Auto Trader Connect - Vehicle Check Additional Terms and Conditions

Terms and Conditions

Auto Trader Connect: Vehicle Check Additional Terms and Conditions (Integrators)

Last updated: 10 December 2021

Application

Auto Trader Connect: Vehicle Check is a product which allows automotive retailers to run vehicle history checks for vehicles they are looking to buy or take in part-exchange.

These additional terms and conditions apply to integrator customers of Auto Trader who have entered into an Auto Trader API licence agreement with Auto Trader and who subsequently integrate with Auto Trader’s systems to facilitate access to Auto Trader Connect: Vehicle Check data by automotive retailer customers of Auto Trader through the integrator’s own dealer/stock management system software. The use of such Auto Trader Connect: Vehicle Check data is restricted solely to the use by such automotive retailer customers under the terms of their agreement with Auto Trader, and the integrator customer shall not be permitted to use or access such Auto Trader Connect: Vehicle Check data for any other purpose.

These additional terms and conditions do not apply to automotive retailer customers who have entered into an Auto Trader API licence agreement with Auto Trader and who subsequently integrate with Auto Trader’s systems to directly access to Auto Trader Connect: Vehicle Check data themselves. Such automotive retailer customers shall instead be bound by the terms and conditions for Auto Trader’s ‘Vehicle Check’ retailer product.

Additional Terms and Conditions

To the extent that you are receiving products/services via API pursuant to an Auto Trader API licence agreement with Auto Trader which include the Auto Trader Connect: Vehicle Check data, you agree to comply with these additional terms and conditions.

These additional terms and conditions shall apply to the use of any data contained within the Vehicle Provenance data which has been supplied by the Driver and Vehicle Licensing Agency (“DVLA”), and such data is defined below as the “Data”. The DVLA has stipulated that the following terms and conditions shall apply to all access to and use of the Data and any third party who receives the Data must agree to these terms and conditions. These terms and conditions have been imposed by the DVLA and Auto Trader does not have any authority or ability to agree any amendments.

For the purposes of the below, the following terms and conditions shall apply to you as though you are “the Client”, unless expressly stated otherwise.

Whilst these terms and conditions form part of the binding legal agreement between Auto Trader and you, each of Experian Limited and the DVLA is entitled to enforce the terms of these Conditions in accordance with the Contracts (Rights of Third Parties) Act 1999.

Definition	Meaning
Caching	Means the process of storing Data in a temporary storage area (a “Cache”) for further use within a defined period of time. A Cache is a hardware or software component that stores Data so that future requests for that Data can be served faster
Conviction	Other than for minor road traffic offences, any previous or pending prosecutions, convictions, cautions and binding-over orders (including any spent convictions as contemplated by section 1(1) of the Rehabilitation of Offenders Act 1974 (as amended) by virtue of the exemptions specified in Part II of Schedule 1 of the Rehabilitation of Offenders Act 1974 (Exemptions) Order 1975 (SI 1975/1023) (as amended) or any replacement or amendment to that Order, or being placed on a list kept pursuant to the safeguarding of Vulnerable Groups Act 2006 (as amended);
Data	DVLA data that is provided or to be provided to the Client;
Data Governance Assessment	A form used by the DVLA to assess data governance measures in place as a measure against the contract.
Data Subject	The meaning given to that term in Data Protection Legislation, means an identified or identifiable natural person, directly or indirectly through Personal Data;
Default	Any breach of the obligations of the relevant party (including but not limited to fundamental breach or breach of a fundamental term) or any other default, act, omission, negligence or negligent statement of the relevant party or the Staff in connection with or in relation to the subject matter of the Agreement and in respect of which such party is liable to the other;
Equipment	The Client’s equipment, plant, materials and such other items used by the Client in the performance of its obligations under the Agreement, or otherwise used to access or store Data.
Fraud	Any offence under Applicable Law creating offences in respect of fraudulent acts or at common law in respect of fraudulent acts in relation to the Agreement or defrauding or attempting to defraud or conspiring to defraud the Crown;
Industry Best Practice	At any time the exercise of that degree of skill, care, diligence, prudence, efficiency, foresight, standards, practices, methods, procedures and timeliness which would be expected at such time from a leading and expert company within the industry, such company seeking to comply with its contractual obligations in full and complying with all Applicable Laws;
Intermediary	An organisation who receives the Data from the Client and uses it to provide products and services to other organisations (to be referred to as “Third Party Customers”) that demonstrate Reasonable Cause;
Malicious Software	Any software program or code intended to destroy, interfere with, corrupt, or cause undesired effects on program files, Data or other information, executable code or application software macros, whether or not its operation is immediate or delayed, and whether the malicious software is introduced wilfully, negligently or without knowledge of its existence;
Personal Data Breach	Any event that results, or may result in a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
Premises	The location where the Data is to be supplied to the Client, or accessed, stored or destroyed by the Client;
Reasonable Cause	Products or services that have one or more of the following benefits: Improving vehicle and road safety Reducing vehicle crime Consumer Protection Environmental impact (greener transport).
Relevant Conviction	A Conviction which the Client, acting reasonably and in accordance with Industry Best Practice, deems to preclude a person from being involved in any way with use of the Data
Removable Media	All physical items and devices that can carry and transfer electronic information. Examples include but are not limited to DVDs, CD-ROMs, floppy disks, portable hard disk drives, USB memory sticks, flash drives, portable music and video players including mobile phones, hand held devices such as smartphones and personal digital assistants;
Requestor	A person who is making an enquiry for Data about a particular vehicle, using products or services provided by the Customer or an Intermediary or a Third Party Customer;
Staff	All persons employed by a party to perform its obligations under the Agreement together with the party’s servants, agents, suppliers and subcontractors used in the performance of its obligations under the Agreement;
Third Party Customer	Any organisation that: is not an Intermediary; and receives Data from the Customer or an Intermediary providing Reasonable Cause can be demonstrated;

APPENDIX 1: MINIMUM DATA SECURITY REQUIREMENTS

Data Security Requirements
1. The Client shall abide by the minimum security requirements, which are as follows:
  1. Data, including back-up data, must be retained in secure premises and locked away;
  2. The Data supplied may only be copied for back-up and for the purposes of Processing the Data. Copies must be erased immediately thereafter and they must not be otherwise duplicated;
  3. The Client will retain the Data only for as long as necessary with reference to the Reasonable Cause for which it was shared in accordance with the Data Protection Legislation;
  4. The Client, in accordance to Data Protection Legislation, should dispose of the Data where there is no business need to retain it;
  5. Data, including back-up Data, must be protected from unauthorised access, release or loss;
  6. A user ID and a robust password must be required to enter all databases on which the Data is stored;
  7. A unique user ID and password must be attributable to an individual and must be allocated to each person with access to the Data or the Bulk Data Service;
  8. User IDs and passwords must not be shared between the Client’s Staff;
  9. Access to the Data must be minimised so that only where necessary are individuals given the following levels of access:
    - ability to view material from single identifiable records
    - ability to view material from many identifiable records
    - functional access, including: searching, amendment, deletion, printing, downloading or transferring information;
  10. The Data must not then be copied onto or stored on Removable Media. Laptops may be used but only if the devise has full disk encryption installed in line with Industry Best Practice and the devices are securely protected when not in use;
  11. Data must be used only for the Reasonable Cause for which it was obtained;
  12. Paper records must be destroyed by incineration, pulping or shredding finely so that reconstruction is unlikely;
  13. Electronic Data must be securely destroyed or deleted in accordance with current guidance from the Information Commissioner’s Office as soon as it is no longer needed;
  14. All premises and buildings in which the Data is stored must be secure;
  15. The Client must be registered with the Information Commissioner and the permission must cover all activities actually carried out;
  16. Information must not be passed to third parties except with the prior written approval of the DVLA; and
  17. transfer of the Data to third parties (where approval has been granted by DVLA) must be in accordance with the principles of Data Protection Legislation. Any other conditions required by the DVLA in giving permission for disclosure to third parties must be satisfied.
  18. Caching of Data by the Client must be in accordance with Appendix 2 of these terms.
Inspection, Internal Compliance and Audit
1. The Data Governance Assessment form shall be completed upon DVLA request and shall confirm whether or not the following requirements have been complied with:
  1. all of the Data Security requirements in paragraph 1 above;
  2. the requirements set out in APPENDIX 2 and APPENDIX 3.
Minimum Requirements for the Client’s Staff Vetting and Disciplinary Procedures
1. The minimum requirements for the Client’s Staff vetting procedures are as follows:
  1. The Client shall confirm the identity of its entire new Staff.
  2. The Client shall confirm the references of its entire Staff.
  3. The Client shall require all persons who are to have access to the Bulk Data Service or to the Data to complete and sign a written declaration of any unspent criminal Convictions.
  4. The Client shall not allow any person with unspent criminal convictions to have access to the Data, except with the prior written permission of the DVLA.
  5. The Client shall ensure that no person who discloses that he or she has a Relevant Conviction, or who is found by the Client to have any Relevant Conviction is allowed access to the Data.
  6. The Client shall either (i) require that all persons who are to have access to the Data shall complete and sign an agreement to use the Data only for the Reasonable Causes set out in this Agreement and in accordance with the Customer’s procedures or where not feasible, (ii) upon the request of Auto Trader and/or Experian, provide a written undertaking confirming that the Customer has put in place sufficient procedures to ensure that all persons wo are to have access to the data will use the Data only for the Reasonable Causes set out in the Agreement and in accordance with the Customer’s procedures.
  7. The Client shall ensure that each person who has access to the Data shall act with all due skill, care and diligence and shall possess such qualifications, skills and experience as are necessary for the proper use of the Data.
  8. The Client shall ensure that each person who has access to the Data is appropriately trained in and aware of his or her duties and responsibilities under the Data Protection Legislation and this Agreement.
  9. The Client shall create and maintain a unique user account ID for each person who has access to the Data.
  10. The Client shall maintain a procedure for authorising the creation of user accounts and for the prompt deletion of accounts that are no longer required. The Client must ensure that the person or persons carrying out this work are appropriately trained and that their duties are separate from that of a normal user account. A normal user must not be able to manage their own account.
  11. The Client’s disciplinary policy shall state that misuse of the Bulk Data Service or the Data by any person shall constitute gross misconduct and may result in summary dismissal of that person. The Client shall notify such misuse to the DVLA and the person involved shall be refused all future access to DVLA Data.
  12. System administrators must receive appropriate training.
  13. The system administration role must be separated from any other role to ensure a separation of duties.
  The Client shall, upon Auto Trader’s and/or Experian’s written request, provide written confirmation that these procedures are followed, along with any reasonable supporting evidence that Auto Trader and/or Experian may require.

APPENDIX 2: REQUIREMENTS IN RELATION TO INTERMEDIARIES, THIRD PARTY CLIENTS AND REQUESTORS

Contractual Obligations of all Third Party Customers
1. If the Client is an Intermediary (which shall be determined by Auto Trader at its sole discretion), the provisions of this paragraph 1 form part of the Agreement. The Client shall also include the provisions in this Appendix 2 in its contracts with Third Party Customers, where they have been permitted by Auto Trader, with references to Auto Trader in that contract being replaced with references to the Client and references to the Client being replaced with references to the Third Party Customer. Notwithstanding the foregoing, regardless of whether or not the Client is an Intermediary, it shall comply with the terms of this paragraph 1 on its own behalf.
  1. Purpose For Which Data Is Provided
    1. The Client will provide Auto Trader and Experian with a statement detailing the type of business it conducts and a description of products or services it offers to its customers that involve the use of DVLA Data.
    2. Auto Trader and Experian will only consider requests for services that involve the provision of DVLA Data from organisations that can demonstrate a Reasonable Cause for access to the Data. Organisations that cannot prove a Reasonable Cause will not be considered further.
    3. The Client will notify Auto Trader and Experian of any changes to their business need for access to the service.
    4. The requirements for transfer of the Data outside the UK set out below apply, including to the Client’s backup or disaster recovery sites.
    5. The Client will not sell or permit the Data to be sold to any third party.
  2. The Client’s Key Staff
    1. The Client shall complete the list at ANNEX A (CLIENT’S KEY STAFF) of the individuals (or those individuals carrying out equivalent roles) who have direct responsibilities for the use of the Data and for the Client’s other obligations under this Agreement, giving their names and business addresses and other contact details and specifying the capacities in which they are concerned with the Data.
    2. As a minimum, the list shall include details of the Client’s registered office, as recorded by Companies’ House and:
      1. the manager who shall be responsible for the Client’s general Contractual matters and shall receive notices sent to the Client under this Agreement, and who shall be referred to in this Agreement as the Commercial Manager (or equivalent role); and
      2. the manager who is responsible for the management of the Data once in the hands of the Client, to be referred to in this Agreement as the Data Manager (or equivalent role).
    3. The Client shall inform Auto Trader and Experian immediately of any changes in personnel listed in ANNEX A (CLIENT’S KEY STAFF) or their business contact details.
  3. Prevention of Corruption
    1. The Client shall not offer or give, or agree to give, to the DVLA, Experian, Auto Trader or any other public body or person employed by or on behalf of the DVLA, Experian, Auto Trader or any other public body any gift or consideration of any kind as an inducement or reward for doing, refraining from doing, or for having done or refrained from doing, any act in relation to the obtaining or execution of the Agreement or any other contract with the DVLA, Experian, Auto Trader or any other public body, or for showing or refraining from showing favour or disfavour to any person in relation to the Agreement or any such contract.
    2. If the Client, its Staff or anyone acting on the Client’s behalf, engages in conduct prohibited by paragraph 1.1.3.1 or the Bribery Act 2010 (amended), Auto Trader and/or Experian may:
      1. terminate and recover from the Client the amount of any loss suffered by Auto Trader and/or Experian resulting from the termination; or
      2. recover in full from the Client any other loss sustained by Auto Trader and/or Experian in consequence of any breach of that paragraph.
  4. Prevention of Fraud
    1. The Client shall take all reasonable steps, in accordance with Industry Best Practice, to prevent Fraud by the Client’s Staff and the Client (including its shareholder, members, and directors) in connection with the receipt of the Services.
    2. The Client shall notify Auto Trader and Experian immediately, within a maximum of 24 hours of becoming aware, if it has reason to suspect that any Fraud has occurred or is occurring or is likely to occur.
    3. If the Client or its Staff commits Fraud in relation to this Agreement or any other contract, Auto Trader and/or Experian may:
      1. terminate the Agreement and recover from the Client the amount of any loss suffered by Auto Trader and/or Experian resulting from the termination; or
      2. recover in full from the Client any other loss sustained by Auto Trader and/or Experian in consequence of any breach of this paragraph.
  5. Discrimination
    1. The Client must not unlawfully discriminate either directly or indirectly or by way of victimisation or harassment against a person on such grounds as age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, colour, ethnic or national origin, sex or sexual orientation, and without prejudice to the generality of the foregoing the Client must not unlawfully discriminate within the meaning and scope of the Equality Acts 2006 and 2010 (as amended) the Human Rights Act 1998 (as amended) or other relevant or equivalent legislation, or any statutory modification or re-enactment thereof.
    2. The Client shall take all reasonable steps to secure the observance of paragraph 1.1.5.1 by all of its Staff.
  6. Health & Safety
    1. The Client shall promptly notify Auto Trader and Experian of any health and safety hazards which may arise in connection with the performance of its obligations under the Agreement, including but not limited to, on inspection by Experian.
    2. While on the Client’s premises, Auto Trader and Experian shall comply with any health and safety measures implemented by the Client in respect of its Staff and other persons working there.
    3. Auto Trader and/or Experian shall notify the Client immediately in the event of any incident occurring in the performance of its obligations under the Agreement on the Premises where that incident causes any personal injury or damage to property which could give rise to personal injury.
    4. The Client must comply with the requirements of the Health & Safety at Work etc. Act 1974 (as amended) and any other acts, orders, regulations and codes of practice relating to health and safety, which may apply to the Client’s Staff and other persons working on the Premises in the performance of its obligations under the Agreement.
  7. Publicity and Media
    1. The Client shall notify Auto Trader and Experian immediately if any circumstances arise which could result in publicity or media attention to the Client which could adversely reflect on the DVLA, Experian, Auto Trader or the Services.
    2. The Client shall not use the DVLA, Experian or Auto Trader logos, create or approve any publicity implying or stating that the DVLA, Experian and/or Auto Trader has a connection with any service provided by the Client without the prior written approval of the DVLA, Experian and/or Auto Trader. Prior written approval of the DVLA, Experian and/or Auto Trader shall be obtained for each individual piece of publicity.
  8. Transfer and Sub-contracting
    1. The Client shall not assign, sub-contract or in any other way dispose of the Agreement or any part of it without the prior written permission of Auto Trader and Experian.
    2. Sub-Contracting any part of the Agreement shall not relieve the Client of any of its obligations or duties under the Agreement. The Client shall be responsible for the acts and omissions of its sub-contractors as though they are its own. Where Auto Trader and Experian has given approval to the placing of sub-contracts, copies of each sub-contract shall, at the request of Auto Trader and Experian, be sent by the Client to Auto Trader and Experian as soon as reasonably practicable
  9. Insolvency
    1. The Client shall notify Auto Trader and Experian immediately in writing where the Customer undertakes, undergoes or performs an insolvency event. Insolvency events are any action or event described in the clause of the Terms and Conditions permitting termination for an insolvency event, being:in version 4.4 of the Terms & Conditions, clause 10.1.3.;
  10. Change of Control
    1. The Client shall seek the prior written agreement of Auto Trader and Experian to any change of control within the meaning of section 450 of the Corporation Taxes Act 2010 (as amended) (“Change of Control”). Where Auto Trader and Experian has not given their written agreement before the Change of Control, Auto Trader and Experian may terminate the Agreement by notice in writing with immediate effect within 26 weeks of:
      1. being notified that that change of control has occurred; or
      2. where no notification has been made, the date that Auto Trader and/or Experian becomes aware of that change of control.
  11. Consequences of Suspension and Termination
    1. After the Services have been suspended or the Agreement has been terminated or both, the Client shall continue to comply with its obligations under this Agreement and under Data Protection Legislation in relation to the Data which it holds, including as to the proper use of the Data, retention of the Data and secure destruction of the Data.
    2. After the Services have been suspended or the Agreement has been terminated or both, the Client will no longer have the right to use the Data already supplied by Auto Trader and/or Experian.
    3. During the suspension period, the Client is not permitted to process or transfer the Data received prior to suspension.
    4. Save as otherwise expressly provided in the Agreement:
      1. termination of the Agreement shall be without prejudice to any rights, remedies or obligations accrued under the Agreement prior to termination or expiration and nothing in the Agreement shall prejudice the right of either party to recover any amount outstanding at such termination or expiry; and
      2. termination of the Agreement shall not affect the continuing rights, remedies or obligations of Auto Trader, Experian or the Client under any provision of this Agreement which expressly or by implication is intended to come into or to continue in force on or after termination of this Agreement.
  12. Transfer of the Data outside the UK
    1. The Client shall not transfer Personal Data outside of the EU or UK unless the prior written approval of Auto Trader and Experian has been obtained and the following conditions are fulfilled:
      1. Auto Trader, Experian or the Client has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by Auto Trader and Experian;
      2. the Data Subject has enforceable rights and effective legal remedies;
      3. the Client complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist Auto Trader and Experian in meeting their obligations); and
      4. the Client complies with any reasonable instructions notified to it in advance by Auto Trader and Experian with respect to the processing of Personal Data.
    2. Where Auto Trader and Experian give the prior and express written approval referred to in paragraph 1.12.1, the Client shall disclose the Data only to the extent agreed and in accordance with any conditions attached to the giving of that approval.
Contractual Obligations of Intermediaries or Third Party Clients with Access to the Data
If the Client is an Intermediary (which shall be determined by Auto Trader and Experian at their sole discretion), the provisions of this paragraph 2 and paragraph 3, below, form part of the Agreement. The Client shall also include the provisions in this Appendix 2 in its contracts with Third Party Customers, where they have been permitted by Auto Trader, with references to Auto Trader in that contract being replaced with references to the Client and references to the Client being replaced with references to the Third Party Customer. Notwithstanding the foregoing, regardless of whether or not the Client is an Intermediary, it shall comply with the terms of this paragraph 2 and paragraph 3, below, on its own behalf.
1. Technical Requirements for Secure Transmission of the Data
  1. The Data shall be requested from Auto Trader by the Client under this Agreement. The Client warrants that it has ensured that the method of provision of the Data by Auto Trader is suitable and satisfactory to meet the Client’s needs.
  2. The Client shall ensure that it has sufficient technical knowledge and expertise to understand, implement and support the Services.
  3. The Client must ensure that Caching of Data is only possible where the Client is compliant with all requirements of this Agreement and only in the following circumstances:
    1. for a limited period of 24 hours to allow multiple hits against a single record as part of continuous enquiry (e.g. multiple insurance quotes from a website or call centre);
    2. The Cache is protected from unauthorised access by way of encryption in accordance with Industry Best Practice;
    3. The Customer must ensure that Intermediaries and Third Party Customers (where applicable and permitted) are made aware that they must not use Data to fulfil further enquiries or transactions on that Intermediary’s behalf or from Requestor’s or any other actual or potential customers of the Intermediary or Third Party Customer, not to fulfil multiple enquiries such as insurance or financial quotes after the 24 hour period permitted above has expired;
    4. The Client must make customers aware of the above and that storage of the Data for future use/to create an alternative database is not permitted. In addition, the Client should also note the requirements of Appendix 3 (Restrictions on Disclosure of Vehicle Identification Number (VIN))
2. Reviews and Meetings
  1. The Client shall upon receipt of reasonable notice and during normal office hours attend all meetings arranged by Auto Trader for the discussion of matters connected with the performance of the Agreement.
  2. Without prejudice to any other requirement in this Agreement, the Client shall provide such reports on the performance of the Agreement or any other information relating to the Client’s requests for and use of the Data as Auto Trader may reasonably require.
  3. Auto Trader reserves the right to review the Agreement with the Client at any time. Where required by Auto Trader, the parties shall meet in person or via video or telephone conference to review:
    1. the ongoing need for the Services as defined and any consequential variation to the terms of the Agreement;
    2. the Reasonable Causes for which the Data is provided;
    3. the performance of the Services;
    4. the security arrangements governing the Client’s safe receipt of the Data and the Client’s further use of the Data;
    5. the arrangements that the Client has in place relating to the retention and secure destruction of the Data;
    6. any audits that have been carried out that have relevance to the way that the Client is Processing the Data;
    7. any security incidents that have occurred with the Data;
    8. the continued registration of the Client’s company under the same registered number;
    9. the training and experience of the Client’s Staff in their duties and responsibilities under the Data Protection Legislation;
3. The Data Protection Legislation
  1. For the purpose of this paragraph 2.3, the terms “Data”, “Data Controller”, “Data Processor”, “Data Subject”, “Information Commissioner”, “Information Commissioner’s Office”, “Personal Data”, and “Processing” shall have the meanings prescribed under Data Protection Legislation.
  2. The parties agree that the Data constitutes Personal Data as they relate to a living individual who can be directly or indirectly identified from the Data.
  3. It is the duty of the Data Controller to comply with Data Protection Legislation. The Client, separately from Auto Trader, shall be the Data Controller of each item of Data received from Auto Trader from the point of receipt of that Data by the Client and shall be responsible for complying with data protection principles in relation to its further Processing of that Data.
  4. Auto Trader is satisfied that providing the Data to the Client for the Reasonable Causes is compliant with Data Protection Legislation.
  5. The Client shall ensure that the individual rights of the Data Subject are taken into account in responding to any Data Subject Access Request.
  6. The Client shall notify Auto Trader immediately if it received a request from any third party for disclosure of the Data where compliance with such request is required or purported to be required by Law.
  7. The parties agree to take into account of any guidance issued by the Information Commissioner’s Office. DVLA may on not less than 30 working days’ notice to the Client amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioners Office.
4. Data Security
  1. Both parties shall ensure the safe transportation/transmission of the Data in accordance with the appropriate technical and organisational measures.
  2. The Client shall ensure the Data is processed in accordance with Data Protection Legislation guidance and codes of practice.
  3. The Client shall comply with all the security requirements of Auto Trader, including as a minimum those set out in APPENDIX 1 (MINIMUM DATA SECURITY REQUIREMENTS) and any other requirements that Auto Trader shall make from time to time.
  4. The Client shall notify the DVLA immediately, within a maximum of 24 hours of becoming aware, of any failure to comply with the requirements set out in APPENDIX 1 (MINIMUM DATA SECURITY REQUIREMENTS) of this Agreement.
  5. The Client shall not transfer or in any way make Data available to third parties unconnected with the Reasonable Causes.
5. Malicious Software
  1. The Client shall, as an enduring obligation throughout the term of this Agreement, use the latest versions of anti-virus software available from an industry accepted anti-virus software vendor to check for and remove Malicious Software from the ICT environment.
  2. Notwithstanding paragraph 2.5.1, if Malicious Software is found, the parties shall co-operate to reduce the effect of the Malicious Software and, particularly if Malicious Software causes loss of operational efficiency or loss or corruption of Data, assist each other to mitigate any losses and to restore the Bulk Service to their desired operating efficiency.
  3. Cost arising out of the actions of the parties taken in compliance with the provisions of paragraph 2.5.2 shall be borne by the Parties as follows:
    1. by the Client where the Malicious Software originates from the Client’s software (or a sub-contractor of the Client) or the Client’s data;
    2. by Auto Trader if the Malicious Software originates from the Auto Trader’s software or the Data.
6. Retention of Data and Evidence
  1. In accordance with the Data Protection Legislation, the Client shall retain each item of Data only for as long as is necessary with reference to the Reasonable Cause for which it was shared.
  2. The Client shall arrange for the secure destruction or deletion of each item of Data, in accordance with the requirements of the Data Protection Legislation, as soon as it is no longer necessary to retain it.
  3. The Client shall retain for two years after Processing of the Data, to allow inspection by Auto Trader, the evidence that the Client relies on to show its compliance with the requirements of this Agreement. There is no need, for Auto Trader’s inspection purposes, for the Data to be retained as part of this requirement. The Data must be disposed of in accordance with the provision of paragraph 2.6.2 above.
7. The Client’s Vetting and Disciplinary Policies
  1. The Client shall maintain policies for vetting, hiring, training and disciplining the Client’s Staff and shall comply with these in respect of each person who has access to the Services. The minimum requirements for such vetting procedures are set out in APPENDIX 1 (MINIMUM DATA SECURITY REQUIREMENTS).
8. The Client’s Internal Compliance Checks
  1. The Client shall ensure that its business processes, records of customer interactions and transactions, audit procedures on business activities and financial reporting are appropriate and effective to ensure proper use of the Data in compliance with this Agreement and the requirements of the Data Protection Legislation The minimum requirements for such internal compliance are set out in APPENDIX 1 (MINIMUM DATA SECURITY REQUIREMENTS).
  2. The Client shall carry out its own internal compliance checks at least annually and shall, upon the request of Auto Trader, provide details of the outcome of such checks using the Data Governance Assessment form provided by Auto Trader.
9. Audits and Reviews
  1. The Client shall share with Auto Trader the outcome of any other checks, audits or reviews that have been carried out on its activities as a Data Controller that are relevant to the Processing of the Data.
  2. The Client shall notify Auto Trader immediately, within a maximum of 24 hours of becoming aware, of any audits that are being carried out by the Information Commissioner’s Office under Data Protection Legislation that are relevant to the Processing of the Data.
10. Incidents
  1. The Client shall notify Auto Trader immediately, within a maximum of 24 hours of becoming aware, of any losses, compromise or misuse of the Data or any Personal Data Breach and keep Auto Trader informed of any communications about the incident with; the individuals whose Personal Data is affected; the Information Commissioner’s Office; or the media.
  2. The Client understands that as the Data Controller it shall be responsible for taking any action necessary to resolve any such incident.
11. Inspection by Auto Trader
  1. Auto Trader or an agent acting on its behalf reserves the right to carry out an inspection at any time of the Client’s compliance with the terms of this Agreement. Where possible, Auto Trader shall give the Client 7 days’ written notice of any such inspection.
  2. The Client agrees to co-operate fully with any such inspection and to allow Auto Trader or an agent acting on its behalf access to its Premises, Equipment, evidence and the Client’s Staff for the purposes of the inspection.
  3. The Client will respond as required to the findings and recommendations of any Auto Trader inspection and will provide updates as required on the implementation of any required actions.
  4. Auto Trader may, by written notice to the Client, forbid access to the Data, or withdraw permission for continued access to the Data, to:
    1. any member of the Client’s Staff; or
    2. any person employed or engaged by any member of the Client’s Staff; whose access to or use of the Data would, in the reasonable opinion of Auto Trader, be undesirable.
  5. The decision of Auto Trader as to whether any person is to be forbidden from accessing the Data and as to whether the Client has failed to comply with this clause shall be final and conclusive.
  6. Auto Trader will be entitled to be reimbursed by the Client for all Auto Trader’s reasonable costs incurred in the course of the inspection.
12. Action on Complaint
  1. Where a complaint is received about the Client or the manner in which its services have been supplied or work has been performed or procedures used or about any other matter connected with the performance of the Client’s obligations under the Agreement or the use of Data, Auto Trader may notify the Client, and where considered appropriate by Auto Trader, investigate the complaint. Auto Trader may, in its sole discretion, acting reasonably, uphold the complaint and take further action in accordance with the Terms and Conditions of this Agreement.
Contractual Rights and Powers
1. Inspection by the DVLA
  1. The DVLA or an agent acting on its behalf reserves the right to carry out an inspection at any time of the Client’s compliance with the terms of this Contract. Where possible, the DVLA shall give the Client 7 Days’ written notice of any such inspection.
  2. The Client agrees to co-operate fully with any such inspection and to allow the DVLA or an agent acting on its behalf access to its Premises, Equipment, evidence and the Client’s Staff for the purposes of the inspection.
  3. The Client will respond as required to the findings and recommendations of any DVLA inspection and will provide updates as required on the implementation of any required actions.
  4. The DVLA may, by written notice to the Client, forbid access to the Data, or withdraw permission for continued access to the Data, to: a) any member of the Client’s Staff; or b) any person employed or engaged by any member of the Client’s Staff; whose access to or use of the Data would, in the reasonable opinion of the DVLA, be undesirable.
  5. The decision of the DVLA as to whether any person is to be forbidden from accessing the Data and as to whether the Client has failed to comply with this clause shall be final and conclusive.
  6. The DVLA will be entitled to be reimbursed by the Client for all DVLA’s reasonable costs incurred in the course of the inspection.
2. Action on Complaint
  1. Where a complaint is received about the Client or the manner in which its services have been supplied or work has been performed or procedures used or about any other matter connected with the performance of the Client’s obligations under the Contract or the use of Data, the DVLA may notify the Client, and where considered appropriate by the DVLA, investigate the complaint. The DVLA may, in its sole discretion, acting reasonably;
    1. uphold the complaint and take further action at their discretion.
    2. instruct Auto Trader to terminate the contract, in accordance with the Terms and Conditions of this Agreement.
3. Termination
  1. Without prejudice to any termination rights Auto Trader may have under the Main Advertising Terms and Conditions or the Business Rules above, Auto Trader may terminate the Agreement with immediate effect by written notice to the Client if the Client commits any three or more Defaults, whether simultaneously or singly at any time during the operation of the Agreement, irrespective of whether any or all of such breaches is minimal or trivial in nature;
4. Other Termination Rights
  1. Auto Trader may terminate the Contract by written notice with immediate effect if in the reasonable view of Auto Trader, during any period of suspension of the Services the Client:
    1. fails to co-operate with any investigation, audit or review:
    2. fails to provide any assurances or take any actions within the reasonable period set by Auto Trader under the Terms and Conditions of this Agreement; or
    3. fails to provide assurances that satisfy Auto Trader (acting reasonably) that the Client has complied and shall continue to comply with the requirements of this Agreement and of Data Protection Legislation.
  2. Auto Trader may terminate the Agreement by written notice with immediate effect if the Client fails to pay Auto Trader any undisputed sums of money.
  3. Auto Trader may terminate the Agreement by written notice with immediate effect if the Client is found to be in breach of any aspect of Applicable Law that could, in the reasonable opinion of Auto Trader, bring Auto Trader and/or Experian into disrepute.
  4. Auto Trader may terminate the Agreement by written notice with immediate effect if the Client is an individual and he has died or is adjudged incapable of managing his affairs within the Mental Capacity Act 2005 (as amended).
5. Suspension of the Services
  1. If it comes to the attention of Auto Trader that the Client has committed any Default (including material breaches and all other Defaults), Auto Trader may suspend the Services without further notice and with immediate effect and investigate the nature and effect of the breach.
  2. Auto Trader may from time to time issue guidance on its principles on suspending the Services and terminating contracts to supply Data using the Services. The guidance may include guidance concerning: types of Defaults which Auto Trader may consider to be material breaches; guidance as to specific types of breach that Auto Trader will consider to be remediable; how such breaches may be remedied; how long suspension may last; and guidance as to which types of breach Auto Trader may consider to be irremediable.
6. Effect of Suspension
  1. If Auto Trader suspends the Services at any time, the Client shall co-operate with any further investigation, audit or review that Auto Trader requires to be carried out in relation to the Data provided to the Client.
  2. Auto Trader may refuse to resume the Services until the Client provides assurances that the matter resulting in the suspension has been resolved to the satisfaction of Auto Trader, and takes specified actions within a reasonable period set by Auto Trader.
  3. Auto Trader may require that an inspection is carried out after the Services are resumed, to check the Client’s compliance with the Agreement and Data Protection Legislation.
  4. During any suspension period, Auto Trader shall not provide Data to the Client.
  5. The Client shall reimburse Auto Trader for all Auto Trader’s cost and expenses incurred in relation to the Auto Trader’s right under this paragraph to carry out an inspection, investigation, audit or review of the Client.
7. Insolvency
  1. Where Auto Trader is notified in writing of any of the circumstances listed in paragraph entitled “Insolvency”, Auto Trader may suspend the Services without further notice and with immediate effect and investigate further whether any of the Client’s directors or any liquidator, receiver, administrative receiver, administrator, or other officer is capable of ensuring that the provisions of this Agreement and of Data Protection Legislation are complied with. If Auto Trader is not satisfied that any such person shall ensure such compliance, Auto Trader may terminate the Agreement by written notice with immediate effect.
Ensuring Compliance Intermediaries and Third Party Clients
1. In order to ensure the compliance of its Intermediaries or Third Party Customers (where such are applicable and permitted by Auto Trader) with the obligations in APPENDIX 2, the Client shall:
  1. at all times maintain a written contract with the Third Party Customer that includes all the obligations and rights required to be included under this Agreement;
  2. audit every Intermediary or Third Party Customer at least once in the first calendar year during which the Client discloses Data to each Intermediary or Third Party Customer, and annually thereafter, and make evidence of such audits available to Auto Trader at its request;
  3. notify Auto Trader immediately of any Defaults that the Client considers to have been committed by the Intermediary or Third Party Customer, whether discovered on audit by the Client or at any other time; and
  4. take any additional action the Client considers reasonable to ensure that the Intermediary or Third Party Customer shall comply with all of its obligations.
Conditions on the Use of Vehicle Registration Number (VRN) as Search Criteria
1. Disclosure of the Data (or any extract from it) relating a specific vehicle upon entry of a VRN by a Requestor, an Intermediary or a Third Party Customer are only permitted in the following cases:
  1. The VRN relates to a vehicle where the Requestor is either owner or registered keeper of that vehicle; or
  2. The VRN relates to a vehicle that is being or intended to be marketed or offered for sale; or
  3. The Requestor has a genuine and legitimate interest in determining the provenance, status or technical specification of that vehicle; or
  4. Where confirmation of the vehicle identity is a pre-requisite for the Data being accessed by the Requestor.
  5. The VRN relates to a vehicle that the Requestor, Intermediary or Third Party Customer has involvement in providing services to. This may include where the Requestor, Intermediary or Third Party Client:
    - Has sold, repaired, modified, or serviced that vehicle;
    - Is providing an insurance quotation or vehicle finance for that vehicle;
    - Is involved in reducing crime for that vehicle.
Restrictions on Free Disclosure of The Data
1. In order to restrict excessive amounts of Data from being disclosed to Third Party Customers, Intermediaries or Requestors, the Client is only permitted to disclose the following Data fields free of charge and free of any conditions:
  - Make
  - Model
  - Colour
  - Date of First Registration
  - Body Type
  - Fuel Type
  - Engine Capacity
  - CO2
  - BHP (obtained from SMMT)
  - Year of Manufacture
  - Export Marker
  - Vehicle Type Approval
  - Wheelplan
  - Vehicle/Revenue Weight
  - Tax Data
  - MOT Data
  - Gearbox (obtained from SMMT)

APPENDIX 3: RESTRICTIONS ON DISCLOSURE OF VEHICLE IDENTIFICATION NUMBER (VIN)

Introduction
1. It is necessary to have key identifying criteria and references (such as a serial number) for most assets. The main identifiers for a motor vehicle are the VRN (Vehicle Registration Number) and the VIN (Vehicle Identification Number). As the VRN is only applicable once the vehicle is registered and can be transferred to another vehicle, the most reliable identifier has become the VIN.
2. Within the automotive sector, correctly identifying a vehicle is vital in order to ensure the correct details are recorded and disclosed during the life of that vehicle. This applies in particular when specific events occur such as registration, secured finance, resale, repair, cherished plate transfer process, future finance applications and insurance application/renewal.
3. To address this market need, the Client can release the full VIN in certain circumstances, to agreed trade sectors, in accordance with Reasonable Cause, and subject to specified conditions.
4. The table in section 2 below sets out the specified conditions for disclosure of the full VIN. The full VIN must only be released where absolutely essential and where this is not necessary VIN confirmation or partial VIN release should be the preferred solution.
5. Section 4 below sets out conditions on disclosure of the partial VIN.

Market Sectors Where Disclosure of Full VIN is Permitted

Market Sector	Purpose for Release of VIN	Permitted Disclosure
Motor Dealers Franchised	To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To confirm a correct VIN to be compared to the VIN displayed on the vehicle.	Displayed on the vehicle search report / certificate. Recorded on the vehicle inventory, stock report, ledgers and customer database / service record. Information disclosed to vehicle purchaser / owner, dealership staff, sub-contractors and auditors.
Motor Dealers Non-Franchised	To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To confirm a correct VIN to be compared to the VIN displayed on the vehicle	Displayed on the vehicle search report / certificate. Recorded on the vehicle inventory, stock report, ledgers and customer database / service record. Information disclosed to vehicle purchaser / owner, dealership staff, sub-contractors and auditors.
Auction Houses	To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To confirm a correct VIN to be compared to the VIN displayed on the vehicle.	Displayed on the vehicle search report / sale lot. Recorded on the sales systems, vehicle inventory, stock report and ledgers. Information disclosed to vehicle vendor / purchaser, auction staff, sub-contractors and auditors.
Original Equipment Manufacturers	To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To use the VIN as an identifier if vehicle is not yet registered.	Displayed on the vehicle search report / certificate. Recorded on the vehicle inventory, stock report, ledgers and customer database / service record. Information disclosed to franchise holders, vehicle owner / purchaser, OEM staff, sub-contractors and auditors.
Finance Companies	To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To use the VIN as an identifier if vehicle is not yet registered.	Recorded on the vehicle asset / inventory files, Contract reports, ledgers and customer database / record. Information disclosed to vehicle operator / owner / purchaser, finance company staff, sub-contractors and auditors.
Insurance Companies	To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. Used to help identify and link to replacement parts and accessories.	Recorded on the vehicle policy / claims files, contract reports, ledgers and customer database / record. Information disclosed to vehicle operator / owner / policyholder, insurance company staff, sub-contractors and auditors.
Fleet and Leasing Companies	To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To use the VIN as an identifier if vehicle is not yet registered.	Recorded on the vehicle asset / inventory files, Contract reports, ledgers and customer database / service record. Information disclosed to vehicle operator / owner / purchaser, fleet & leasing company staff, sub-contractors and auditors.
Aftermarket Service Providers	To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. Used to help identify and link to replacement parts and accessories.	Recorded on the vehicle order record, ledgers and customer database / service record. Information disclosed to vehicle repairer / operator / owner / purchaser, aftermarket company staff, sub-contractors and auditors.
Automotive Systems and Integration Companies (e.g. Vendors of Dealer Management Systems)	To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle.	Displayed on the vehicle search report / certificate. Recorded within the application modules to handle vehicle inventory, stock report, ledgers and customer database / service record. Information disclosed to vehicle repairer / systems operator, vehicle owner / purchaser, systems integrator company staff, sub-contractors and auditors.
Law Enforcement Agencies	To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To confirm a correct VIN to be compared to the VIN displayed on the vehicle. To use the VIN as an identifier if vehicle is not yet registered.	Displayed on the vehicle search report / certificate. Recorded on the case files, reports and legislative documentation. Information disclosed to authorised individuals and bodies involved in and processing the case / enquiry.
Salvage Companies	To assist in confirming the identity of the vehicle by validating that the VRN searched relates to the correct vehicle. To confirm a correct VIN to be compared to the VIN displayed on the vehicle.	Displayed on the vehicle record / COD (Certificate Of Destruction). Recorded on the vehicle inventory, stock report, ledgers and customer database. Information disclosed to vehicle operator / owner, salvage company staff, sub-contractors and auditors.

Market Sectors Where Disclosure of Full VIN is not Permitted
1. Disclosure of the full VIN is not permitted to the following market sectors:
  1. Consumers
  2. Marketing Companies (other than those working on behalf of approved trade sector clients in respect of their core activities under permitted uses)
  3. Companues, Partnerships and Sole Traders who do not meet the criteria set out in the table in section 2 above.
2. Where there is a requirement to disclose the full VIN to new market sectors or for new purposes other than those set out in the table above in section 2 of these terms, the Customer must detail this in writing and obtain formal written approval from DVLA (via Auto Trader). The Customer shall not disclose the full VIN to any additional market sectors or for any new purposes without a contract variation in accordance with these terms and formal written approval from DVLA.
Conditions on Disclosure of Partial VIN
1. The Society of Motor Manufacturers and Traders (SMMT) has informed DVLA that the release of the end characters of a VIN (so a partial VIN) may lead to the ability to uniquely identify a vehicle in a very limited range of circumstances.
2. Where there are fewer that 500 vehicles of a particular type registered in a year, only the last three characters are needed to uniquely identify a vehicle, assuming that the make and model of that vehicle is known.
3. Where Reasonable Cause cannot be demonstrated to allow a Requester. Intermediary or Third Party Customer to identify a unique vehicle (in accordance with these terms) and where there are fewer than 500 vehicles of a particular vehicle type registered in one year, the Customer must only disclose the final two characters of the VIN.

ANNEX A

CLIENT’S KEY STAFF WITH DIRECT RESPONSIBILITIES FOR THE DVLA DATA AND FOR THE OTHER OBLIGATIONS UNDER THE AGREEMENT

The contact details of the Client’s Key Staff with responsibility for the DVLA Data and the performance of the Agreement, are as follows:
1. The contact details of the Commercial Manager referred to in clause 1.2.2.a are:
  - Name:………………………………………….
  - Job Title:……………………………………….
  - Business Address (The Customer’s Registered Office, as recorded at Companies’ House): ………………………………………………….. ………………………………………………….. …………………………………………………..
  - Postcode:……………………………………….
  - Business telephone number:……………………………………….
  - Business mobile telephone number:……………………………….
  - Business Email address:…………………………………………….
2. The contact details of the Data Manager referred to in clause 1.2.2.b are:
  - Name:………………………………………….
  - Job Title:……………………………………….
  - Business Address:…………………………… ………………………………………………….. ………………………………………………….. …………………………………………………..
  - Postcode:……………………………………….
  - Business telephone number:……………………………………….
  - Business mobile telephone number:……………………………….
  - Business Email address:…………………………………………….
3. The contact details of any other Key Staff, who are responsible for the Data or for supervision of the Staff with access to the Data, should be provided below and on continuation sheets attached to this ANNEX A.
4. The contact details for the Data Protection Officer (DPO) where applicable:
  - Name:………………………………………….
  - Business Address:…………………………… ………………………………………………….. ………………………………………………….. …………………………………………………..
  - Postcode:……………………………………….
  - Business telephone number:……………………………………….
  - Business mobile telephone number:……………………………….
  - Business Email address:…………………………………