Skip to content
HelpContact usLogin

Terms and conditions - Data processing

1. Definitions

In the Agreement the following definitions shall have the following meanings unless the context otherwise requires:

Agreement: these Data Processing Terms and Conditions.

Candidate: any person Introduced by us to you for an Engagement;

Controller, Data Subject, Personal Data, Processing, Processor: shall have the meanings given to those terms in the GDPR. “Process” and “Processed” shall be construed accordingly;

Data Protection Particulars: describes the Processing of Personal Data to be carried out under the terms of the Agreement as detailed below:

  • type of Personal Data to be Processed: name, address, contact telephone numbers, email address, date of birth, gender, driving licence, qualifications, employment history, disability, ethnic origin and any other information provided in a CV, covering letter or application. Information provided to support the Candidate’s application contained within: notes of a telephone interview, assessments undertaken that are relevant to the role and/or responses to additional recruitment questions;

  • reason for Processing: to assess a Candidate for potential Engagement;

  • categories of Data Subject: Candidates only; and

  • duration of Processing: the term of the Agreement;

Data Request: a complaint, notice or communication which relates directly or indirectly to the Processing under the Agreement, including: (a) requests made or notices given by Data Subjects for their data to be accessed, amended, erased, ported to a third party and/or for Processing to be restricted; or (c) correspondence from a regulatory body;  

Data Retention Period: two years from the date the Personal Data is first passed to you by us;

Data Security Incident: any (i) unauthorised: access, disclosure, use, alteration, storage, Processing, transfer, deletion or reproduction of Personal Data; or (ii) loss, damage, destruction or corruption of Personal Data;

Data Security Particulars:   means the minimum information to be provided by you to us in the event of a Data Security including: (a) a description of the Data Security Incident; (b) the approximate number of Data Subjects impacted; (c) the categories and the approximate number of data records involved; (d) the name and contact information of your representative who is  dealing with the Data Security Incident; and (e) a description of the measures you have taken, or propose to take, to mitigate adverse effects from the Data Security Incident;

DP Records: records of Processing activities you undertake on our behalf including a record of: (a) the technical and organisational measures in place; (b) training programmes governing the handling of Personal Data; and (c) compliance policies;

DP Law: the GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to the Processing of Personal Data and privacy, including where applicable, the guidance notes and codes of practice issued by a regulatory body or any replacement EU or UK data protection or related privacy legislation as updated from time to time;

Engagement: your engagement of a Candidate under a contract of employment (with a view to offering the Candidate an apprenticeship) or a contract of apprenticeship (and “Engage” shall have the same meaning);

GDPR: the General Data Protection Regulation (EU) 2016/679;

Introduction: the passing to you of a CV/application/covering letter or other Personal Data of a Candidate (and “Introduce” shall have the same meaning);

Misuse:  unauthorised or unlawful Processing or accidental disclosure, alteration, access, loss, destruction of, or damage to, Personal Data transmitted, stored or otherwise Processed;

Representative: employees, directors, officers, representatives or advisers.

Services: the apprentice recruitment services as detailed in the Apprentice Recruitment Form.

2. Application

2.1 The Agreement shall apply to all Personal Data provided to you or your Representatives by BPP or BPP’s Representatives.

2.2 You are the Processor of any Personal Data provided to you by BPP pursuant to the Services.

2.3 In performing the Agreement each party shall comply with the obligations imposed upon it under DP Law.       

3. Obligations of the Processor

3.1 As Processor, you shall:

3.1.1 only Process Personal Data in accordance with our written instructions, except where otherwise required by law;

3.1.2 only use Personal Data for the specific vacancies we have provided the Candidate for;

3.1.3 not use any Personal Data to market your products and services (or those of third parties you work with) unless you have obtained the Candidate’s express consent;

3.1.4 not copy any Personal Data you receive from us onto your own systems or to hard copy, except where necessary for the purposes of seeking to Engage a Candidate, which includes tracking Candidates’ progress through the Engagement process (provided always that you comply with the DP Law);

3.1.5 restrict access to the Personal Data to those Representatives who need to access it for the purposes of the Services and ensure they are appropriately trained in DP Law; and

3.1.6 promptly comply with our request requiring you to delete, amend or transfer any Personal Data.

3.2 You will become a Controller in your own right when you make an offer of Engagement to a Candidate.

3.3 You warrant that you:

3.3.1 have and will maintain throughout the term of the Agreement appropriate technical and organisational measures to Process Personal Data which shall ensure a level of security appropriate to the risk of Misuse, including (as appropriate) the measures referred to in Article 32(1) of the GDPR;

3.3.2 will provide reasonable assistance to BPP where we are required by DP Law to carry out any privacy impact assessment (or similar) in relation to the Processing under the Agreement; and

3.3.3 will not transfer or otherwise Process any Personal Data outside of the European Economic Area without our prior written consent.

3.4 You shall notify us without delay (and in any event within 24 hours) if you become:

3.4.1 aware that any instruction we provide would, in your reasonable opinion, infringe DP Law;

3.4.2 aware of any Data Security Incident; and/or

3.4.3 the subject of monitoring or investigation by a regulatory body.

3.5 You shall notify us as soon as reasonably practicable after receiving a Data Request. You shall provide us with reasonable assistance to enable us to respond to the Data Request as required by DP Law. You shall not respond to any Data Request directly unless we ask you to do so (in writing, email sufficient). This obligation shall not apply where you are obligated by DP Law to respond to the Data Request and/or where you are prevented from meeting your obligations on important grounds of public interest. 

3.6 On the occurrence of a Data Security Incident you shall:

3.6.1 promptly investigate and shall use reasonable endeavours to identify the root cause and prevent a reoccurrence;

3.6.2 take appropriate measures to secure the Personal Data and reverse or mitigate the impact of the Data Security Incident on Data Subjects (at your cost);

3.6.3 offer cooperation and assistance to BPP, including the provision, without delay, of the Data Security Particulars to enable us to fulfil its data breach reporting obligations in the timescales prescribed by DP Law; and

3.6.4 not make any public statements, without our prior written consent (email included).

3.7 You must not sub-contract Processing of Personal Data to a third party without our prior written consent (email excluded). Where provided, you must have a written contract in place with the sub-processor containing (at a minimum) the same data protection terms as outlined in the Agreement and must provide us with a copy of the contract on request.

3.8 You are fully liable for any breach of this contract by your sub-processors.

3.9 You shall maintain complete and accurate DP Records in order to demonstrate compliance with DP Law and the Agreement.

3.10 We may, on giving you reasonable prior written notice (email sufficient), enter onto your premises in order to inspect the DP Records and documentation which relates to Processing under the contract to assess compliance with this contract and DP Law. You shall provide us with access to all information, systems and Representatives that we may request.

3.11 You shall, if we ask, provide us with a copy of all Personal Data held by you and your Representatives in the format and on the media we reasonably specify and within the reasonable timescales we direct.

3.12 You shall at any time on written demand from us, or latest upon the expiry of the Data Retention Period, return or destroy (at our sole option) Personal Data you hold (or held by your Representatives). This obligation will not apply to the extent:

3.12.1 you hold the Personal Data as Controller (having made an offer to Engage a Candidate);

3.12.2 you are required to retain the Personal Data by reason of law; or

3.12.3 the Personal Data has been anonymised.

3.13 You agree to indemnify us and keep us indemnified from and against any loss which we suffer or incur as a result of a breach by you (or your Representatives) of your obligations under the Agreement and/or your obligations under DP Law.

3.14 Your total liability to us arising under the indemnity above shall in all circumstances be limited to £5 million.

4. Term and termination

4.1 The Agreement will be effective from the date the Apprentice Recruitment Form is signed and shall be in effect until termination in accordance with this clause 4.

4.2 Either party may terminate the Agreement:

4.2.1 for material breach of the Agreement at any time on notice to you;

4.2.2 if you repeatedly breach any of the terms of the Agreement in such a manner as to reasonably justify the opinion that your conduct is inconsistent with it having the intention or ability to give effect to the terms of the Agreement; or

4.2.3 if any warranty given by you within the Agreement is found to be untrue or misleading, including the fact that appropriate technical and organisational measures are not in place.

4.3 Either party may terminate the Agreement by giving the other 30 days’ notice at any time.

4.4 The provisions of clauses 2.3, 3.1, 3.4.2, 3.5, 3.6, 3.8, 3.11, 3.12, 3.13, 3.14, 4.4 and 5 together with those provisions that either are expressed to survive the expiry or termination of the Agreement or from their nature or context it is contemplated that they are to survive termination, shall survive termination or expiry of the Agreement.

5.     General

5.1 Any notice or other communication given under the Agreement must be given in writing (which includes email), addressed to that party at its registered office and shall be delivered personally, sent by pre-paid first class post or other next working day delivery service or by email. Any notice or other communication given shall be deemed to have been received: (a) if delivered personally, when left at the registered office address; (b)  if sent by pre-paid first class post or other next working day delivery service, at 9.00 am on the second business day after posting; (c) if delivered by commercial courier, on the date and at the time that the courier's delivery receipt is signed; or (d) if delivered by email at the time of receipt of the electronic transmission (as evidenced by a delivery receipt). This clause shall not apply to the service of any proceedings or other documents in any legal action.

5.2 No failure or delay by a party to exercise any right or remedy provided under the Agreement or by law shall constitute a waiver of that or any other right or remedy.

5.3 Any provision of the Agreement which is invalid or unenforceable shall be deleted (so far as invalid or enforceable) without affecting the remaining provisions of this Agreement.

5.4 No variation of the Agreement shall be effective unless it is in writing (email excluded) and signed by the parties (or their authorised representatives).

5.5 The Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims), shall be governed by, and construed in accordance with English law and the parties irrevocably submit to the exclusive jurisdiction of the Courts of England and Wales.