Three parts of the service, three distinct roles
Driver Codes operates three separate service areas. Our data protection role differs across each one — it is not a single label applied to the whole platform.
Consumer app
Drivers who use Driver Codes as a personal utility. This has no involvement from you as a business customer — Driver Codes is the sole controller for all processing in this context.
Driver check service
The capture of driver authority, retrieval of DVLA records via concierge or ADD, and maintenance of mandate records. Driver Codes acts as an independent controller — not a processor on your behalf.
Driver checks portal
You control which drivers to invite or cancel based on your employment decisions. Driver Codes hosts and operates the portal environment on your instructions as processor under Article 28.
When you use the portal to decide which drivers to invite, monitor or remove, you are exercising your own controller function — Driver Codes has no role in that employment or fleet decision. At the same time, Driver Codes operates the portal infrastructure itself as your processor. These two layers sit within the same interface but carry different data protection roles, which is why both a Data Sharing Agreement and a Data Processing Addendum are required.
Role allocation by activity
Activities are grouped by service area. Where you see both parties marked as controller, they act independently — neither party instructs the other for that processing.
| Processing activity | Driver Codes | You (customer) | Instrument |
|---|---|---|---|
| Consumer app · driver.codes | | | |
| Personal app account & security: Driver-initiated, no company involvement | Sole controller | Not involved | Consumer T&Cs & privacy notice |
| Driver checks portal · app.driver.codes — your controller decisions | | | |
| Decision to invite a driver: Choosing which employees or contractors to check | Not decision-maker | Sole controller | Data sharing agreement |
| Decision to cancel or remove a driver: Revoking access based on employment status or risk | Not decision-maker | Sole controller | Data sharing agreement |
| Review, storage & use of check results: Employment, fleet-risk & contractor decisions | Not decision-maker | Sole controller | Data sharing agreement |
| Driver checks portal · app.driver.codes — Driver Codes as processor | | | |
| Portal hosting & administration: Workspace environment, admin accounts, exports | Processor (Art. 28) | Controller | Data processing addendum |
| Driver check service — licence verification | | | |
| Driver invitation workflow execution: Sending invite & managing the authority flow | Independent controller | Independent controller | Data sharing agreement |
| Driver authority capture: Mandate, declaration & signature | Sole controller | Not involved | Data sharing agreement |
| DVLA record retrieval: Concierge workflow & ADD fallback | Sole controller | Not involved | Data sharing agreement |
| Platform security & audit logs: Fraud prevention, mandate retention | Sole controller | Not involved | Business customer terms |
Why Driver Codes is controller for the check service
This is the question we are asked most often. The answer is grounded in our DVLA registration, not a drafting choice.
What each party is responsible for
Driver Codes
- Maintaining the DVLA ADD access agreement
- Capturing and retaining valid driver authority records
- Executing checks lawfully via concierge or ADD
- Providing drivers with a Driver Checks Privacy Notice
- Maintaining its own LIA, APD and ROPA
- Retaining mandate records for up to six years
- Executing the Article 28 DPA for the portal
You (business customer)
- Deciding which drivers to invite, monitor or remove
- Documenting your own Article 6 lawful basis
- Identifying a Schedule 1 DPA 2018 condition for criminal offence data
- Maintaining an Appropriate Policy Document where required
- Issuing workforce privacy information covering your use of check results
- Acting on results lawfully and fairly in employment decisions
- Controlling portal access and reviewing user permissions
- Applying your own retention rules to exported reports
Legal documents
All documents are available at app.driver.codes/documents. Two instruments are required for enterprise customers alongside the Business Customer Terms.
Business Customer Terms
Master service agreement governing the supply of Driver Codes enterprise services.
Data Sharing Agreement (Required)
Controller-to-controller instrument covering invitation decisions, authority capture and results delivery.
Data Processing Addendum (Required)
Article 28 instrument covering Driver Codes' processor role for the portal workspace.
Driver Checks Privacy Notice
Provided to drivers invited by your company through the Driver Codes platform.
Security & Technical Measures Schedule
Baseline technical and organisational measures maintained by Driver Codes.
Data & Role Allocation Schedule
Full activity-by-activity breakdown of controller and processor roles across the service.
Note on regulator naming: at the version date of this document, the Information Commissioner's Office (ICO) remains the operative legal name of the UK data protection regulator. References in this document to the "Information Commission" anticipate the regulator's reconstitution under Part 6 of the Data (Use and Access) Act 2025. Our registration (ZA788385) is held with the regulator and will transfer to the Information Commission by operation of law on commencement of sections 118 and 119 of that Act.