Driver Checks Privacy Notice
Provider: RSMT Limited trading as Driver Codes
Version: v1.2 — May 16th 2026
Audience: Drivers, applicants and contracted drivers invited by a company to complete a check through Driver Codes
Published location: driver.codes/legal/checks-privacy
This notice explains how RSMT Limited (trading as Driver Codes) uses your personal data when you are invited by a company to complete a driving licence check through Driver Codes.
It does not cover:
- visiting the driver.codes website (marketing pages, contact forms, blog) — see the Website Privacy Policy;
- using the Driver Codes mobile app for personal driving information outside a company invitation — see the Consumer App Privacy Notice.
If you use the Driver Codes app for both personal use and a company-check workflow, both relevant notices apply to their respective parts.
How to read this notice
This notice describes how Driver Codes processes your personal data, and what each party's responsibilities are when a company invites you to complete a driving licence check.
Throughout this notice, references to "the inviting company" mean the specific business that has invited you to complete a check. The inviting company will be named to you in the Driver Codes app at the point you are asked to sign your authority, in the invitation email or message you receive, and in any in-app context shown alongside this notice.
The inviting company has its own privacy responsibilities for the parts of the processing it controls. The inviting company should provide you with its own workforce or contractor privacy information separately. If you have not received that information, ask the inviting company directly.
You should read this notice alongside:
- the Digital Driver Authority and Declaration that you are asked to sign in the Driver Codes app at the start of a check, which explains in plain terms what you are authorising; and
- the inviting company's own privacy information, which explains how that company uses the result of the check in its employment, contractor, fleet-risk, or other business processes.
1. Who is processing your data
RSMT Limited (trading as Driver Codes) is the controller for the Driver Codes app and the company-check service. Our registered address is 19A Queens Road, Hale, WA15 9HF. Our company number is 11744436. We are registered with the Information Commission under number ZA788385.
We are registered with the DVLA under the Access to Driver Data (ADD) Permitted Operating Model as a controller. This means that when you complete a check through Driver Codes, we obtain your driving record information from DVLA in our own name and under our own DVLA agreement — we are not acting as the agent of the inviting company. We then provide the information to the inviting company as part of a fully managed compliance service.
The inviting company is a separate and independent controller for its own processing. It decides whether to invite you to complete a check, reviews the result, and uses the information in its own employment, contractor management, safety or fleet-risk processes.
Driver Codes and the inviting company act as sequential, independent controllers — not joint controllers — for their respective processing activities. Each party is responsible for the parts of the processing it controls.
2. Information we process about you
We process the following categories of personal data:
Identity and contact details — your name, date of birth, address and (optionally) an employer reference number you provide.
Driver identifiers — your driving licence number and any related identifiers needed to access the driver register or linked services.
Authority records — your signed declaration, digital signature, the date of signing, the version of the declaration text shown to you when you signed, and associated technical signing metadata (device, IP address, timestamp, signature hash).
Driver record information obtained from DVLA — your licence entitlements, associated restriction codes, endorsements, disqualifications and, where available, your photo image. Where relevant to your role, this also includes Certificate of Professional Competence (CPC) data, Driver Qualification Card (DQC) status and digital tachograph card details.
DVSA Driver CPC periodic training data — only where you have linked your DVSA CPC training account to the Driver Codes app and authorised us to retrieve this information.
Check status and workflow data — invitation status, acceptance history, check outcomes and any related communications.
Technical and security data — your app login, IP address, device identifiers, and audit log entries relating to your use of the service.
3. How we obtain your information
Directly from you, when you create or use the Driver Codes app, accept an invitation, complete your profile, or sign the Digital Driver Authority.
From the inviting company, typically your work contact details and any reference number used to identify you.
From DVLA, once you have signed your authority — by generating a DVLA share code on your behalf and using it with the View Driving Licence service (our primary method) or, where that route is not available, by making an enquiry under the DVLA Access to Driver Data (ADD) service.
From DVSA, only where you have linked your DVSA CPC training account.
4. Why we use your information — our lawful bases
We rely on the following lawful bases under Article 6 UK GDPR. We do not rely on consent (Article 6(1)(a)) in the company-check workflow. Your signed authority is a DVLA scheme requirement and an evidential record of your authorisation — it is not a UK GDPR Article 6 lawful basis.
| Purpose | Controller | Article 6 basis |
|---|---|---|
| Operate your Driver Codes app account, login and core features | Driver Codes | Article 6(1)(b) contract |
| Capture and evidence your signed authority | Driver Codes | Article 6(1)(f) legitimate interests in operating a lawful, auditable compliance service |
| Obtain your driver record from DVLA, and CPC training data from DVSA where linked | Driver Codes | Article 6(1)(f) legitimate interests in delivering a fully managed compliance service under our DVLA registration |
| Share driver record information with the inviting company as part of the service | Driver Codes | Article 6(1)(f) legitimate interests, supported by your signed authority |
| The inviting company's receipt, review, storage and use of the results in employment, contractor or fleet-risk decisions | The inviting company | Article 6(1)(f) legitimate interests for most drivers; Article 6(1)(c) legal obligation for operator-licensed HGV/PSV drivers, tachograph-covered drivers and other regulated populations |
| Maintain service security, prevent fraud and misuse, retain audit records, and establish, exercise or defend legal claims | Driver Codes | Article 6(1)(f) legitimate interests; where applicable, Article 6(1)(c) legal obligation |
Where we rely on legitimate interests, we have carried out a documented Legitimate Interests Assessment. You may ask us for a summary.
5. Criminal offence data
Some of the information in your driving record — in particular, endorsements and disqualifications — is personal data relating to criminal convictions and offences under Article 10 UK GDPR.
We process this information in reliance on paragraph 12 of Schedule 1 Part 2 to the Data Protection Act 2018 (regulatory requirements relating to unlawful acts and dishonesty), with paragraph 10 (preventing or detecting unlawful acts) available as a secondary condition. We maintain an Appropriate Policy Document under Schedule 1 Part 4 governing how we process this data. A summary is available from the contact in section 14 on request.
The inviting company is responsible for identifying its own Schedule 1 condition for its own processing and maintaining its own Appropriate Policy Document where required.
6. Automated decision-making
We do not make solely automated decisions about you that produce legal effects or similarly significant effects. Check outcomes are presented to human reviewers at the inviting company, who make their own decisions.
If the inviting company uses check results as part of its own automated decision-making processes, the inviting company is responsible for explaining that to you separately. You may ask the inviting company directly.
7. Who we share your information with
The inviting company and its authorised administrators, as part of the service it has invited you to complete.
RSMT Limited staff and our service providers who support, secure or operate the Driver Codes platform. Our current sub-processor list is published at app.driver.codes/documents/subprocessors. We notify customers of material changes.
DVLA and DVSA, as needed to run the check.
Regulators, courts, law enforcement, professional advisers and similar, where disclosure is required by law or reasonably necessary to protect our service, our legal rights, or the safety of others.
8. Where your data is stored and international transfers
Your core driver-check records are stored in the United Kingdom. We use Amazon Web Services in the London region, eu-west-2, for production hosting.
Some ancillary service providers used for support, push notifications, payments, error monitoring or observability may process limited personal data outside the United Kingdom. These providers, locations and transfer mechanisms are listed in our Sub-processor List. Where a transfer outside the UK takes place, we use a UK-recognised transfer mechanism, such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, supported by a documented Transfer Risk Assessment.
9. How long we keep your information
| Category | Retention period |
|---|---|
| Driver authority / mandate records, including signing metadata | Six years after expiry or revocation |
| Completed check records in the inviting company's workspace | During the inviting company's use of Driver Codes, plus a closure period (currently up to 90 days for self-serve customers) for orderly export and handover |
| Service security and access logs | Up to 12 months |
| Rejected or unaccepted invitations | Up to 12 months |
| Billing, contract and dispute records | Six years plus the current financial year |
We may keep information for longer where the law requires, where there is a live dispute, or where we need to establish, exercise or defend legal claims.
10. Security
We maintain a documented information security programme. A public summary is published at app.driver.codes/documents/security and a fuller security pack is available to enterprise customers under non-disclosure on request.
Controls include role-based access, mandatory multi-factor authentication on the customer-facing checks portal, encryption in transit using TLS, encryption at rest, continuous 24x7 automated security monitoring, daily encrypted backups, documented incident response procedures, and UK-hosted core production services and driver-check records.
Limited personal data may be processed outside the UK by ancillary support, payment, communication, push-notification, error-monitoring or observability providers listed in our Sub-processor List, under UK-recognised transfer safeguards.
11. Your rights
Subject to UK data protection law, you have the right to:
- request access to your personal data;
- ask for inaccurate information to be corrected;
- ask for deletion or restriction of processing, where the conditions for those rights are met;
- object to processing that we base on legitimate interests, where you have particular reasons relating to your situation;
- receive a portable copy of certain information, where the conditions apply;
- not be subject to solely automated decisions producing legal or similarly significant effects, with limited exceptions; and
- complain about our handling of your data (see section 13 below).
To exercise a right, contact privacy@driver.codes. We will respond within one calendar month of receiving a valid request, and will let you know if we need an extension in complex cases.
Where your request concerns how the inviting company uses your check results in its own business processes, you may need to contact the inviting company directly — it is the controller for that use, and its privacy contact is identified in its own privacy information and (where available) in the Driver Codes app.
12. Revoking your authority
You may revoke your authority for future checks at any time through the Company checks section of the Driver Codes app. When you do, the inviting company will be notified, and we will carry out no further checks using that authority.
Revocation applies going forward only. It does not make past checks unlawful, and it does not require us to delete mandate records, audit logs or other data we are required to retain for the periods in section 9.
If you want to stop using Driver Codes entirely, you can ask us to close your Driver Codes account, subject to our retention obligations.
13. Complaints
You have the right to complain to us about how we handle your personal data. Our Data Protection Complaints Procedure explains how to do this, how we will respond, and your right to escalate to the Information Commission if you are not satisfied. Our complaints procedure complies with section 164A of the Data Protection Act 2018 (in force 19 June 2026).
The fastest route is to email privacy@driver.codes. We will acknowledge your complaint within 30 days of receipt and aim to provide a substantive response within the same period for routine complaints.
If you are not satisfied with our response, you have the right to complain to the Information Commission (formerly the Information Commissioner's Office), the UK's data protection regulator. Their website is ico.org.uk.
14. Contact
Driver Codes privacy contact: privacy@driver.codes
RSMT Limited: 19A Queens Road, Hale, WA15 9HF
Company number: 11744436
Information Commission registration: ZA788385
For the inviting company's privacy contact, see the in-app context shown alongside your check, the inviting company's own privacy information, or the company's website.