Terms and Conditions (Employer)

Service: European Criminal Record Check

Version 1.3 updated on 17th March 2019

PLEASE READ THE TERMS AND CONDITIONS CAREFULLY BEFORE ORDERING OUR SERVICES. By ordering our services, you agree to abide by the Terms and Conditions and the Data Processing Agreement described on this page.

IF YOU DO NOT AGREE TO ALL OF THE TERMS AND CONDITIONS SET FORTH HEREIN, PLEASE DO NOT USE THE SERVICE IN ANY WAY. The Terms and Conditions and its integral part, the Data Protection Agreement, are  binding agreements between European Criminal Records Information Services and you.

European Criminal Records Information Services (“we”, “our”) is continually improving and adding new services. These improvements (or changes in the law) may require changes to these Terms and Conditions. Accordingly, we reserve the right to update or modify these Terms and Conditions at any time without prior notice. We will do so by posting an updated or modified version of these Terms and Conditions on this Site. Your use of our services following any such change constitutes your agreement to comply with and be bound by these Terms and Conditions. For this reason, we encourage you to review these Terms and Conditions and Data Processing Agreement regularly.


  1. Definitions

Client (“you”, “yours”) means any organisation or business using or intending to use our services that has  verifiable identification and registered information;

Subject means the person on whom the criminal records check is conducted;

Site means the website located at www.ecris.eu;

Application Form means the form to be used for ordering our services as set forth in Section 4 of these Terms and Conditions;

Criminal Records Certificate (“CRC”) means a document that shows a criminal record of a Subject or lack of thereof issued by the NCRB of the Intermediate Country based on the information provided by the NCRB of the Target Country;

Report means a scan of a CRC along with its ordinary English translation in a portable document format (PDF);

National Criminal Records Bureau (“NCRB”) means the state agency of the respective country that governs nationwide court register of convicted and detained persons in that country.

Target Country means the country from which the information appearing in the CRC is gathered.

Intermediate Country means the country where the NCRB through which the CRC is obtained is headquartered;

National Criminal Records Bureau of the Intermediate Country (“NCRBIC”) means the state agency of the Intermediate Country that governs nationwide court register of convicted and detained persons in that country, requests information on criminal convictions from NCRBs of the Target Countries, collects replies to such requests and releases it in the CRCs it issues.

Business day means any day, which is a business day in the United Kingdom, in the Intermediate Country and in the Target Country at the same time.

Turnaround time (“TAT”) means a number of business days taken to fulfill our service.

GDPR means the General Protection Regulation (EU) 2016/679 of the European Parliament and of the Council.

  1. Our Service

We provide CRCs for all countries listed on our Site. Where all required information is made available, we will initiate the process to obtain CRCs the same or the following Business Day the Application Form completed by the Subject is received as a hard copy, original document. We return a complete Report via email same or the following Business Day the CRC is collected from the NCRBIC.

Although the reply issued by the NCRBIC may consist of the Intermediate Country specific CRC and the reply from the Target Country, the Report contains only the latter. You may request to obtain the full documentation released by the NCRBIC after further arrangements.

As part of our standard service we provide ordinary translations of the CRCs into English. Should you request us to perform tasks or services, which are outside the scope of our standard service, a separate fee shall be agreed in advance.

We do not obtain any information through enforced subject access requests under Data Protection Act 2018 (United Kingdom) or under Data Protection Acts 2018 (Republic of Ireland).

  1. Terms of Service

You acknowledge that:

  1. You are a data controller liable for obtaining a lawful legal basis for processing the Subject’s data in the context of this service or you are a data processor to such a data controller.
  2. As your data processor or data sub-processor we are not liable to the Subject directly under GDPR, unless agreed otherwise. You shall guarantee any obligations towards the Subject under GDPR will be fulfilled and/or any rights of the Subject will be exercised by you or another party if you act as a data processor to another data controller in relation to the Subject’s data. The above will apply also if we become a data controller of some of the Subjec’s data as a result of provision of the service.
  3. The CRC and its translations may have diacritical marks replaced with plain letters.
  4. Format of CRC included in the Report depends on the document received from the NCRB of the Target Country.
  5. We are acting as your data processor. You instruct us to process your orders on the basis of personal power of attorney granted by the Subject to our representative.
  6. Some fields of the CRCs may include descriptions of offences and penalties in the native tongue of the Target Country, which are not translated into English as a standard service.
  7. Convictions revealed in the CRCs may contain naming, description or legal qualification specific to the law of the Target Country. We do not provide explanation to the meaning of such description of the convictions.
  8. In the event your order includes CRCs from multiple Target Countries, the complete Report is released after CRCs from all the Target Countries have been returned to the NCRBIC.
  9. If the CRC obtained from the Target Country contains errors in Subject’s personal details, the faulty CRC is returned to the NCRBIC for correction. We shall not release the faulty CRCs.
  10. We provide our Reports in Portable Document Format (PDF) and that you have technical means to view such files.
  11. In the event the Target Country decides not to carry out the search or we believe that the CRC does not represent the actual state of the matter, we will contact you and advise accordingly.
  12. NCRB in the Target Country may in some cases provide a comment in the CRC implying that the check has not been carried out or that the application has been rejected, even though the check was actually carried out and represents informative value. You acknowledge that these comments do not represent the actual state of the matter and appear due to technical purposes and that the service is deemed completed, thus these comments do not constitute grounds for refund of our service charges. Description and sample reports including examples of such misleading comments in the CRCs are available on our Site.
  13. In the event you decide to resubmit the application you agree you may have to provide us with a new Application Form as set forth in Section 4.
  14. CRCs may contain spent convictions and other information, which do not have legal significance or do not have it any longer. It is your sole responsibility to determine which information may be used in the process, for which the CRC was requested.
  15. Average TATs are based on the historical performance records. The most recent average TATs, measured from receipt of the hard copy by our indicated office, are available on our Site and are updated at least once a month. These TATs are not guaranteed by us and its exceeding does not constitute a basis for any claims.
  16. In the event the Subject provided the birth name and the surname, CRCs from certain Target Countries may contain only one of the two. In such cases Intermediate Country specific CRC including all the personal details used as input data by the NCRBIC to make requests to the NCRBs of Target Countries can be provided as a proof of the search having been carried out against all available Subject’s personal details.
  17. In some cases the CRC from the country of the Subject’s citizenship may include information on convictions from EU member states other than the Target Countries, which is transferred to the NCRB of the country of Subject’s citizenship as a mandatory procedure regulated by European laws, and you acknowledge this information cannot be removed from the Report.
  18. There are certain limitations of the service pertinent to the CRCs from particular countries, as outlined on the Site. These may change from time to time, therefore we encourage you to review description of the service in each country before placing an order.
  19. We provide customer support in English only.
  20. We are not affiliated with the European Criminal Records Information System scheme.
  1. Application Form

The Application Form should be completed in full, hand signed by the Subject and sent as a hard copy, original document to the postal address we specify, which may differ from the business registered address.

Scans of the completed Application Form sent to us via email help us determining its completeness, however do not allow us to initiate the check.

The Application Form must be dated within 120 days of the order for the Services for a given Subject.

In the event the Application Form is not completed in full, you shall provide the missing details no later than 90 days after the initial submission of the Application Form, absence of which after this period of time will result in the Application Form being considered as abandoned and Subject data being removed. Abandoned Application Form is subject to a full charge.

COMPANY: You declare that through third party agents or clients in each specific case, you have verified identity of signatories of written Application Forms and consent forms, which give authorisation to ECRIS to perform checks outlined in the abovementioned consents. You confirm that Subject’s signatures as provided on consent forms have been verified as matching signatures on relevant proof of ID made available by the Subject.

If you provide the application form to the Subject in an electronic format, you agree to provide it in an uneditable file format only.

Any changes to the content of the application form without our authorisation render it useless.

Application Form must be printed out on separate sheets of paper, leaving the back side of each page blank, and contain a handwritten, ‘wet’ signature of the Subject made with a pen, ballpoint pen or a permanent marker. Cross outs and other correction of errors are not allowed and a new application form shall be completed if an error was made. The application form may not contain any comments. Overwriting a signature with handwriting on a photocopy or a print out of a scan of a completed form already containing a signature renders the Application Form invalid.

Information made available to us by you, will not be made available to any third parties, not directly involved in the background screening process and will be used only for the intended purpose of our services.

If the lawful legal basis for processing Subject’s data by the data controller described in Section 3.1. derives from the Subject consent, the consent must be freely given, specific, informed and unambiguous indication of the Subject’s wishes by which he/she by a statement signifies agreement to the processing of his/her personal data within the GDPR meaning.

The Application Form does not constitute the Subject’s consent to the data controller under GDPR, which needs to be obtained separately unless you provide different lawful legal basis for Subject’s data processing.

If the Subject’s consent constitutes the legal basis for processing of the Subject’s data the Subject has the right to withdraw their consent to the criminal record check at any time. If the Subject notifies you of the consent withdrawal, or if you deem the Subject’s objection to processing of his/her data valid, you must notify us accordingly. On receipt of your notification we will cease processing the Subject’s personal data and confirm data processing has ceased. If the Subject notifies us directly we will cease processing the Subject’s personal data and notify the Subject and you that the Subject’s data processing has ceased.

You undertake to obtain and keep a proof of the Subject’s consent given to a named  representative of ours to release the certificate obtained from a named public authority to you. At the same time you may instruct us to perform this task on your behalf.

  1. Payment Terms

A. Billing Policies. 

If you elect to order our services, you agree to the pricing and payment listed on the Site which we may update from time to time. You will receive an email with a binding quotation for the services you requested, before you are asked to complete the payment. We may add new services for additional fees and charges, or amend fees and charges for existing services, at any time in our sole discretion. Charges for any services exceeding the limits of the standard services shall be agreed on an individual basis.

B. General Payment Terms.

All payments of our services are subject to the following conditions:

  1. You can make the payment at any stage of the ordering process.
  2. We will initiate the CRC checks only for fully paid orders.
  3. We accept bank transfer and PayPal payment.
  4. Due to the way transactions are processed, delays in updating your payment in our ledger may occur.
  5. Orders will be cancelled if your payment is not received within 90 days of the order date.
  6. Payments are to be transferred to: European Criminal Records Services, 35-37 Ludgate Hill, London EC4M 7JN, United Kingdom bank account, or via PayPal, as per our payment instructions following your order.
  7. We do not accept payment made by cheque, however alternative methods of payment can be arranged on an individual basis. You agree to cover any additional fees and charges resulting from the use of such alternative payment methods.
  8. Upon receipt of your order we send you a draft invoice for the ordered services to be paid for in advance.
  9. We will invoice you only for completed services, which were fully paid for in advance.
  10. You shall make the payment using your own account either with a bank or an alternative payments operator’s. We are not liable for the processing of any personal data of third parties obtained as a result of you completing the payment using third party’s account or delegating the payment to be completed by a third party.

C. Refunds Policy.

  1. In the event an initiated check was put on hold by the NCRBIC or NCRB of the Target Country due to incorrect or insufficient personal information provided and you do not provide us with all required details within 90 days from that event, you understand and agree that the service is deemed initiated and that you shall receive no refund.
  2. In the event the Target Country did not provide the requested CRC, you are entitled to a refund for our services.
  3. In the event the requested CRC processed basing on the incorrect data you provided (directly or indirectly), is initiated or returned complete, you understand and agree that you shall receive no refund.
  4. Orders paid for in advance but not initiated due to the reasons laying on your side are refunded automatically after 90 days from the order date or at your request, whichever is sooner, subject to the Cancelation Policy as described in Section 6.
  5. We reserve the right to chose the payment method for any refunds.
  6. You agree any fees imposed by the banks or alternative payment operators relating to the refunds not caused by our unavailability to provide the service  will be deducted from the refunded amount and if the said fee exceeds the amount to be refunded, no refund will be made. 
  1. Cancelation Policy

You can receive a full cancelation refund of your order if you submit the cancellation notice before we submit the request to the NCRBIC for the CRC you ordered. In case of the refunds made by international bank transfer, any relevant bank fees (currently 17.00 GBP) will be deducted from the refunded amount.

You will not be eligible for a cancelation refund based on cancellation notices submitted after we have lodged the request to the NCRBIC for the CRC you ordered. 

  1. Disclaimer of Warranties

We reserve the right to discontinue or alter any or all of our Site services, and to stop publishing our Site, at any time in our sole discretion without notice or explanation.

To the maximum extent permitted by applicable law, we exclude all representations and warranties relating to the subject matter of these terms and conditions, our Site and our services.

  1. Limitation of Liability

You acknowledge that CRCs we obtain from the Target Country in specific cases may not be used in lieu of the criminal records certificates required by special laws (for specific regulated professions, industries or for formal purposes) in the respective country/countries which obligate the employers to have themselves or their employees undergo a criminal records check. Whenever you intend to use the Report for official purposes, including, but not limited to, visa applications, immigration or naturalisation procedures, lawsuits, administrative proceedings, you are solely responsible for establishing whether our Report would be regarded by relevant authorities a legally recognized and enforceable proof of your criminal record. You acknowledge that we shall not be held liable for any use of our Reports in such a manner and that we do not provide legal counseling in this matter.

You acknowledge that TATs largely depend on the response time of the NCRBIC and NCRBs involved in the process of obtaining CRCs, which is beyond our control, therefore, despite our best effort, we cannot guarantee the TATs.

You acknowledge that providing the Application Form signed by a person other than the one, whose personal details appear in this document or on behalf of such person constitutes a criminal offence of forgery. You shall be held liable for any kind of negative consequences of us processing the forged Application Forms you provide, including, but not limited to consequences of: administrative proceedings, criminal investigation, criminal prosecution, criminal conviction or civil suits, and you will compensate for any such consequences to us, our employees, other representatives of ours or any parties involved in processing of the forged Application Forms, who suffered from the said consequences.

You acknowledge that we prepare our Reports from information supplied by various NCRBs, and though we make every effort to insure the accuracy of the information, the information is provided “AS IS” and we in no way warrant or assume any liability whether directly or indirectly for the accuracy and/or completeness of the information and the turnaround time of the NCRBIC and NCRBs.

We shall not be held liable for any loss or damage including any indirect or consequential losses or damages sustained by you or any third parties directly or indirectly as a result of the services and/or from making use of the information including but not limited to any loss or damage resulting from any inaccuracies or omissions in the information or for any delays in providing the information.

We shall not be held liable for the consequences of your decisions or decisions of any third parties made based on the Report or lack of thereof.

If you order delivery of the hard copy CRCs by mail, you agree that we shall not be held liable for any undelivered, lost or damaged mail that is beyond our control.

You do hereby release and forever discharge and hold harmless us and our successors and assigns from any and all liability, claims, and demands of whatever kind or nature, either in law or in equity, which arise or may hereafter arise from your activities with us relating to a given service, after 90 days from its completion.

  1. Confidential Information

Each party agrees to maintain the confidentiality of all documents and information that the other party consider to be confidential, secret, and/or proprietary (the „Confidential Information”) received or arising during the term of or in connection with this Agreement. We shall use your Confidential Information only in connection with services rendered under this Agreement. Confidential Information does not include information that (1) is in or becomes in the public domain without violation of this Agreement, (2) is already rightfully in the possession of the party, as evidenced by written documents, prior to the disclosure thereof by the other party, or (3) is rightfully received from a third entity having no obligation to the party and without violation of this Agreement. Confidential Information shall include, but not be limited to, all financial information and personal information. The parties agree not to disclose the content or the existence of this Agreement except by mutual consent. This provision shall survive termination of this Agreement.

  1. Retention of the information

Subjects’ data is removed from our databases and the physical documentation is destroyed in accordance with the below Data Protection Agreement and your Instructions.

Order history associated with particular Data Subjects is kept on the record for the period allowed by the Data Processing Agreement. If you require this period to be extended, your reference number associated with a given Data Subject must be provided to allow us to anonymize Data Subject’s personal details for further processing.

  1. Severability

If any provision of these Terms and Conditions is held by a court of competent jurisdiction to be contrary to law, such provision shall be changed and interpreted so as to best accomplish the objectives of the original provision to the fullest extent allowed by law and the remaining provisions of these Terms and Conditions shall remain in full force and effect.

  1. Force Majeure

Neither party shall be liable to the other for any delay in performance or failure to perform its obligations in accordance with these Terms and Conditions where such delay or failure is due to circumstances beyond its control and unknown to it at the date of these Terms and Conditions, such circumstances including but not restricted to fire, flood, government act, and legislative constraints.

  1. Governing Law and Jurisdiction

These Terms and Conditions shall be governed by and construed in accordance with the law of the United Kingdom and any dispute arising shall be subject to the exclusive jurisdiction of the Courts of the United Kingdom.

  1. Third Party Rights

The agreement under these Terms and Conditions is for our benefit and your benefit, and is not intended to benefit or be enforceable by any third party.

  1. Entire Agreement

These Terms and Conditions constitute the entire agreement between you and us with respect to your access to and/or use of this Site and our services.

Questions or comments regarding these Terms and Conditions should be directed to info@ecris.eu.

European Criminal Records Information Services CONTACT INFORMATION:

 Office 7

35-37 Ludgate Hill

London EC4M 7JN

United Kingdom

Telephone: +44 (0) 845 557 1082

Fax: +44 (0) 845 557 1083

Email info@ecris.eu

Website: www.ecris.eu



  1. Introduction

1.1 This agreement re processing of personal data (the “Data Processing Agreement”) regulates European Criminal Records Information Services (the “Data Processor”) processing of personal data on behalf of you (the “Data Controller”) and is attached as an addendum to the Terms and Conditions in which the parties have agreed the terms for the Data Processor’s delivery of services to the Data Controller.

  1. Legislation

2.1 The Data Processing Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the “Applicable Law”), including in particular The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

  1. Processing of personal data

3.1 Purpose: The purpose of the processing under this Agreement is the provision of the service of criminal record check by the Data Processor as specified in the Terms and Conditions and Data Processing Agreement.

3.2 In connection with the Data Processor’s delivery of the service, as described in the Terms and Conditions and the Data Processing Agreement to the Data Controller, the Data Processor will process the below categories and types of data on behalf of the Data Controller:

Data Subjects undergoing criminal records check order by the Data Controller:


-second name(s)

-surname (s)

-maiden name

-date of birth

-place of birth (town, country)


-parents’ first names

-mother’s maiden name

-current address

-ID card / passport number

-ID card / passport scan or digital picture

-national identification number (whenever required by law for the purpose of obtaining the criminal records certificate)

-information on criminal convictions (criminal offence date, type, location, ruling court), penalties and penal measures or lack of thereof from (a) given EU member state(s) criminal register(s) (the scope of information on criminal convictions is regulated by each EU member state’s national laws)

-information on criminal convictions (criminal offence date, type, location, ruling court), penalties and penal measures or lack of thereof from (a) given EU member state(s) criminal register(s) (the scope of information on criminal convictions is regulated by each EU member state’s national laws)


3.3 ”Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the ”Personal Data”). The Data Processor only performs processing activities that are necessary and relevant to perform the Main Services.

3.4 The Data Processor shall have and maintain a register of processing activities in accordance with GDPR, article 30 (2).

  1. Instruction

4.1 The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the “Instruction”), as specified in the Appendix A, unless required by law to act without such instruction. The Instruction at the time of entering into this Data Processing Agreement (DPA) is that the Data Processor may only process the Personal Data with the purpose of delivering the service as described in the Terms and Conditions. Subject to the terms of this DPA and with mutual agreement of the parties, the Data Controller may issue additional written instructions consistent with the terms of this Agreement. The Data Controller is responsible for ensuring that all individuals who provide written instructions are authorised to do so.

4.2 The Data Controller guarantees to process Personal Data in accordance with the requirements of GDPR and local Data Protection Laws and Regulations. The Data Controller’s instructions for the processing of Personal Data shall comply with GDPR and Applicable Laws. The Data Controller will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it was obtained.

4.3 The Data Processor will inform the Data Controller if it discovers the Personal Data provided by the Controller lacks accuracy, quality or legality.

4.4 The Data Processor will inform the Data Controller of any instruction that it deems to be in violation of Applicable Law and will not execute the instructions until they have been confirmed or modified.

  1. The Data Processor’s obligations

5.1 Confidentiality

5.1.1 The Data Processor shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the Instruction, unless the Data Controller has agreed in writing.

5.1.2 The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this DPA with strict confidentiality.

5.1.3 Personal Data will only be made available to personnel that require access to such Personal Data for the delivery of the Main Services and this Data Processing Agreement.

5.2 The Data Processor shall also ensure that employees processing the Personal Data only process the Personal Data in accordance with the Instruction.

5.3 Security

5.3.1 The Data Processor shall implement the appropriate technical and organizational measures as set out in this Agreement and in the Applicable Law, including in accordance with GDPR, article 32. The security measures are subject to technical progress and development. The Data Processor may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security.

5.4 The Data Processor shall provide documentation for the Data Processor’s security measures if requested by the Data Controller in writing.

5.5 Data protection impact assessments and prior consultation

5.5.1 If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36, at the time of the duration of the agreement between the parties.

5.6 Rights of the data subjects

5.6.1 If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.

5.6.2 If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly, unless the request concerns the cease of processing of Subject’s data, in which case general Terms and Conditions apply.

5.7 Personal Data Breaches

5.7.1 The Data Processor shall give immediate notice to the Data Controller without undue delay, if a breach is detected, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed re the Personal Data processed on behalf of the Data Controller (a “Personal Data Breach”).

5.7.2 The Data Processor shall make reasonable efforts to identify the cause of such a breach and take those steps as they deem necessary to establish the cause, and to prevent such a breach from reoccurring.

5.8 Documentation of compliance and Audit Rights

5.8.1 Upon request by a Data Controller, the Data Processor shall make available to the Data Controller all relevant information necessary to demonstrate compliance with this DPA.

5.8.2 The Data Controller may be requested to sign a non-disclosure agreement reasonably acceptable to the Data Processor before being furnished with the above.

5.9 Data Transfers

5.9.1 Ordinarily, the Data Processor will not transfer your data to countries outside the European Economic Area (EEA), unless the Data Controller is established outside of the EEA.

  1. Sub-Processors

6.1 The Data Processor is given general authorisation to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller.

6.2 The Data Processor shall complete a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Data Processor, including the obligations under this Data Processing Agreement. The Data Processor shall on an ongoing basis monitor and control its Sub- Processors’ compliance with the Applicable Law. Documentation of such monitoring and control shall be provided to the Data Controller if so requested in writing.

6.3 The Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.

  1. Remuneration and costs

7.1 The Data Controller shall remunerate the Data Processor based on time spent to perform the obligations under section 5.5, 5.6, 5.7 and 5.8 of this Data Processing Agreement based on the Data Processor’s hourly rate.

7.2 The Data Processor is also entitled to remuneration for any time and material used to adapt and change the processing activities in order to comply with any changes to the Data Controller’s Instruction, including implementation costs and additional costs required to deliver the Main Services due to the change in the Instruction. The Data Processor is exempted from liability for non-performance with the Main Agreement if the performance of the obligations under the Main Agreement would be in conflict with any changed Instruction or if contractual delivery in accordance with the changed Instruction is impossible. This could for instance be the case; (i) if the changes to the Instruction cannot technically, practically or legally be implemented; (ii) where the Data Controller explicitly requires that the changes to the Instruction shall be applicable before the changes can be implemented; and (iii) in the period of time until the Main Agreement is changed to reflect the new Instruction and commercial terms thereof.

  1. Limitation of Liability

8.1 The total aggregate liability to the Client, of whatever nature, whether in contract, tort or otherwise, of the Data Processor for any losses whatsoever and howsoever caused arising from or in any way connected with this engagement shall be subject to the “Limitation of Liability” clause set out in the Terms and Conditions.

8.2 Nothing in this DPA will relieves the Processor of its own direct responsibilities and liabilities under the GDPR.

  1. Duration

9.1 The Data Processing Agreement shall remain in force until processing of Personal Data belonging to the Data Controller in connection with the fulfillment of the Main Service by the Data Processor, as per the Terms and Conditions, takes place.

  1. Termination

10.1 Following expiration or termination of the Agreement, the Data Processor will delete or return to the Data Controller all Personal Data in its possession as provided in the Agreement except to the extent the Data Processor has legal basis for processing as a separate data controller or is required by Applicable law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to such Personal Data.

In case the Data Processor effectively becomes a data controller of some of the Subject Data as a result of the termination of this agreement or otherwise, Data Controller undertakes to fulfill any information obligation towards the Data Subjects on the Data Processor’s behalf.



Instructions to the Data Processor

Apart from the circumstances described in the section 10.1 of the Data Processing Agreement all Subject Data should be removed not earlier than 90 days and no later than 120 days  from the day the complete report was returned to the Data Controller. Any Subject Data the Data Controller made available to the Data Processor not resulting in the initiation of the service should be removed no earlier than 90 days and no later than 120 from the day it was made available to the Data Processor, unless otherwise directed by the Data Controller. Data removal means destruction of hard copy documents and permanent removal of data in electronic format, or such a modification of the data, that makes the identification of the Data Subject impossible. During the above indicated retention period data should be stored for evidence purposed, unless the Data Controller requires the original certificates issued by the public authorities containing Data Subject details to be returned in hard copy. In such a case Data Controller advises the Data Processor on the manner of the dispatch. Electronic data should be permanently erased from the data storage media and hard copy documents should be shredded. Whenever there is a reference to data “removal” it means the overall process as described in this paragraph.

Data Controller requires the Data Processor to retain the document, further referred to as ‘ authorisation for the Data Processor to lawfully release the information to the Data Controller’ for a period of six years from the date the complete report was returned to the Data Controller.

Data Controller requires the Data Processor to lodge requests on behalf of the Data Subjects (acting as a Data Subjects’ proxy) to the national criminal register named in the Application Form (further known as National Criminal Register – NCR), and respectively to collect Criminal Records Certificates (CRCs). Data Processor provides the Data Controller with a sample Application Form, which content is strictly dependent on the requirements of the law governing the NCR. The Application Form consists of the questionnaire requesting Data Subjects to provide all personal details required by the said law to lodge the request, authorisation for the Data Processor to lawfully release the information to the Data Controller and personal power of attorney allowing the Data Subject an opportunity to explicitly point out the EU member states, which should be included in the EU criminal records check by matching appropriate boxes pertinent to listed EU member states where he/she lives or used to live.

Data Processor will follow the below process:

-Receiving scanned Application Forms via email and advising the Data Controller whether the Application Forms are legible, meet formal requirements and if information provided by the Data Subject is complete.

-Verifying the signatures on the Application Forms match the signature specimen available in the scan of the Subject’s ID provided by the Data Controller and discarding the said scan immediately afterwards, no later than within one business day.

-Receiving hard copy Application Forms sent by the Data Controller or directly by the Data Subjects, inspecting the Application Forms to verify whether they are original documents and if they are printed properly and advising the Data Controller upon receipt of the Application Forms. Data Processor advises the Data Controller on the received unexpected Application Forms and accordingly to the Data Controller’s direction initiates the checks, stores or removes them.

-Producing hard copy NCR Application (consisting of a written request to the NCR for providing information on a natural person, power of attorney, proof of the CRC request fees being paid and a signature of the Data Subject or a person authorised by a Data Subject to lodge the request on his/her behalf), completing them with the personal details provided by the Data Subjects and signing the NCR Application on behalf of the Data Subject and naming the EU member states, where the EU criminal record check should be processed, as per the Data Controller’s instructions.

-Storing the authorisation (part of the Application Form) which enables the Data Processor to release the CRCs to the Data Controller for a period necessary to defend possible future legal claims arising from performance of Data Processor’s or Data Controller’s services.

-Removing any pages of the application form holding personal data, which are no longer required in the process.

-Making relevant payments to the NCR and relevant public authorities for each NCR Application.

– Lodging the NCR Application to the NCR same or the following business day the hard copy application form pertinent to a confirmed order was received.

-Liaising as necessary with the NCR in regards to the submitted NCR Applications.

-Collecting the criminal records certificates from the same or the following business day the NCR notified the Data Processor the complete CRC is available for collection.

-Removing any unwanted parts of the reply from the NCR.

-Scanning the CRCs, translating its content into English and producing reports in PDF format consisting of the English translation of the CRC and its scan.

-Password-protecting any reports including CRCs with information on criminal convictions.

-Returning complete PDF reports to the Data Controller via email same or the following business day the CRCs were collected from the NCR.