Provider: RSMT Limited trading as Driver Codes
Version: v1.1 — 15th May 2026
Document use: Standard controller-to-controller terms for self-serve customers, applying automatically to every account created at app.driver.codes. Incorporated by reference into the Self-Serve Business Terms.
Published location: app.driver.codes/documents/dsa
This Data Sharing Agreement ("DSA") records the data protection responsibilities of Driver Codes and the Customer for the parts of the Service where each acts as an independent data controller. For processing where Driver Codes acts as the Customer's data processor (the Customer Portal layer), the Data Processing Addendum (Standard) applies instead — see app.driver.codes/documents/dpa.
This DSA is non-negotiable for the self-serve track. Customers needing bespoke terms should request an Enterprise Agreement at hello@driver.codes.
Terms have the meanings given in the Self-Serve Business Terms and the UK GDPR.
2.1 Driver Codes is registered with DVLA under the Access to Driver Data (ADD) Controller Operating Model. The driver gives their signed authority to Driver Codes (not to the Customer), and Driver Codes interacts with DVLA in its own name under that registration.
2.2 For the activities below, each party acts as an independent data controller for its own purposes:
| Activity | Controller |
|---|---|
| Capturing, evidencing and retaining each driver's signed authority | Driver Codes |
| Retrieving Driver Record Information from DVLA (concierge or ADD) and, where the driver has linked their account, DVSA CPC training data | Driver Codes |
| Delivering Driver Record Information to the Customer | Driver Codes (for delivery) |
| Receiving the result; deciding which drivers to invite; using the result in the Customer's employment, contractor management, fleet-risk or compliance processes | Customer |
| Driver Codes' platform security, fraud prevention and audit logging | Driver Codes |
2.3 The parties are not joint controllers. Each is independently responsible for its own processing. If, contrary to the parties' intention, a regulator or court ever finds joint controllership, this DSA constitutes the parties' Article 26 arrangement, and the essence of it is communicated to drivers through the parties' respective privacy notices.
3.1 Each party will, for the processing it controls:
3.2 Driver Codes provides its Driver Checks Privacy Notice at driver.codes/legal/checks-privacy. The Customer is responsible for issuing its own workforce or contractor privacy information covering its use of the results.
3.3 The Customer will not request a check, or instruct Driver Codes to act, in any way inconsistent with Driver Codes' DVLA registration. Driver Codes may decline or stop a check that we reasonably believe is being used for an improper purpose or outside the terms of our DVLA registration.
3.4 If a driver revokes their authority, Driver Codes will notify the Customer. The Customer will not request further checks against that driver until a new valid authority has been captured.
Endorsements and disqualifications are criminal offence data under Article 10 UK GDPR.
If either party becomes aware of a confirmed Personal Data Breach affecting personal data shared under this DSA and likely to require the other party's action, it will notify the other without undue delay and in any event within 48 hours of confirmation, with the information available at the time. The parties will coordinate in good faith on investigation, notification and remediation. Nothing in this clause prevents either party from making any notification it reasonably considers legally required.
6.1 Where a request relates only to one party's processing, that party handles it.
6.2 Where a request reasonably needs input from the other party, the receiving party promptly forwards it and the other party gives reasonable assistance.
6.3 Neither party responds on the other's behalf without authorisation, save where required by law.
7.1 At the version date of this DSA, Driver Codes processes the core shared driver-check data received from DVLA and delivered to the Customer in the United Kingdom. Ancillary support, communication, payment, push-notification and observability providers may process limited personal data outside the United Kingdom, as described in the Sub-processor List.
7.2 If Driver Codes proposes to make an international transfer in connection with this DSA, it will use a UK-recognised transfer mechanism (UK IDTA, UK Addendum, or successor) supported by a Transfer Risk Assessment.
7.3 The current countries of processing and transfer mechanisms for relevant providers are set out in the Sub-processor List.
8.1 Each party retains shared data only as long as necessary for its own lawful purposes.
8.2 Driver Codes' retention periods for its own controller processing are set out in its Driver Checks Privacy Notice, including (without limitation):
8.3 The Customer maintains its own retention schedule for the Driver Record Information it receives.
Each party gives reasonable cooperation to the other on data subject requests, complaints, regulator enquiries, security incidents, or legal challenges relating to the shared data. The parties acknowledge that, given the controller-to-controller nature of this DSA, neither party has audit rights over the other's internal processes beyond what is required by data protection law.
Liability under this DSA is governed by clause 14 of the Self-Serve Business Terms. For the avoidance of doubt, neither party is liable for the other's processing — each is independently responsible for its own.
11.1 This DSA applies for as long as either party retains personal data derived from the activities in clause 2.
11.2 In the event of conflict between this DSA and the Self-Serve Business Terms, this DSA prevails on data protection matters within its scope. In the event of conflict between this DSA and the Data Processing Addendum (Standard), each instrument prevails for the activity it governs.
Note on regulator naming: at the version date of this document, the Information Commissioner's Office (ICO) remains the operative legal name of the UK data protection regulator. References in this document to the "Information Commission" anticipate the regulator's reconstitution under Part 6 of the Data (Use and Access) Act 2025. Our registration (ZA788385) is held with the regulator and will transfer to the Information Commission by operation of law on commencement of sections 118 and 119 of that Act.