are granted to the other party, or to be implied from this agreement.
11.8 Except as expressly stated in this agreement, no party makes any express or implied warranty or representation concerning its Confidential Information.
11.9 The above provisions of this clause 11 shall survive for a period of five years from termination or expiry of this agreement.
12 Indemnity
12.1 The Customer shall defend, indemnify and hold harmless One Auto API against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with the Customer's use of the Services and/or Documentation, provided that:
a. the Customer is given prompt notice of any such claim;
b. One Auto API provides reasonable co-operation to the Customer in the defence and settlement of such claim, at the Customer's expense; and
c. the Customer is given sole authority to defend or settle the claim.
12.2 In no event shall One Auto API, its employees, agents and sub-contractors be liable to the Customer to the extent that the alleged breach of a terms of this agreement is based on:
a. a modification of the Services or Documentation by anyone other than One Auto API; or
b. the Customer's use of the Services or Documentation in a manner contrary to the instructions given to the Customer by One Auto API; or
c. the Customer's use of the Services or Documentation after notice of the alleged or actual infringement from One Auto API or any appropriate authority.
12.3 The foregoing and the relevant provisions of clause 13 state the Customer's sole and exclusive rights and remedies, and One Auto API's (including One Auto API's employees', agents' and sub-contractors') entire obligations and liability, for infringement of any patent, copyright, trade mark, database right or right of confidentiality.
13 Limitation of liability
13.1 Except as expressly and specifically provided in this agreement:
a. the Customer assumes sole responsibility for results obtained from the use of the Services and the Documentation by the Customer, for conclusions drawn from such use, and any onward use by the Customer of the data/results in a software application, website, business process or similar. One Auto API shall have no liability for any damage caused by errors or omissions in any information, instructions or scripts provided to One Auto API by the Customer in connection with the Services, or any actions taken by One Auto API at the Customer's direction;
b. all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this agreement; and
c. the Services and the Documentation are provided to the Customer on an "as is" basis.
13.2 Nothing in this agreement excludes the liability of One Auto API:
a. for death or personal injury caused by One Auto API's negligence; or
b. for fraud or fraudulent misrepresentation.
13.3 Subject to clause 13.1 and clause 13.2:
a. One Auto API shall not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this agreement; and
b. One Auto API's total aggregate liability in contract), tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of this agreement shall be limited to the total Subscription Fees paid for the User Subscriptions during the 12 months immediately preceding the date on which the claim arose.
13.4 Nothing in this agreement excludes the liability of the Customer for any breach, infringement or misappropriation of One Auto API’s Intellectual Property Rights”.
14 Term and termination
14.1 This agreement shall, unless otherwise terminated as provided in this clause 14, commence on the Effective Date and shall continue until:
a. either party gives the other party at least 60 days notice in writing; or
b. it is otherwise terminated in accordance with the provisions of this agreement;
14.2 Without affecting any other right or remedy available to it, either party may terminate this agreement with immediate effect by giving written notice to the other party if:
a. the other party fails to pay any amount due under this agreement on the due date for payment and remains in default not less than 7 days after being notified in writing to make such payment;
b. the other party commits a material breach of any other term of this agreement and (if such breach is remediable) fails to remedy that breach within a period of 21 days after being notified [in writing] to do so;
c. the other party suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986 (IA 1986) as if the words "it is proved to the satisfaction of the court" did not appear in sections 123(1)(e) or 123(2) of the IA 1986 or (being an individual) is deemed either unable to pay its debts or as having no reasonable prospect of so doing, in either case, within the meaning of section 268 of the IA 1986 or (being a partnership) has any partner to whom any of the foregoing apply;
d. the other party commences negotiations with all or any class of its creditors with a view to rescheduling any of its debts, or makes a proposal for or enters into any compromise or arrangement with its creditors other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;
e. the other party applies to court for, or obtains, a moratorium under Part A1 of the Insolvency Act 1986;
f. a petition is filed, a notice is given, a resolution is passed, or an order is made, for or in connection with the winding up of that other party other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;
g. an application is made to court, or an order is made, for the appointment of an administrator, or if a notice of intention to appoint an administrator is given or if an administrator is appointed, over the other party (being a company, partnership or limited liability partnership);
h. the holder of a qualifying floating charge over the assets of that other party (being a company or limited liability partnership) has become entitled to appoint or has appointed an administrative receiver;
i. a person becomes entitled to appoint a receiver over the assets of the other party or a receiver is appointed over the assets of the other party;
j. a creditor or encumbrancer of the other party attaches or takes possession of, or a distress, execution, sequestration or other such process is levied or enforced on or sued against, the whole or any part of the other party's assets and such attachment or process is not discharged within 14 days;
k. any event occurs, or proceeding is taken, with respect to the other party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the events mentioned in clause 14.2(c) to clause 14.2(j) (inclusive);
l. the other party suspends or ceases, or threatens to suspend or cease, carrying on all or a substantial part of its business; or
m. the other party's financial position deteriorates so far as to reasonably justify the opinion that its ability to give effect to the terms of this agreement is in jeopardy;
14.3 On termination of this agreement for any reason:
a. all subscriptions granted under this agreement shall immediately terminate and the Customer shall immediately cease all use of the Services and/or the Documentation;
b. any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination shall not be affected or prejudiced.
15 Force majeure
Neither party shall be in breach of this agreement nor liable for delay in performing, or failure to perform, any of its obligations under this agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control. The time for performance of such obligations shall be extended accordingly. If the period of delay or non-performance continues for 13 weeks, the party not affected may terminate this agreement by giving 28 days' written notice to the affected party.
16 Conflict
If there is an inconsistency between any of the provisions in the main body of this agreement and any supplemental terms for any part of the Services provided, and of which the Customer is made aware, the provisions in the supplemental terms shall prevail.
17 Variation
No variation of this agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
18 Waiver
18.1 A waiver of any right or remedy is only effective if given in writing and shall not be deemed a waiver of any subsequent right or remedy.
18.2 A delay or failure to exercise, or the single or partial exercise of, any right or remedy shall not waive that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy.
19 Rights and remedies
Except as expressly provided in this agreement, the rights and remedies provided under this agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
20 Severance
20.1 If any provision or part-provision of this agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement.
20.2 If any provision or part-provision of this agreement is deemed deleted under clause 20.1 the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
21 Entire agreement
21.1 This agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous and contemporaneous agreements, promises, assurances and understandings between them, whether written or oral, relating to its subject matter.
21.2 Each party acknowledges that in entering into this agreement it does not rely on, and shall have no remedies in respect of, any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this agreement.
21.3 Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in this agreement.
21.4 Nothing in this clause shall limit or exclude any liability for fraud.
22 Assignment
22.1 The Customer shall not, without the prior written consent of One Auto API, assign, novate, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this agreement.
22.2 One Auto API may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this agreement.
23 No partnership or agency
Nothing in this agreement is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
24 Third party rights
This agreement does not confer any rights on any person or party (other than the parties to this agreement and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999.
25 Acceptance of these Terms
The terms and conditions of this agreement are binding on the Customer when the Customer’s representative confirms agreement and acceptance of these terms when completing its sign up to the Services at oneautoapi.com
26 Notices
26.1 Any notice given to a party under or in connection with this agreement shall be in writing and shall be:
a. delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or
b. sent by email to the following addresses (or an address substituted in writing by the party to be served):
i. One Auto API: notices@oneautoapi.com
ii. Customer: the address confirmed by the Customer when signing up to the Services.
26.2 Any notice shall be deemed to have been received:
a. if delivered by hand, at the time the notice is left at the proper address;
b. if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second Business Day after posting; or if sent by email, at the time of transmission, or, if this time falls outside Business Hours in the place of receipt, when Business Hours resume.
26.3 This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
27 Governing law
This agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and interpreted in accordance with the law of England and Wales.
28 Jurisdiction
Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).
These terms and conditions have been read, considered and accepted by the Customer, on the date and at the time the Customer’s authorised representative has confirmed their acceptance of these terms via oneautoapi.com.
Schedule 1: DVLA Requirements
References below to “the Customer” and “One Auto API” are to the same defined terms in the Agreement.
For all other defined terms, please refer below.
|
Definition
|
Meaning
|
|
Caching
|
Means the process of storing Data in a temporary storage area (a Cache”) for further use within a defined period of time. A Cache is a hardware or software component that stores Data so that future requests for that Data can be served faster.
|
|
Conviction
|
other than for minor road traffic offences, any previous or pending prosecutions, convictions, cautions and binding-over orders (including any spent convictions as contemplated by section 1(1) of the Rehabilitation of Offenders Act 1974 (as amended) by virtue of the exemptions specified in Part II of Schedule 1 of the Rehabilitation of Offenders Act 1974 (Exemptions) Order 1975 (SI 1975/1023) (as amended) or any replacement or amendment to that Order, or being placed on a list kept pursuant to the safeguarding of Vulnerable Groups Act 2006 (as amended);
|
|
Data
|
DVLA data that is provided or to be provided to the Customer and any Third Party Customers;
|
|
Data Governance Assessment
|
a form used by the DVLA to assess data governance measures in place as a measure against the contract.
|
|
Data Subject
|
the meaning given to that term in Data Protection Legislation, means an identified or identifiable natural person, directly or indirectly through Personal Data;
|
|
Default
|
any breach of the obligations of the relevant party (including but not limited to fundamental breach or breach of a fundamental term) or any other default, act, omission, negligence or negligent statement of the relevant party or the Staff in connection with or in relation to the subject matter of the Agreement and in respect of which such party is liable to the other;
|
|
Equipment
|
the Customer’s equipment, plant, materials and such other items used by the Customer in the performance of its obligations under the Agreement, or otherwise used to access or store Data.
|
|
Fraud
|
any offence under Applicable Law creating offences in respect of
fraudulent acts or at common law in respect of fraudulent acts in relation to the Agreement or defrauding or attempting to defraud or conspiring to defraud the Crown;
|
|
Industry Best Practice
|
at any time the exercise of that degree of skill, care, diligence, prudence, efficiency, foresight, standards, practices, methods, procedures and timeliness which would be expected at such time from a leading and expert company within the industry, such company seeking to comply with its contractual obligations in full and complying with all Applicable Laws;
|
|
Intermediary
|
an organisation who receives the Data from One Auto API and uses it to provide products and services to other organisations (to be referred to as “Third Party Customers”) that demonstrate Reasonable Cause;
|
|
Malicious Software
|
any software program or code intended to destroy, interfere with, corrupt, or cause undesired effects on program files, Data or other information, executable code or application software macros, whether or not its operation is immediate or delayed, and whether the malicious software is introduced wilfully, negligently or without knowledge of its existence;
|
|
Personal Data Breach
|
any event that results, or may result in a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
|
|
Premises
|
the location where the Data is to be supplied to the Customer, or accessed, stored or destroyed by the Customer;
|
|
Reasonable Cause
|
Products or services that have one or more of the following benefits:
a) Improving vehicle and road safety
b) Reducing vehicle crime
c) Consumer Protection
d) Environmental impact (greener transport).
|
|
Relevant Conviction
|
a Conviction which the Customer, acting reasonably and in accordance with Industry Best Practice, deems to preclude a person from being involved in any way with use of the Data
|
|
Removable Media
|
all physical items and devices that can carry and transfer electronic information. Examples include but are not limited to DVDs, CD-ROMs, floppy disks, portable hard disk drives, USB memory sticks, flash drives, portable music and video players including mobile phones, hand held devices such as smartphones and personal digital assistants;
|
|
Requestor
|
a person who is making an enquiry for Data about a particular vehicle, using products or services provided by the Customer or an Intermediary or a Third Party Customer;
|
|
Staff
|
all persons employed by a party to perform its obligations under the Agreement together with the party’s servants, agents, suppliers and subcontractors used in the performance of its obligations under the Agreement;
|
|
Third Party Customer
|
any organisation that:
a) is not an Intermediary; and
b) receives Data from the Customer or an Intermediary providing Reasonable Cause can be demonstrated;
|
Attachment 1: Minimum Data Security Requirements
1 Data Security Requirements
1.1 The Customer shall abide by the minimum security requirements, which are as follows:
a. Data, including back-up data, must be retained in secure premises and locked away;
b. The Data supplied may only be copied for back-up and for the purposes of Processing the Data. Copies must be erased immediately thereafter and they must not be otherwise duplicated;
c. The Customer will retain the Data only for as long as necessary with reference to the Reasonable Cause for which it was shared in accordance with the Data Protection Legislation;
d. The Customer, in accordance to Data Protection Legislation, should dispose of the Data where there is no business need to retain it;
e. Data, including back-up Data, must be protected from unauthorised access, release or loss;
f. A user ID and a robust password must be required to enter all databases on which the Data is stored;
g. A unique user ID and password must be attributable to an individual and must be allocated to each person with access to the Data or the Bulk Data Service;
h. User IDs and passwords must not be shared between the Customer’s Staff;
i. Access to the Data must be minimised so that only where necessary are individuals given the following levels of access:
i. ability to view material from single identifiable records
ii. ability to view material from many identifiable records
iii. functional access, including: searching, amendment, deletion, printing, downloading or transferring information;
j. The Data must not then be copied onto or stored on Removable Media. Laptops may be used but only if the device has full disk encryption installed in line with Industry Best Practice and the devices are securely protected when not in use;
k. Data must be used only for the Reasonable Cause for which it was obtained;
l. Paper records must be destroyed by incineration, pulping or shredding finely so that reconstruction is unlikely;
m. Electronic Data must be securely destroyed or deleted in accordance with current guidance from the Information Commissioner’s Office as soon as it is no longer needed;
n. All premises and buildings in which the Data is stored must be secure;
o. The Customer must be registered with the Information Commissioner and the permission must cover all activities actually carried out;
p. information must not be passed to third parties except with the prior written approval of the DVLA; and
q. transfer of the Data to third parties (where approval has been granted by DVLA) must be in accordance with the principles of Data Protection Legislation. Any other conditions required by the DVLA in giving permission for disclosure to third parties must be satisfied.
r. Caching of Data by the Customer must be in accordance with Attachment 2 of these terms.
2 Inspection, Internal Compliance and Audit
2.1 The Data Governance Assessment form shall be completed upon DVLA request and shall confirm whether or not the following requirements have been complied with:
a. all of the Data Security requirements in paragraph 1 above;
b. the requirements set out in Attachment 2 and Attachment 3.
3 Minimum Requirements for the Customer’s Staff Vetting and Disciplinary Procedures
3.1 The minimum requirements for the Customer’s Staff vetting procedures are as follows:
a. The Customer shall confirm the identity of its entire new Staff.
b. The Customer shall confirm the references of its entire Staff.
c. The Customer shall require all persons who are to have access to the Bulk Data Service or to the Data to complete and sign a written declaration of any unspent criminal Convictions.
d. The Customer shall not allow any person with unspent criminal convictions to have access to the Data, except with the prior written permission of the DVLA.
e. The Customer shall ensure that no person who discloses that he or she has a Relevant Conviction, or who is found by the Customer to have any Relevant Conviction is allowed access to the Data.
f. The Customer shall either (i) require that all persons who are to have access to the Data shall complete and sign an agreement to use the Data only for the Reasonable Causes set out in this Agreement and in accordance with the Customer’s procedures or where not feasible, (ii) upon the request of One Auto API, provide a written undertaking confirming that the Customer has put in place sufficient procedures to ensure that all persons who are to have access to the data will use the Data only for the Reasonable Causes set out in the Agreement and in accordance with the Customer’s procedures.
g. The Customer shall ensure that each person who has access to the Data shall act with all due skill, care and diligence and shall possess such qualifications, skills and experience as are necessary for the proper use of the Data.
h. The Customer shall ensure that each person who has access to the Data is appropriately trained in and aware of his or her duties and responsibilities under the Data Protection Legislation and this Agreement.
i. The Customer shall create and maintain a unique user account ID for each person who has access to the Data.
j. The Customer shall maintain a procedure for authorising the creation of user accounts and for the prompt deletion of accounts that are no longer required. The Customer must ensure that the person or persons carrying out this work are appropriately trained and that their duties are separate from that of a normal user account. A normal user must not be able to manage their own account.
k. The Customer’s disciplinary policy shall state that misuse of the Bulk Data Service or the Data by any person shall constitute gross misconduct and may result in summary dismissal of that person. The Customer shall notify such misuse to One Auto API and the person involved shall be refused all future access to DVLA Data.
l. System administrators must receive appropriate training.
m. The system administration role must be separated from any other role to ensure a separation of duties.
The Customer shall, upon One Auto API’s written request, provide written confirmation that these procedures are followed, along with any reasonable supporting evidence that One Auto API may require.
Attachment 2: Requirements in relation to Intermediaries, Third Party Customers and Requestors
1 Contractual Obligations of all Third Party Customers
1.1 If the Customer is an Intermediary, the provisions of this paragraph 1 form part of the Agreement. The Customer shall also include the provisions in this Attachment 2 in its contracts with Third Party Customers, with references to One Auto API in that contract being replaced with references to the Customer and references to the Customer being replaced with references to the Third Party Customer.
1.1.1 Purpose For Which Data Is Provided
1.1.1.1 The Customer will provide One Auto API with a statement detailing the type of business it conducts and a description of products or services it offers to its customers that involve the use of DVLA Data.
1.1.1.2 One Auto API will only consider requests for services that involve the provision of DVLA Data from organisations that can demonstrate a Reasonable Cause for access to the Data. Organisations that cannot prove a Reasonable Cause will not be considered further.
1.1.1.3 The Customer will notify One Auto API of any changes to their business need for access to the service.
1.1.1.4 The requirements for transfer of the Data outside the UK set out below apply, including to the Customer’s backup or disaster recovery sites.
1.1.1.5 The Customer will not sell or permit the Data to be sold to any third party.
1.1.2 The Customer’s Key Staff
1.1.2.1 The Customer shall complete the list at ANNEX A (Customers Key Staff) of the individuals (or those individuals carrying out equivalent roles) who have direct responsibilities for the use of the Data and for the Customer's other obligations under this Agreement, giving their names and business addresses and other contact details and specifying the capacities in which they are concerned with the Data.
1.1.2.2 As a minimum, the list shall include details of the Customer’s registered office, as recorded by Companies’ House and:
a. the manager who shall be responsible for the Customer’s general Contractual matters and shall receive notices sent to the Customer under this Agreement, and who shall be referred to in this Agreement as the Commercial Manager (or equivalent role); and
b. the manager who is responsible for the management of the Data once in the hands of the Customer, to be referred to in this Agreement as the Data Manager (or equivalent role).
1.1.2.3 The Customer shall inform One Auto API immediately of any changes in personnel listed in ANNEX A (Customers Key Staff) or their business contact details.
1.1.3 Prevention of Corruption
1.1.3.1 The Customer shall not offer or give, or agree to give, to the DVLA, One Auto API or any other public body or person employed by or on behalf of the DVLA, One Auto API or any other public body any gift or consideration of any kind as an inducement or reward for doing, refraining from doing, or for having done or refrained from doing, any act in relation to the obtaining or execution of the Agreement or any other contract with the DVLA, One Auto API or any other public body, or for showing or refraining from showing favour or disfavour to any person in relation to the Agreement or any such contract.
1.1.3.2 If the Customer its Staff or anyone acting on the Customer’s behalf, engages in conduct prohibited by paragraph 1.1.3.1 or the Bribery Act 2010 (amended), One Auto API may:
a. terminate and recover from the Customer the amount of any loss suffered by One Auto API resulting from the termination; or
b. recover in full from the Customer any other loss sustained by One Auto API in consequence of any breach of that paragraph.
1.1.4 Prevention of Fraud
1.1.4.1 The Customer shall take all reasonable steps, in accordance with Industry Best Practice, to prevent Fraud by the Customer’s Staff and the Customer including its shareholder, members, and directors) in connection with the receipt of the Services.
1.1.4.2 The Customer shall notify One Auto API immediately, within a maximum of 24 hours of becoming aware, if it has reason to suspect that any Fraud has occurred or is occurring or is likely to occur.
1.1.4.3 If the Customer or its Staff commits Fraud in relation to this Agreement or any other contract, One Auto API may:
a. terminate the Agreement and recover from the Customer the amount of any loss suffered by One Auto API resulting from the termination; or
b. recover in full from the Customer any other loss sustained by One Auto API in consequence of any breach of this paragraph.
1.1.5 Discrimination
1.1.5.1 The Customer must not unlawfully discriminate either directly or indirectly or by way of victimisation or harassment against a person on such grounds as age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, colour, ethnic or national origin, sex or sexual orientation, and without prejudice to the generality of the foregoing the Customer must not unlawfully discriminate within the meaning and scope of the Equality Acts 2006 and 2010 (as amended) the Human Rights Act 1998 (as amended) or other relevant or equivalent legislation, or any statutory modification or re-enactment thereof.
1.1.5.2 The Customer shall take all reasonable steps to secure the observance of paragraph 1.1.5.1 by all of its Staff.
1.1.6 Health & Safety
1.1.6.1 The Customer shall promptly notify One Auto API of any health and safety hazards which may arise in connection with the performance of its obligations under the Agreement, including but not limited to, on inspection by One Auto API.
1.1.6.2 While on the Customer’s premises, One Auto API shall comply with any health and safety measures implemented by the Customer in respect of its Staff and other persons working there.
1.1.6.3 One Auto API shall notify the Customer immediately in the event of any incident occurring in the performance of its obligations under the Agreement on the Premises where that incident causes any personal injury or damage to property which could give rise to personal injury.
1.1.6.4 The Customer must comply with the requirements of the Health & Safety at Work etc. Act 1974 (as amended) and any other acts, orders, regulations and codes of practice relating to health and safety, which may apply to the Customer's Staff and other persons working on the Premises in the performance of its obligations under the Agreement.
1.1.7 Publicity and Media
1.1.7.1 The Customer shall notify One Auto API immediately if any circumstances arise which could result in publicity or media attention to the Customer which could adversely reflect on the DVLA, One Auto API or the Services.
1.1.7.2 The Customer shall not use the DVLA or One Auto API logo, create or approve any publicity implying or stating that the DVLA and/or One Auto API has a connection with any service provided by the Customer without the prior written approval of the DVLA and/or One Auto API. Prior written approval of the DVLA and/or One Auto API shall be obtained for each individual piece of publicity.
1.1.8 Transfer and Sub-contracting
1.1.8.1 The Customer shall not assign, sub-contract or in any other way dispose of the Agreement or any part of it without the prior written permission of One Auto API.
1.1.8.2 Sub-Contracting any part of the Agreement shall not relieve the Customer of any of its obligations or duties under the Agreement. The Customer shall be responsible for the acts and omissions of its sub-contractors as though they are its own. Where One Auto API has given approval to the placing of sub-contracts, copies of each sub-contract shall, at the request of One Auto API, be sent by the Customer to One Auto API as soon as reasonably practicable
1.1.9 Insolvency
1.1.9.1 The Customer shall notify One Auto API immediately in writing where the Customer undertakes, undergoes or performs an insolvency event. Insolvency events are any action or event described in the clause of the Terms and Conditions permitting termination for an insolvency event, being in version 4.4 of the Terms & Conditions, clause 10.1.3.
1.1.10 Change of Control
1.1.10.1 The Customer shall seek the prior written agreement of One Auto API to any change of control within the meaning of section 450 of the Corporation Taxes Act 2010 (as amended) (“Change of Control”). Where One Auto API has not given its written agreement before the Change of Control, One Auto API may terminate the Agreement by notice in writing with immediate effect within 26 weeks of:
a. being notified that that change of control has occurred; or
b. where no notification has been made, the date that One Auto API becomes aware of that change of control.
1.1.11 Consequences of Suspension and Termination
1.1.11.1 After the Services have been suspended or the Agreement has been terminated or both, the Customer shall continue to comply with its obligations under this Agreement and under Data Protection Legislation in relation to the Data which it holds, including as to the proper use of the Data, retention of the Data and secure destruction of the Data.
1.1.11.2 After the Services have been suspended or the Agreement has been terminated or both, the Customer will no longer have the right to use the Data already supplied by One Auto API.
1.1.11.3 During the suspension period, the Customer is not permitted to process or transfer the Data received prior to suspension.
1.1.11.4 Save as otherwise expressly provided in the Agreement:
a. termination of the Agreement shall be without prejudice to any rights, remedies or obligations accrued under the Agreement prior to termination or expiration and nothing in the Agreement shall prejudice the right of either party to recover any amount outstanding at such termination or expiry; and
b. termination of the Agreement shall not affect the continuing rights, remedies or obligations of One Auto API or the Customer under any provision of this Agreement which expressly or by implication is intended to come into or to continue in force on or after termination of this Agreement.
1.1.12 Transfer of the Data outside the UK
1.1.12.1 The Customer shall not transfer Personal Data outside of the EU or UK unless the prior written approval of One Auto API has been obtained and the following conditions are fulfilled:
a. One Auto API or the Customer has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by One Auto API;
b. the Data Subject has enforceable rights and effective legal remedies;
c. the Customer complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist One Auto API in meeting its obligations); and
d. the Customer complies with any reasonable instructions notified to it in advance by One Auto API with respect to the processing of Personal Data.
1.1.12.2 Where One Auto API gives the prior and express written approval referred to in paragraph 1.1.12.1, the Customer shall disclose the Data only to the extent agreed and in accordance with any conditions attached to the giving of that approval.
2 Contractual Obligations of Intermediaries or Third Party Customers with Access to the Data
If the Customer is an Intermediary, the provisions of this paragraph 2 form part of the Agreement. The Customer shall also include the provisions in this Attachment 2 in its contracts with Third Party Customers, with references to One Auto API in that contract being replaced with references to the Customer and references to the Customer being replaced with references to the Third Party Customer.
2.1 Technical Requirements for Secure Transmission of the Data
2.1.1 The Data shall be requested from One Auto API by the Customer under this Agreement. The Customer warrants that it has ensured that the method of provision of the Data by One Auto API is suitable and satisfactory to meet the Customer's needs.
2.1.2 The Customer shall ensure that it has sufficient technical knowledge and expertise to understand, implement and support the Services.
2.1.3 The Customer must ensure that Caching of Data is only possible where the Customer is compliant with all requirements of this Agreement and only in the following circumstances:
a. for a limited period of 24 hours to allow multiple hits against a single record as part of continuous enquiry (e.g. multiple insurance quotes from a website or call centre);
b. The Cache is protected from unauthorised access by way of encryption in accordance with Industry Best Practice;
c. The Customer must ensure that Intermediaries and Third Party Customers are made aware that they must not use Data to fulfil further enquiries or transactions on that Intermediary’s behalf or from Requestor’s or any other actual or potential customers of the Intermediary or Third Party Customer, not to fulfil multiple enquiries such as insurance or financial quotes after the 24 hour period permitted above has expired;
d. The Customer must make customers aware of the above and that storage of the Data for future use/to create an alternative database is not permitted. In addition, the Customer should also note the requirements of ATTACHMENT 3 (Restrictions on Disclosure of Vehicle Identification Number (VIN)
2.2 Reviews and Meetings
2.2.1 The Customer shall upon receipt of reasonable notice and during normal office hours attend all meetings arranged by One Auto API for the discussion of matters connected with the performance of the Agreement.
2.2.2 Without prejudice to any other requirement in this Agreement, the Customer shall provide such reports on the performance of the Agreement or any other information relating to the Customer's requests for and use of the Data as One Auto API may reasonably require.
2.2.3 One Auto API reserves the right to review the Agreement with the Customer at any time. Where required by One Auto API, the parties shall meet in person or via video or telephone conference to review:
a. the ongoing need for the Services as defined and any consequential variation to the terms of the Agreement;
b. the Reasonable Causes for which the Data is provided;
c. the performance of the Services;
d. the security arrangements governing the Customer's safe receipt of the Data and the Customer's further use of the Data;
e. the arrangements that the Customer has in place relating to the retention and secure destruction of the Data;
f. any audits that have been carried out that have relevance to the way that the Customer is Processing the Data;
g. any security incidents that have occurred with the Data;
h. the continued registration of the Customer's company under the same registered number;
i. the training and experience of the Customer's Staff in their duties and responsibilities under the Data Protection Legislation;
3 The Data Protection Legislation
For the purpose of this paragraph 3, the terms “Data”, “Data Controller”, “Data Processor”, “Data Subject”, “Information Commissioner”, “Information Commissioner’s Office”, “Personal Data”, and “Processing” shall have the meanings prescribed under Data Protection Legislation.
3.1 The parties agree that the Data constitutes Personal Data as they relate to a living individual who can be directly or indirectly identified from the Data.
3.2 It is the duty of the Data Controller to comply with Data Protection Legislation. The Customer, separately from One Auto API, shall be the Data Controller of each item of Data received from One Auto API from the point of receipt of that Data by the Customer and shall be responsible for complying with data protection principles in relation to its further Processing of that Data.
3.3 One Auto API is satisfied that providing the Data to the Customer for the Reasonable Causes is compliant with Data Protection Legislation.
3.4 The Customer shall ensure that the individual rights of the Data Subject are taken into account in responding to any Data Subject Access Request.
3.5 The Customer shall notify One Auto API immediately if it received a request from any third party for disclosure of the Data where compliance with such request is required or purported to be required by Law.
3.6 The parties agree to take into account of any guidance issued by the Information Commissioner’s Office. DVLA may on not less than 30 working days’ notice to the Bulk Data Provider amend their terms of use in which case this Agreement will be updated to ensure it complies with any guidance issued by the Information Commissioners Office.
4 Data Security
4.1 Both parties shall ensure the safe transportation/transmission of the Data in accordance with the appropriate technical and organisational measures.
4.2 The Customer shall ensure the Data is processed in accordance with Data Protection Legislation guidance and codes of practice.
4.3 The Customer shall comply with all the security requirements of One Auto API, including as a minimum those set out in Attachment 1 (Minimum Data Security Requirements) and any other requirements that One Auto API shall make from time to time.
4.4 The Customer shall notify One Auto API immediately, within a maximum of 24 hours of becoming aware, of any failure to comply with the requirements set out in Attachment 1 (Minimum Data Security Requirements) of this Agreement. One Auto API shall in turn notify the Bulk Data Provider who may at their discretion notify the DVLA.
4.5 The Customer shall not transfer or in any way make Data available to third parties unconnected with the Reasonable Causes.
5 Malicious Software
5.1 The Customer shall, as an enduring obligation throughout the term of this Agreement, use the latest versions of anti-virus software available from an industry accepted anti-virus software vendor to check for and remove Malicious Software from the ICT environment.
5.2 Notwithstanding paragraph 5.1, if Malicious Software is found, the parties shall co-operate to reduce the effect of the Malicious Software and, particularly if Malicious Software causes loss of operational efficiency or loss or corruption of Data, assist each other to mitigate any losses and to restore the Bulk Service to their desired operating efficiency.
5.3 Cost arising out of the actions of the parties taken in compliance with the provisions of paragraph 5.2 shall be borne by the Parties as follows:
a. by the Customer where the Malicious Software originates from the Customer's software (or a sub-contractor of the Customer) or the Customer's data;
b. by One Auto API if the Malicious Software originates from the One Auto API’s software or the Data.
6 Retention of Data and Evidence
6.1 In accordance with the Data Protection Legislation, the Customer shall retain each item of Data only for as long as is necessary with reference to the Reasonable Cause for which it was shared.
6.2 The Customer shall arrange for the secure destruction or deletion of each item of Data, in accordance with the requirements of the Data Protection Legislation, as soon as it is no longer necessary to retain it.
6.3 The Customer shall retain for two years after Processing of the Data, to allow inspection by One Auto API, the evidence that the Customer relies on to show its compliance with the requirements of this Agreement. There is no need, for One Auto APIs inspection purposes, for the Data to be retained as part of this requirement. The Data must be disposed of in accordance with the provision of paragraph 6.2 above.
7 The Customer's Vetting and Disciplinary Policies
7.1 The Customer shall maintain policies for vetting, hiring, training and disciplining the Customer's Staff and shall comply with these in respect of each person who has access to the Services. The minimum requirements for such vetting procedures are set out in Attachment 1 (Minimum Data Security Requirements).
8 The Customer's Internal Compliance Checks
8.1 The Customer shall ensure that its business processes, records of customer interactions and transactions, audit procedures on business activities and financial reporting are appropriate and effective to ensure proper use of the Data in compliance with this Agreement and the requirements of the Data Protection Legislation The minimum requirements for such internal compliance are set out in Attachment 1 (Minimum Data Security Requirements).
8.2 The Customer shall carry out its own internal compliance checks at least annually and shall, upon the request of One Auto API, provide details of the outcome of such checks using the Data Governance Assessment form provided by One Auto API .
9 Audits and Reviews
9.1 The Customer shall share with One Auto API the outcome of any other checks, audits or reviews that have been carried out on its activities as a Data Controller that are relevant to the Processing of the Data.
9.2 The Customer shall notify One Auto API immediately, within a maximum of 24 hours of becoming aware, of any audits that are being carried out by the Information Commissioner’s Office under Data Protection Legislation that are relevant to the Processing of the Data.
10 Incidents
10.1 The Customer shall notify One Auto API immediately, within a maximum of 24 hours of becoming aware, of any losses, compromise or misuse of the Data or any Personal Data Breach and keep One Auto API informed of any communications about the incident with; the individuals whose Personal Data is affected; the Information Commissioner’s Office; or the media.
10.2 The Customer understands that as the Data Controller it shall be responsible for taking any action necessary to resolve any such incident.
11 Inspection by One Auto API
11.1 One Auto API or an agent acting on its behalf reserves the right to carry out an inspection at any time of the Customer's compliance with the terms of this Agreement. Where possible, One Auto API shall give the Customer 7 days’ written notice of any such inspection.
11.2 The Customer agrees to co-operate fully with any such inspection and to allow One Auto API or an agent acting on its behalf access to its Premises, Equipment, evidence and the Customer's Staff for the purposes of the inspection.
11.3 The Customer will respond as required to the findings and recommendations of any One Auto API inspection and will provide updates as required on the implementation of any required actions.
11.4 One Auto API may, by written notice to the Customer, forbid access to the Data, or withdraw permission for continued access to the Data, to:
a. any member of the Customer's Staff; or
b. any person employed or engaged by any member of the Customer's Staff; whose access to or use of the Data would, in the reasonable opinion of One Auto API, be undesirable.
11.5 The decision of One Auto API as to whether any person is to be forbidden from accessing the Data and as to whether the Customer has failed to comply with this clause shall be final and conclusive.
11.6 One Auto API will be entitled to be reimbursed by the Customer for all One Auto API’s reasonable costs incurred in the course of the inspection.
12 Action on Complaint
12.1 Where a complaint is received about the Customer or the manner in which its services have been supplied or work has been performed or procedures used or about any other matter connected with the performance of the Customer's obligations under the Agreement or the use of Data, One Auto API may notify the Customer, and where considered appropriate by One Auto API, investigate the complaint. One Auto API may, in its sole discretion, acting reasonably, uphold the complaint and take further action in accordance with the Terms and Conditions of this Agreement
13 Contractual Rights and Powers
13.1 Inspection by the DVLA
13.1.1 The DVLA or an agent acting on its behalf reserves the right to carry out an inspection at any time of the Customer's compliance with the terms of this Contract. Where possible, the DVLA shall give the Customer 7 Days’ written notice of any such inspection.
13.1.2 The Customer agrees to co-operate fully with any such inspection and to allow the DVLA or an agent acting on its behalf access to its Premises, Equipment, evidence and the Customer's Staff for the purposes of the inspection.
13.1.3 The Customer will respond as required to the findings and recommendations of any DVLA inspection and will provide updates as required on the implementation of any required actions.
13.1.4 The DVLA may, by written notice to the Bulk Data Provider, forbid the Customer access to the Data, or withdraw permission for continued access to the Data, to: a) any member of the Customer's Staff; or b) any person employed or engaged by any member of the Customer's Staff; whose access to or use of the Data would, in the reasonable opinion of the DVLA, be undesirable.
13.1.5 The decision of the DVLA as to whether any person is to be forbidden from accessing the Data and as to whether the Customer has failed to comply with this clause shall be final and conclusive.
13.1.6 The DVLA will be entitled to be reimbursed by the Customer for all DVLA’s reasonable costs incurred in the course of the inspection.
14 Action on Complaint
14.1 Where a complaint is received about the Customer or the manner in which its services have been supplied or work has been performed or procedures used or about any other matter connected with the performance of the Customer's obligations under the Contract or the use of Data, the DVLA may notify the Bulk Data Provider, who may where considered appropriate by the DVLA investigate the complaint. The Bulk Data Provider may, in its sole discretion, acting reasonably;
a. uphold the complaint and take further action at their discretion.
b. instruct One Auto API to terminate the contract, in accordance with the Terms and Conditions of this Agreement.
15 Termination
15.1 One Auto API may terminate the Agreement with immediate effect by written notice to the Customer if the Customer commits any three or more Defaults, whether simultaneously or singly at any time during the operation of the Agreement, irrespective of whether any or all of such breaches is minimal or trivial in nature;
16 Other Termination Rights
16.1 One Auto API may terminate the Contract by written notice with immediate effect if in the reasonable view of One Auto API, during any period of suspension of the Services the Customer:
a. fails to co-operate with any investigation, audit or review:
b. fails to provide any assurances or take any actions within the reasonable period set by One Auto API under the Terms and Conditions of this Agreement; or
c. fails to provide assurances that satisfy One Auto API (acting reasonably) that the Customer has complied and shall continue to comply with the requirements of this Agreement and of Data Protection Legislation.
16.2 One Auto API may terminate the Agreement by written notice with immediate effect if the Customer fails to pay One Auto API any undisputed sums of money.
16.3 One Auto API may terminate the Agreement by written notice with immediate effect if the Customer is found to be in breach of any aspect of Applicable Law that could, in the reasonable opinion of One Auto API, bring One Auto API into disrepute.
16.4 One Auto API may terminate the Agreement by written notice with immediate effect if the Customer is an individual and he has died or is adjudged incapable of managing his affairs within the Mental Capacity Act 2005 (as amended).
17 Suspension of the Services
17.1 If it comes to the attention of One Auto API that the Customer has committed any Default (including material breaches and all other Defaults), One Auto API may suspend the Services without further notice and with immediate effect and investigate the nature and effect of the breach.
17.2 One Auto API may from time to time issue guidance on its principles on suspending the Services and terminating contracts to supply Data using the Services. The guidance may include guidance concerning: types of Defaults which One Auto API may consider to be material breaches; guidance as to specific types of breach that One Auto API will consider to be remediable; how such breaches may be remedied; how long suspension may last; and guidance as to which types of breach One Auto API may consider to be irremediable.
18 Effect of Suspension
18.1 If One Auto API suspends the Services at any time, the Customer shall co-operate with any further investigation, audit or review that One Auto API requires to be carried out in relation to the Data provided to the Customer.
18.2 One Auto API may refuse to resume the Services until the Customer provides assurances that the matter resulting in the suspension has been resolved to the satisfaction of One Auto API, and takes specified actions within a reasonable period set by One Auto API.
18.3 One Auto API may require that an inspection is carried out after the Services are resumed, to check the Customer's compliance with the Agreement and Data Protection Legislation.
18.4 During any suspension period, One Auto API shall not provide Data to the Customer.
18.5 The Customer shall reimburse One Auto API for all One Auto API’s cost and expenses incurred in relation to the One Auto API’s right under this paragraph to carry out an inspection, investigation, audit or review of the Customer.
19 Insolvency
19.1 Where One Auto API is notified in writing of any of the circumstances listed in paragraph entitled “Insolvency”, One Auto API may suspend the Services without further notice and with immediate effect and investigate further whether any of the Customer's directors or any liquidator, receiver, administrative receiver, administrator, or other officer is capable of ensuring that the provisions of this Agreement and of Data Protection Legislation are complied with. If One Auto API is not satisfied that any such person shall ensure such compliance, One Auto API may terminate the Agreement by written notice with immediate effect.
20 Ensuring Compliance of Intermediaries and Third Party Customers
20.1 In order to ensure the compliance of its Intermediaries or Third Party Customers with the obligations in Attachment 2, the Customer shall:
a. at all times maintain a written contract with the Third Party Customer that includes all the obligations and rights required to be included under this Agreement;
b. audit every Intermediary or Third Party Customer at least once in the first calendar year during which the Customer discloses Data to each Intermediary or Third Party Customer, and annually thereafter, and make evidence of such audits available to One Auto API at its request;
c. notify One Auto API immediately of any Defaults that the Customer considers to have been committed by the Intermediary or Third Party Customer, whether discovered on audit by the Customer or at any other time; and
d. take any additional action the Customer considers reasonable to ensure that the Intermediary or Third Party Customer shall comply with all of its obligations.
21 Conditions on the Use of Vehicle Registration Number (VRN) as Search Criteria
Disclosure of the Data (or any extract from it) relating a specific vehicle upon entry of a VRN by a Requestor, an Intermediary or a Third Party Customer are only permitted in the following cases:
a. The VRN relates to a vehicle where the Requestor is either owner or registered keeper of that vehicle; or
b. The VRN relates to a vehicle that is being or intended to be marketed or offered for sale; or
c. The Requestor has a genuine and legitimate interest in determining the provenance, status or technical specification of that vehicle; or
d. Where confirmation of the vehicle identity is a pre-requisite for the Data being accessed by the Requestor; or
e. The VRN relates to a vehicle that the Requestor, Intermediary or Third Party Customer has involvement in providing services to. This may include where the Requestor, Intermediary or Third Party Customer:
i. Has sold, repaired, modified, or serviced that vehicle;
ii. Is providing an insurance quotation or vehicle finance for that vehicle;
iii. Is involved in reducing crime for that vehicle.
22 Restrictions on Free Disclosure of The Data
In order to restrict excessive amounts of Data from being disclosed to Third Party Customers, Intermediaries or Requestors, the Customer is only permitted to disclose the following Data fields free of charge and free of any conditions:
|
Make
|
Year of Manufacture
|
|
Model
|
Export Marker
|
|
Colour
|
Vehicle Type Approval
|
|
Date of First Registration
|
Wheelplan
|
|
Body Type
|
Vehicle/Revenue Weight
|
|
Fuel Type
|
Tax Data
|
|
Engine Capacity
|
MOT Data
|
|
CO2
|
Gearbox (obtained from SMMT)
|
|
BHP (obtained from SMMT)
|
Attachment 3: Restrictions on disclosure of Vehicle Identification Number (VIN)
1 Introduction
1.1 It is necessary to have key identifying criteria and references (such as a serial number) for most assets. The main identifiers for a motor vehicle are the VRN (Vehicle Registration Number) and the VIN (Vehicle Identification Number). As the VRN is only applicable once the vehicle is registered and can be transferred to another vehicle, the most reliable identifier has become the VIN.
1.2 Within the automotive sector, correctly identifying a vehicle is vital in order to ensure the correct details are recorded and disclosed during the life of that vehicle. This applies in particular when specific events occur such as registration, secured finance, resale, repair, cherished plate transfer process, future finance applications and insurance application/renewal.
1.3 To address this market need, the Customer can release the full VIN in certain circumstances, to agreed trade sectors, in accordance with Reasonable Cause, and subject to specified conditions.
1.4 The table in section 2 below sets out the specified conditions for disclosure of the full VIN. The full VIN must only be released where absolutely essential and where this is not necessary VIN confirmation or partial VIN release should be the preferred solution.
1.5 Section 4 below sets out conditions on disclosure of the partial VIN.
2 Market Sectors Where Disclosure of Full VIN is Permitted
|
Market Sector
|
Purpose for Release of VIN
|
Permitted Disclosure
|
|
Motor Dealers Franchised
|
To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To confirm a correct VIN to be compared to the VIN displayed on the vehicle.
|
Displayed on the vehicle search report / certificate. Recorded on the vehicle inventory, stock report, ledgers and customer database / service record. Information disclosed to vehicle purchaser / owner, dealership staff, sub-contractors and auditors.
|
|
Motor Dealers Non-Franchised
|
To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To confirm a correct VIN to be compared to the VIN displayed on the vehicle.
|
Displayed on the vehicle search report / certificate. Recorded on the vehicle inventory, stock report, ledgers and customer database / service record. Information disclosed to vehicle purchaser / owner, dealership staff, sub-contractors and auditors.
|
|
Auction Houses
|
To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To confirm a correct VIN to be compared to the VIN displayed on the vehicle.
|
Displayed on the vehicle search report / sale lot. Recorded on the sales systems, vehicle inventory, stock report and ledgers. Information disclosed to vehicle vendor / purchaser, auction staff, sub-contractors and auditors.
|
|
Original Equipment Manufacturers
|
To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To use the VIN as an identifier if the vehicle is not yet registered.
|
Displayed on the vehicle search report / certificate. Recorded on the vehicle inventory, stock report, ledgers and customer database / service record. Information disclosed to franchise holders, vehicle owner / purchaser, OEM staff, sub-contractors and auditors.
|
|
Finance Companies
|
To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To use the VIN as an identifier if the vehicle is not yet registered.
|
Recorded on the vehicle asset / inventory files, Contract reports, ledgers and customer database / record. Information disclosed to vehicle operator / owner / purchaser, finance company staff, sub-contractors and auditors.
|
|
Insurance Companies
|
To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. Used to help identify and link to replacement parts and accessories.
|
Recorded on the vehicle policy / claims files, contract reports, ledgers and customer database / record. Information disclosed to vehicle operator / owner / policyholder, insurance company staff, sub-contractors and auditors.
|
|
Fleet and Leasing Companies
|
To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To use the VIN as an identifier if the vehicle is not yet registered.
|
Recorded on the vehicle asset / inventory files, Contract reports, ledgers and customer database / service record. Information disclosed to vehicle operator / owner / purchaser, fleet & leasing company staff, sub-contractors and auditors.
|
|
Aftermarket Service Providers
|
To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle.
|
Recorded on the vehicle order record, ledgers and customer database / service record. Information disclosed to vehicle repairer / operator / owner.
|
|
Automotive Systems and Integration Companies (e.g. Vendors of Dealer Management Systems)
|
To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle.
|
Displayed on the vehicle search report / certificate. Recorded within the application modules to handle vehicle inventory, stock report, ledgers and customer database / service record. Information disclosed to vehicle repairer / systems operator, vehicle owner / purchaser, systems integrator company staff, sub-contractors and auditors.
|
|
Law Enforcement Agencies
|
To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To confirm a correct VIN to be compared to the VIN displayed on the vehicle. To use the VIN as an identifier if the vehicle is not yet registered.
|
Displayed on the vehicle search report / certificate. Recorded on the case files, reports and legislative documentation. Information disclosed to authorised individuals and bodies involved in and processing the case / enquiry.
|
|
Salvage Companies
|
To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To confirm a correct VIN to be compared to the VIN displayed on the vehicle.
|
Displayed on the vehicle record / COD (Certificate Of Destruction). Recorded on the vehicle inventory, stock report, ledgers and customer database. Information disclosed to vehicle operator / owner, salvage company staff, sub-contractors and auditors.
|
3 Market Sectors Where Disclosure of Full VIN is not Permitted
3.1 Disclosure of the full VIN is not permitted to the following market sectors:
a. Consumers
b. Marketing Companies (other than those working on behalf of approved trade sector Customers in respect of their core activities under permitted uses)
c. Companies, Partnerships and Sole Traders who do not meet the criteria set out in the table in section 2 above.
3.2 Where there is a requirement to disclose the full VIN to new market sectors or for new purposes other than those set out in the table above in section 2 of these terms, the Customer must detail this in writing to One Auto API who will request formal written approval from DVLA via the Bulk Data Provider. The Customer shall not disclose the full VIN to any additional market sectors or for any new purposes without a contract variation in accordance with these terms and formal written approval from DVLA.
4 Conditions on Disclosure of Partial VIN
4.1 The Society of Motor Manufacturers and Traders (SMMT) has informed DVLA that the release of the end characters of a VIN (so a partial VIN) may lead to the ability to uniquely identify a vehicle in a very limited range of circumstances.
4.2 Where there are fewer than 500 vehicles of a particular type registered in a year, only the last three characters are needed to uniquely identify a vehicle, assuming that the make and model of that vehicle is known.
4.3 Where Reasonable Cause cannot be demonstrated to allow a Requester. Intermediary or Third Party Customer to identify a unique vehicle (in accordance with these terms) and where there are fewer than 500 vehicles of a particular vehicle type registered in one year, the Customer must only disclose the final two characters of the VIN.
ANNEX A
CUSTOMER’S KEY STAFF WITH DIRECT RESPONSIBILITIES FOR THE DVLA DATA AND FOR THE OTHER OBLIGATIONS UNDER THE AGREEMENT
1. The contact details of the Customer's Key Staff with responsibility for the DVLA Data and the performance of the Agreement, are as follows:
1.1 The contact details of the Commercial Manager referred to in clause C1.2.a) are:
Name:………………………………………….
Job Title:……………………………………….
Business Address (The Customer’s Registered Office, as recorded at
Companies’ House):
…………………………………………………..
…………………………………………………..
…………………………………………………..
Postcode:……………………………………….
Business telephone number:……………………………………….
Business mobile telephone number:……………………………….
Business Email address:…………………………………………….
1.2 The contact details of the Data Manager referred to in clause C1.2.b) are:
Name:………………………………………….
Job Title:……………………………………….
Business Address:……………………………
…………………………………………………..
…………………………………………………..
…………………………………………………..
Postcode:……………………………………….
Business telephone number:……………………………………….
Business mobile telephone number:……………………………….
Business Email address:…………………………………………….
1.3 The contact details of any other Key Staff, who are responsible for the Data or for supervision of the Staff with access to the Data, should be provided below and on continuation sheets attached to this ANNEX A.
1.4 The contact details for the Data Protection Officer (DPO) where applicable:
Name:………………………………………….
Business Address:……………………………
…………………………………………………..
…………………………………………………..
…………………………………………………..
Postcode:……………………………………….
Business telephone number:……………………………………….
Business mobile telephone number:……………………………….
Business Email address:…………………………………………….
SCHEDULE 2: Royal Mail End User Licence Agreement ("EULA")
The Customer acknowledges and agrees that any Services containing Redirection or Suppression data are subject to the terms of this EULA.
1. Definitions and Interpretation
1.1 In this EULA, where the context allows, the following words and expressions have the following meanings:
Batch Processing the use of the Product to carry out automated electronic processing of a batch of Customer Records in a Customer Database against Suppression Data in the NCOA® Suppress Database for the purpose of identifying Matches;
Confidential Information any information of a confidential or proprietary nature (irrespective of the form, presentation or communication including computer software and data, physical objects and samples and, in the case of Royal Mail, the Suppression Data, whether before or after it is incorporated into a Customer Database) relating to the business, operations, customers, processes, budgets, product information, know-how and/or strategies of either Party;
Customer Database an electronic compilation of Customer Records;
Customer Record the name and address of a current or lapsed customer or prospective customer of the End User which have been lawfully and fairly obtained by the End User solely for the purposes of marketing, commercial communications or customer administration and where the End User is a Public Body, such references to customer shall be deemed to mean any individual over whom such Public Body has or exercises competence under its statutory powers or duties;
Data Protection Legislation the Data Protection Act 1998, Directive 95/46/EC of the European Parliament, the General Data Protection Regulation (GDPR) (EU) 2016/679, the Electronic Communications Data Protection Directive 2002/58/EC and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any legislation and/or regulations implementing them or made in pursuance of them including where applicable the guidance and codes of practice issued by the Information Commissioner;
Decryption Process the codes, methodology and/or medium to be deployed to decrypt, use or activate the Product;
EEA the European Economic Area comprising, for the time being, the EU member states, Norway, Iceland and Liechtenstein and the United Kingdom;
End User the individual, company or other legal entity which is the owner or licensor of the Customer Database;
EULA this end user licence agreement between the Parties;
Individual Look Up the use of the Product to carry out electronic processing of an individual Customer Record against Suppression Data in the NCOA® Suppress Database for the purpose of identifying a Match;
Intellectual Property Rights all intellectual property rights including copyright and related rights, database rights, trade marks and trade names, patents, topography rights, design rights, trade secrets, know-how, and all rights of a similar nature or having similar effect which subsist anywhere in the world, whether or not any of them are registered and applications for registrations, extensions and renewals of any of them;
Law
-
any applicable statute or proclamation or any delegated or subordinate legislation;
-
any enforceable Community right within the meaning of section 2(1) of the European Communities Act 1972;
-
any applicable guidance, direction, determination or regulations with which either Party is bound to comply to the extent that the same are publicly available or the existence or contents of them have been notified to the other Party;
-
any applicable judgment of a relevant court of law which is binding precedent in England, in each case in force at any time during the term of this EULA;
Match each instance where through Processing, a name and address contained in the Customer Database is matched to a name and address in the NCOA® Suppress Database;
NCOA® Suppress Database a database containing Suppression Data selected, arranged and compiled by Royal Mail and stored on electronic media and including any updates to it;
Old Address the address specified by a Redirection Customer as that from which mail should be redirected, as subsequently amended by Royal Mail, if necessary, to ensure that the address information is correct for Royal Mail’s postal purposes;
Party the End User or Royal Mail, as applicable (together, the Parties);
Permitted Purpose carrying out Processing and in relation to any Match either:
-
deleting the name and address records which appear in the Customer Records of the relevant existing customer or prospective customer to whom the Match relates, for the purposes of a one-off mailing campaign by the End User; or
-
providing a permanent flag against the address of the relevant existing customer or prospective customer to whom the Match relates;
-
for the avoidance of any doubt, the Permitted Purpose shall not, in accordance with Data Protection Legislation, include sending any direct marketing to individuals.
Processing Batch Processing and/or Individual Look Ups, as per the agreement between the End User and the Product Reseller;
Product Reseller the individual, company or other legal entity which is licensed by Royal Mail Group Limited to use the Suppression Data in the Product and which directly or indirectly is providing access to the Product to the End User;
Public Body any department, office or agency of Her Majesty’s Government or any local government authority or agency or any other public authority;
Redirection Customer a customer of the Redirection Service whose post is, at the relevant time, being redirected by Royal Mail from the relevant Old Address to the relevant new address pursuant to such service;
Redirection Form the application form for individuals who wish to use the Redirection Service;
Royal Mail Royal Mail Group Limited, a company registered in England & Wales under registered number 04138203 whose registered office is at 100 Victoria Embankment, London, EC4Y 0HQ.
Redirection Service Royal Mail’s service for the redirection of mail provided to members of the public who have requested such service whereby mail which has been addressed to their Old Address is redirected to and delivered at their New Address;
Reseller Agreement Royal Mail’s agreement with the Product Reseller under the terms of which Royal Mail licenses the Product Reseller to use the NCOA® Suppress Database to create, modify and/or enhance its Product;
Royal Mail Royal Mail Group Limited, a company registered in England & Wales under registered number 04138203 whose registered office is at 100 Victoria Embankment, London, EC4Y 0HQ;
Suppression Data address data held by Royal Mail on the NCOA® Suppress Database and updated on a periodic basis which is derived from the Old Address information provided by Redirection Customers on the Redirection Form.
1.2 In this EULA unless the context otherwise requires:
1.2.1 references to one gender include references to all genders and references to the singular include the plural and vice versa;
1.2.2 clause headings are for convenience only and will not affect the construction of this EULA;
1.2.3 any reference to an enactment or statutory provision is a reference to it as it may have been or may from time to time be amended, replaced or re-enacted;
1.2.4 references to persons shall include references to individuals, bodies corporate (wherever incorporated), unincorporated associations and partnerships;
1.2.5 any phrase introduced by the expressions including, include or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding those terms; and
1.2.6 references in this EULA to the NCOA® Suppress Database shall be deemed to include Suppression Data or any part of it, as the context so requires.
2. Licence
2.1 In consideration of the End User complying with the terms of this EULA, Royal Mail grants to the End User a non-exclusive, non-transferable, revocable right in the EEA to access and use the Suppression Data accessed as part of its use of the Product for the Permitted Purpose only. The End User shall in no circumstances use the Suppression Data for the purpose of detecting fraud or money laundering.
2.2 The End User warrants and undertakes that any Customer Database (in respect of which Processing is being performed) is owned or licensed by the End User for the End User’s own use and comprises only Customer Records used for the purposes of marketing, commercial communications and routine administration. In each case, the address in each Customer Record will be complete to the best of the End User’s knowledge prior to Processing.
2.3 Except as expressly permitted in this EULA, the End User must not at any time reproduce, publish, sell, let, lend, extract, utilise, process or otherwise disclose the Suppression Data or the Customer Database after Processing (in whole or in part), either directly or indirectly, and the End User must treat Suppression Data as Confidential Information.
2.4 The End User may only use the Suppression Data for the Permitted Purpose. For the avoidance of doubt, the End User must:
2.4.1 ensure that Suppression Data supplied by way of a Match is immediately integrated into the Customer Records; and
2.4.2 not try to access, extract, utilise or process Suppression Data except through Processing and not carry out any Individual Look Ups or any other means of looking up Suppression Data concerning a specific individual where this is not expressly permitted by Royal Mail for the Product Reseller.
2.5 The End User must pay the Product Reseller for all Matches it obtains through its use of the Product.
2.6 The End User agrees to indemnify and keep indemnified Royal Mail against all losses, costs, claims and damages suffered or incurred by Royal Mail directly or indirectly as a result of a breach of any provision of this EULA by the End User.
2.7 The End User must not modify the Product at any time and must not pass the Product or copies thereof nor the Decryption Process to any third party.
2.8 At any time during the term of this EULA, on the provision of two (2) Working Days’ notice from Royal Mail, the End User shall give Royal Mail and its agents reasonable accompanied access during working hours to its premises, computer systems, accounts, documents and records for the purpose of verifying and monitoring the End User’s compliance with this EULA.
2.9 The End User shall ensure the centralised allocation and storage of all material relevant to the Decryption Process. The End User shall, in addition, ensure that all details and data concerning the Decryption Process are treated as Confidential Information and shall provide details of the Decryption Process to its own employees or subcontractors only on a strictly ‘need to know’ basis for the purpose of performing its obligations under this EULA.
2.10 In the case that the End User is a Public Body, the End User acknowledges that the Product Reseller shall not be entitled to allow the Product to provide Individual Look Ups.
3. Liability of Royal Mail
3.1 The End User acknowledges that Royal Mail does not warrant:
3.1.1 the accuracy and/or completeness of the Suppression Data;
3.1.2 that the NCOA® Suppress Database contains the names and addresses of all Redirection Customers; nor
3.1.3 that the NCOA® Suppress Database does not infringe the Intellectual Property Rights of any third party.
3.2 The End User agrees that Royal Mail will not be liable for any loss or damage (whether direct or indirect) however arising from the use by the End User, or performance of, Suppression Data, with the exception of death or personal injury caused by Royal Mail’s negligence.
3.3 The End User acknowledges that Royal Mail will not be liable to the End User in respect of its use of the Product.
3.4 The End User acknowledges that Royal Mail will not be obliged in any circumstances to provide Suppression Data or related services directly to the End User.
4. Property Rights in Suppression Data
4.1 The Intellectual Property Rights in Suppression Data supplied to the End User as part its use of the Product shall remain at all times the property of Royal Mail.
4.2 The licence to use the Suppression Data is personal to the End User. The End User may not license or assign the Intellectual Property Rights in the Suppression Data except as expressly permitted under this EULA or as otherwise agreed in writing by Royal Mail. For the avoidance of doubt, this EULA does not operate as an assignment by Royal Mail to the End User of any Intellectual Property Rights that might subsist in or relate to the Suppression Data.
4.3 The End User acknowledges that it will not acquire any rights of any nature in or in relation to the Suppression Data as a result of the End User’s use beyond those rights specifically granted in this EULA. If the End User challenges the validity of the Intellectual Property Rights in or relating to the Suppression Data or Royal Mail’s title to those Intellectual Property Rights Royal Mail may suspend or terminate this EULA with immediate effect by giving notice to the End User.
4.4 The End User will not do or permit the doing of anything within its control which will prejudice in any way whatsoever the name of Royal Mail or the rights of Royal Mail in the Suppression Data and will give immediate notice to Royal Mail upon the End User becoming aware of anything which may prejudice the name of Royal Mail or the rights of Royal Mail in the Suppression Data.
4.5 The End User undertakes to Royal Mail that it will give immediate notice to Royal Mail upon its becoming aware of any unauthorised use of the Suppression Data or any other of the Intellectual Property Rights of Royal Mail.
4.6 Royal Mail may bring any action for any such unauthorised use on behalf of itself and at its cost and the End User shall cooperate fully in any such action. The End User is not granted any separate right of action relating to Royal Mail’s Intellectual Property Rights in respect of any such unauthorised use and disclaims any such separate right that it may have as far as such a disclaimer is permitted by Law.
4.7 Upon termination of this EULA, the licence in Clause 2 shall continue in respect of Suppression Data that has been supplied to the End User through its use of the Product and incorporated into the Customer Database as at the date of termination provided that the End User continues to use such Suppression Data for the Permitted Purpose and in accordance with the limits on use of Suppression Data contained in this EULA which shall continue to operate in respect of such Suppression Data after the termination of this EULA.
4.8 The provisions of this Clause will continue to operate after the termination of this EULA.
5. Data Protection
5.1 For the purposes of this clause 5 data “controller”, data “processor”, “data subject”, “personal data” and “processing” (and “process” and “processes” shall be construed accordingly) shall have the meanings ascribed to them in the Data Protection Legislation.
5.2 The Parties’ attention is drawn to the Data Protection Legislation The Parties’ acknowledge and agree that it is the factual arrangement between them which dictates the role and status of each party under Data Protection Legislation in respect of processing any personal data under this EULA. Notwithstanding the foregoing, the parties anticipate that they shall, subject to the terms of this EULA, each separately determine the purposes for which and the manner in which any personal data is required to process in connection with this EULA, and therefore, for the proposes of the this EULA are each a data controller in respect of such personal data.
5.3
5.4 The End User acknowledges that the terms of this EULA are structured in order to comply with the Data Protection Legislation. The End User undertakes that it will use the Suppression Data only in accordance with the Permitted Purpose and will not do or omit to do any act which would place it or Royal Mail in breach of the Data Protection Legislation.
5.5 Each Party undertakes to the other that it will duly observe all its obligations under the Data Protection Legislation which arise in connection with the performance of this EULA.
5.5.1
5.6 The End User agrees to comply with the Data Protection Legislation as it applies to its use of Suppression Data (including compliance with any data protection notices and opt out and/or opt in wording on the Redirections Form as amended from time to time by Royal Mail) 5.7 The End User must not disclose, pass or sell all or part of the Suppression Data outside the EEA without the prior written consent of Royal Mail.
6. Assignment
The End User must not assign, sub-contract or otherwise deal with this EULA, or any part of it.
7. Termination
7.1 If the Reseller Agreement expires or is terminated for any reason, this EULA will automatically be terminated.
7.2 Royal Mail may terminate this EULA at any time if the End User fails to comply with any of its terms.
7.3 Royal Mail may terminate this EULA immediately if the End User brings Royal Mail into disrepute.
7.4 Royal Mail may terminate this EULA immediately if (i) the End User becomes unable to pay its debts (within the meaning of section 123(1)(e) or (2) of the Insolvency Act 1986), admits its inability to pay its debts or becomes insolvent; or (ii) a petition is presented, an order made or a resolution passed for the liquidation (otherwise than for the purposes of a solvent amalgamation or reconstruction), administration, bankruptcy or dissolution of the End User; or (iii) an administrative or other receiver, manager, trustee, liquidator, administrator or similar person or officer is appointed to the End User and/or over all or any part of the assets of the End User; or (iv) the End User enters into or proposes any composition or arrangement concerning its debts with its creditors (or any class of its creditors) generally; or (v) anything equivalent to any of the events or circumstances stated in (i) to (iv) inclusive occurs in any applicable jurisdiction.
7.5 The termination of this EULA will not affect liability for preceding breaches.
8. Confidentiality
8.1 The End User agrees that it shall, in relation to any Confidential Information:
8.1.1 keep it confidential and not disclose it to any other person other than to its professional advisers, employees, agents and sub-contractors on a need to know basis;
8.1.2 not copy or reproduce any part of the Confidential Information except as permitted under this EULA without the prior written approval of the other Party;
8.1.3 apply to the Confidential Information no lesser security measures and degree of care than those which it takes in protecting its own confidential information and in any event no less than that which a reasonable person or business would take in protecting its own confidential information; and
8.1.4 use the Confidential Information only for the purposes of this EULA.
8.2 The End User shall take all reasonable measures to ensure that its professional advisers, employees, agents and sub
contractors comply with the terms of this Clause 8.
8.3 The obligations contained in this Clause 8 shall not apply to any Confidential Information which:
8.3.1 was, is or has become lawfully available to the public otherwise than through breach of this EULA;
8.3.2 was disclosed to either Party by a third party legally in possession of the Confidential Information and who was not restricted from disclosing it; and
8.3.3 was independently created by or already in the possession of either Party.
8.4 The Parties agree that Clause 8.3.1 shall not apply to any Suppression Data.
8.5 Either Party who is required by a court of law or other competent jurisdiction or any other regulatory authority to disclose any Confidential Information in order to comply with any such law or order of any such Court or regulatory authority may do so, but that Party must, where reasonably practicable, give the other Party not less than seven (7) days’ notice of such disclosure.
9. General
9.1 This EULA records the entire agreement between the Parties and supersedes all earlier agreements and representations by the Parties on the subject matter of the EULA. This Clause does not exclude liability for any fraudulent misrepresentation by either Party.
9.2 The rights, powers and remedies provided in this EULA are (except as expressly provided) cumulative and not exclusive of any rights, powers and remedies provided by Law, or otherwise.
9.3 Nothing in this EULA shall (except as expressly provided) be deemed to constitute a partnership, or create a relationship of principal and agent for any purpose between the Parties.
9.4 The failure to exercise, or delay in exercising, a right, power or remedy provided by this EULA or by Law shall not constitute a waiver of that right, power or remedy. If a Party waives a breach of any provision of this EULA this shall not operate as a waiver of a subsequent breach of that provision, or as a waiver of a breach of any other provision.
9.5 This EULA is subject to English Law. The Parties agree to submit to the exclusive jurisdiction of the English courts.
9.6 In the event that the Product Reseller and the End User enter into a separate licence relating to the access and use of the Product, the terms of this EULA may not be varied or superseded by, and will prevail over, any such licence.
