A legally binding agreement between ACM Certification Limited (ACM) and the Client. Valid from the point that the Client’s application for Registration is accepted by ACM.

*Please note that the Terms and Conditions of Contract are subject to change following the acquisition of ACM Certification by Amtivo Group.

1. Introduction

ACM is an independent certification body and these rules have been drawn up in accordance with the requirements placed on ACM by Accreditation Bodies. ACM shall abide by these requirements as specified in ISO 17021 and other related documents and standards. If a sector is outside the scope of accreditation then an unaccredited certificate may be offered at the discretion of ACM.

Although not a statement guaranteeing that the product or services actually meet specified requirements, accredited certification of a management system is a measure of compliance, at the time of audit, with the appropriate international standards.

2. Definitions

For the purpose of these Terms and Conditions:

Applicant; means an individual, body corporate or body unincorporated applying for a Certificate of Registration.

Audit/Assessment; means verification of the effectiveness of the relevant management systems and processes operated by an Applicant through the examination of materials, finished product, methods of test, records, systems, environmental and other activities established by the Applicant within its Management System.

Certificate of Registration; means a document issued by ACM in recognition that the management system operated by the Applicant meets the requirements of the applicable Standard or Scheme and these Terms and Conditions.

Client; Companies, organisations or parts thereof that are audited and certified by ACM.

Major non-conformance; where there is a lack of evidence to demonstrate that a clause within a standard has been met. For example, no evidence, records or documents can be found or non-conformities raised at a previous audit have not been properly closed.

Minor non-conformance; where there is a lack of evidence to demonstrate that a clause within a standard has been fully met. For example, some evidence, records or documents are available.

Observer/Witness; means a person who accompanies the audit team but does not act as an auditor.  An observer can be an Accreditation Body or another interested party.  In addition, a technical expert may accompany an auditor but does not act as an auditor in the audit team unless qualified to do so.

Registration; The process by which Clients gain and maintain certification against a standard. Registration covers all certification activities, including all activities required outside the certification process required to maintain Registration. For example, payment terms and conditions, and regulatory requirements.

Registered Company; means an individual, body corporate or body unincorporated which has been granted a Certificate of Registration.

Services; as set out in the quotation.

Scope of Registration; means the range of products, services, and activities covered by the management system of a registered company specified on the Certificate of Registration.

Standard; means the Standards or other requirements for which the applicant organisation is seeking certification.

3. Scope of the Rules of Registration

These rules of registration are applicable to all audits undertaken by ACM (or its local representatives) within the current scope of accreditation. In fulfilling this scope, the Client agrees to supply all necessary information to ACM so that a full and fair assessment can be undertaken. ACM will give due notice of any changes to its requirements and will verify that each certified Client complies with the new requirements. This agreement is applicable to all sites as listed on the certificate or attached schedule.

ISO 45001 requirements: – This contract requires that the certified Client informs the Certification Body, without delay, of the occurrence of a serious incident or breach of regulation necessitating the involvement of the competent regulatory authority.

4. Personnel, Impartiality and Confidentiality

ACM undertakes to provide suitably qualified and technically competent personnel for all audit and surveillance activities using their own staff or suitable qualified and competent associates. All members of ACM (full-time employees, associates or local representatives) are required to sign confidentiality agreements concerning all confidential information to which they may be exposed. They are required to declare any conflict of interest prior to an auditor as soon as they become aware of a threat to the impartiality of the audit.

The Client will be notified in advance of the lead auditor’s name and who will be attending.

To maintain impartiality, it is a condition of the Passport Scheme and ACS Standard Route Scheme that applicants/ registered companies allow the certification body to rotate its assessors at least once in a three year period.

All information acquired by ACM about an applicant or a registered company shall be confidential and, except as required by an accreditation body or regulator or for input to required industry databases, shall not be disclosed to a third party without the prior written agreement of the company concerned. ACM does reserve the right to inform the relevant authorities if breaches of legislation are found as part of the audit process.  Click Here to see our privacy notice.

All certification activities and the management of impartiality are overseen by the Directors of ACM Ltd.  Risks to impartiality are reviewed by an Independent Certification Board.

5. Access and Safety

The Client is responsible for ensuring that when ACM visits your site ACM has adequate protective equipment for the working environment to be assessed. Where specialist training is required this shall be disclosed to ACM at the outset. Clients shall raise these issues with ACM in advance of a visit.

To ensure an effective audit, Clients are required to make all necessary arrangements for the conduct of the audit, including access to all processes and areas within the organisation, records and personnel. This policy also applies to follow up audits following a complaint received from an interested party, for example, about the products/services provided by the certified organisation.

6. Application for Initial Registration

On receiving a completed Application Form/Request for Quotation ACM or its local representative will prepare a quotation detailing audit cost which will be forwarded to the Client. You agree to accept these terms and conditions by signing and returning your quotation document.

On receipt of the signed acceptance of the quote, ACM or its local representative will issue an invoice to the Client who in turn will make payment to ACM or its local representative. The audit will then be planned and carried out in accordance with ACM accredited management system processes.

The process for initial registration normally involves an on-site stage 1 audit of the management system and a subsequent on-site stage 2 audit of the implementation of that system.

It is the responsibility of the applicant to satisfy themselves that the proposed scope of registration meets their requirements. Changes to the scope following acceptance of the quotation could result in amendment to the fees.

7. Changes to your Organisation

It is a condition of this agreement that you inform ACM of any substantive changes that take place or are planned to take place in or to your structure, strategy, management or culture (a “change”) which could affect your certificate.

Without limitation, a change may include any mergers, acquisitions, takeovers, new brands using existing people, cases of significant growth or reduction in employee numbers and changes in name or ownership. You must inform ACM prior to the change taking place or, if this is not possible, as soon as is reasonably practicable following the change.

ACM reserves the right to investigate the nature of any change and its impact on your certification. Wherever possible, this investigation shall be timed to take place with a routine assessment of your certification. There may be a requirement to re-quote in line with the new changes and you will be notified of this prior to the assessment taking place.

8. Audit Method

The first stage of the audit requires the Auditor to conduct an on-site readiness review of the Client’s management system to assess the documentation and if the implementation of the management system is at a level sufficient to progress to the Stage two audit.

When satisfied with the compliance of the documentation and system readiness the Auditor will produce a report and will agree on a date with the Client for the Stage 2 audit. The Stage 2 audit will then be conducted in accordance with ACM accredited management system processes. If further visits are required, due to non-compliances found, these will be undertaken and the Client will be liable for any extra charges incurred based on the current audit day rate in the quotation. The audit will be carried out against agreed audit criteria.

Once registration has been obtained the Client will be under a duty to notify ACM of any changes that significantly affect the registration. ACM may re-audit if necessary (short notice) due to the significant changes or as a result of any complaint, or follow up on suspended clients. If any additional charges are incurred ACM reserve the right to pass these additional charges on to the Client.

ISO 45001 requirements: If the Client provides services at another organisation’s premises, we will verify that the client’s OH&SMS covers these offsite activities (notwithstanding the OH&SMS obligations of the other organization). In determining the time to be spent for audit, we shall consider auditing periodically any organization site where these employees work. Whether all sites shall be audited will depend on various factors such as OH&S risks associated with the activities therein performed, contract agreements, being certified by another accredited CAB, internal audit system, and statistics on accidents and near misses.

Audit methodology will include interviews, observation of activities, electronic and hard copy documents and record review. Conclusions will be based on the evidence obtained during the audit. The auditor(s) will use sampling techniques to obtain the evidence and no guarantee can be given that a different conclusion may have been reached previously or if a different sample had been taken.

9. Certification

Upon completion of the audit, the Auditor will submit the report with a recommendation for either granting or refusing registration. A suitably qualified, independent and authorised member of the ACM team will make the certification decision and authorise the issue of the certificate.

Any non-conformities raised during an audit must be corrected and closed prior to a certification decision being made. The Client agrees to meet the extra visit or documentation review costs involved in closing out the non-conformities.

Certificates will not be issued unless payment in full has been received.  The certificate remains the property of ACM and is valid for three years, providing the client maintains the management system to the required standard.

10. Annual Registration, Surveillance, Re-certification and  Special / Short Notice Visits

After the issue of a certificate, planned surveillance visits will be carried out by an Auditor at the Client’s premises at least annually in order to maintain registration. If areas of concern are identified, more visits may be carried out at the discretion of the ACM Management. Major non-conformities identified at a surveillance visit must be corrected by the Client within the timescales agreed with the auditor and closed out by ACM either by document/record review or additional site visit.  The Client agrees to meet the extra costs relating to any additional closeout work required.

Minor non-conformities identified at surveillance must be corrected in the agreed timescale. The action taken will be checked at the next scheduled audit. ACM may require the Client to send evidence to confirm that effective action has been taken. Failure to address minor non-conformities may result in escalation to a major non-conformance and in such cases, the Client agrees to meet extra costs relating to additional closeout work.

Following a Stage 2 audit Clients must undertake their first surveillance before the first-anniversary date of their certificate. If this is not completed on time for any reason the certificate will be suspended. Following the suspension, failure to complete within three months will result in certificate withdrawal.

Re-Certification: A certificate will normally be valid for a period of three years (subject to ongoing compliance as detailed in these terms and conditions) A re-certification audit is required to maintain registration. The Client will notify ACM without delay of any matters incurred that may affect the capability of the management system to fulfil requirements.

The re-certification audit must take place prior to the expiry of the certificate. Should the audit identify any non-conformities these must be corrected by the Client within the agreed timescale agreed with the auditor and subsequently closed out by ACM.

Special Visits: Work required to close out improvements needs or non-conformities on, for example, ISO/ ACS Passport Assessments may require additional revisit audits. The Client agrees to meet the additional costs and these will be quoted by ACM in advance.

In addition, if a complaint is made about a certified Client, or we have received notification of any changes we reserve the right to undertake a special / revisit audit to investigate whether the company is still meeting the requirements of the appropriate standard they are approved to. The client agrees to meet these additional costs.

Independently from the involvement of the competent regulatory authority, a special / revisit audit may be necessary in the event that ACM becomes aware that there has been a serious incident related to occupational health and safety, for example, a serious accident, or a serious breach of regulation, in order to investigate if the management system has not been compromised and did function effectively. ACM shall document the outcome of its investigation.

Information on incidents such as a serious accident, or a serious breach of regulation necessitating the involvement of the competent regulatory authority, provided by the certified Client or directly gathered by the audit team during the special / revisit audit, shall provide grounds for CCAS to decide on the actions to be taken, including a suspension or withdrawal of the certification, in cases where it can be demonstrated that the system seriously failed to meet the OH&S certification requirements.

11. Extension or Revision to the Scope of Registration

This may be applied in the same way as the initial audit, indicating the increased scope of registration required. The audit will be carried out in the areas not previously audited. If successful, a new certificate indicating the new scope will be issued by ACM. There will be a charge for extensions to the scope and the re-issuing of the certificate. Should a certified scope be reduced, the Client will amend all advertising matters.

If a Client is already registered to a particular standard, for example, ISO 45001 and subsequently wishes to add an additional standard such as ISO 9001, this will be treated as a new application and the Rules of Registration relating to initial audits shall be followed.

12. Publicity & Privacy

When a certificate has been issued, the Client has the right to publish the fact. The relevant accreditation marks and logos can be used on stationery and websites relating only to the audited scope of registration and standard. A separate document relating to the use of certification marks and logos will be issued by ACM at the time of registration. ACM will make available on request, the certification status of any client.  The use of any logos must abide by the ACM branding guidelines.

Once certified, the certificate information is placed onto the ACM Certification Certificate Checker which is public domain, the following information will be available: the organisation’s name, the standards, the certificate number and the expiry date.

The Client must not make or permit any misleading statement regarding its certification, the scope and/or standards covered, or the Client’s locations covered by the certification. Any references to a Client’s management system must not imply that ACM certifies a product, service or process.

The Client must not apply certification marks or accreditation marks to laboratory tests, calibration or inspection reports as such reports are deemed to be products.

ACM will contact the Client in relation to organising their certification and to inform/provide information or facts of relevance to their certification.  A copy of the Privacy Notice can be found by clicking here and is available on the ACM website.

13. Logo and Certificate Misuse

The Client shall adhere to the ACM branding guidelines, throughout the certification.  The branding guidelines will be sent to the Client with the certification marks and logos on the successful outcome of the initial certification.

ACM will take all necessary steps to ensure that there is no misuse of the accreditation marks and logos or the certificate by the Client. The Client undertakes not to misuse or misrepresent the marks and logos or the certificate in any way.

14. Fees

ACM will always quote for any work in advance of delivery and ensure Clients are fully aware of their obligations.

All fees are strictly non-refundable and will be paid in accordance with the terms indicated on the invoice.

All fees for audits and annual registration are reviewed annually and are available on request. All fees are subject to VAT and are strictly non-refundable.

Annual fees are payable in advance of audit dates and are to maintain registration.

Fees include mileage and travel but not accommodation which will be arranged separately when required unless included as part of the quotation and noted as included.

Fees include the issue of 1 certificate per standard for new certifications or re-certification cycles. For extra copies required for multiple sites, or at surveillance stages for transfers, an additional cost is incurred.

Additional fees are payable where ACM is required to close out non-conformities raised during an audit. These can be additional document reviews, special visits or on-site audits.

Fees for reinstatement of Registration following a period of suspension or withdrawal will be incurred.  ACM will specify the fees required in advance along with any conditions.

Certificates will not be issued to Clients unless payment has been received.

Instalments are only permissible if the previous year’s fees have been paid in full and on time.

Certificates re-issued as a result of changes to the Clients circumstance like a change of address, or company name. etc., at the client’s request, shall attract a nominal administration fee of £25 + VAT per certificate.

The fee payable for cancellation will be on a sliding scale based on a percentage of ACM’s current day rate for certification days quoted for the job.

ACM may cancel a planned audit which may also result in Registration being suspended or withdrawn if the Client fails to make payment in full on the due date.

Fees include mileage and travel but not accommodation which will be arranged separately when required unless included as part of the quotation and noted as included.

15. Certification Suspension, Withdrawal or Restoring Certification

On completion of the audit, to the appropriate standards or specifications, the certificate:

May be suspended due to:

  • Continued misuse of certification marks and / or ACM logos.
  • Failure to apply corrective action as a result of non-conformities found during an audit or surveillance visits.
  • Failure to allow an audit to be conducted as planned, e.g. surveillance.
  • Breaches in legislation relevant to the Scope of Registration.
  • Failure to pay on time.
  • Any other breach of ACM’s Rules of registration and Terms and Conditions of Contract.

Or withdrawn due to:

  • Failure to respond to requests made by ACM after suspension of certificate.
  • Failure of a Client to settle a financial account.
  • At the Client’s request.
  • Failure to pay.
  • Ceasing to carry on business or threatening to do so, application for insolvency or bankruptcy petition presented against it, entry into voluntary or compulsory liquidation or having a receiver, or administrator appointed over its assets.

Following either the suspension or withdrawal of a certificate the client will discontinue its use and return the original certificate to ACM and discontinue to claim accredited management system registration.

If the Client continues to claim certification following withdrawal then ACM maintains the right to report the Client to the relevant legal authority and to take appropriate legal action.

Certificates cannot be extended beyond the expiry date and if it does expire the consequences will be explained. Following withdrawal, the certificate can be restored if the Client re-applies within the first 6 months of withdrawal, subject to technical review and completion of the re-certification audit process.  After 6 months the Client will need to re-apply and at least be subject to a stage 2 audit. The stage 1 audit can be waived if a technical review confirms no significant changes have occurred since the last audit.

ISO 45001 requirements:- Information on incidents such as a serious accident, or a serious breach of regulation necessitating the involvement of the competent regulatory authority, provided by the certified Client or directly gathered by the audit team during the special audit, shall provide grounds for the Certification Body to decide on the actions to be taken, including a suspension or withdrawal of the certification, in cases where it can be demonstrated that the system seriously failed to meet the OH&S certification requirements. Such requirements shall be part of the contractual agreements between the CAB and the organization.

16. Cancellation of Planned Audits

ACM is committing resources when agreeing on audit dates. Future audit dates are normally agreed between the auditor and Client during an audit and will be recorded in the report. Also, ACM and the Client will agree on dates which will be confirmed by ACM in writing.  It is not our policy to issue reminders and it is the Client’s responsibility to ensure that the audit can be delivered in accordance with the plan.  Consequently, a fee will be charged if a visit is postponed or cancelled within 20 working days of the first day on site. The cancellation fee will be on a sliding scale, based on a percentage of the quoted days.

Where ACM incurs a cost for technical experts, or other accreditation body observers as a result of a Client postponement or cancellation these fees will be charged at cost to the Client.

17. Appeals Procedure

If for any reason a Client disagrees with the Auditor’s verdict they are at liberty to lodge an appeal with ACM’s Managing Director. All appeals will be held in the presence of an Independent Certification Board sub-committee. The sub-committee will hear evidence from the Client’s representative and the relevant Auditor. The decision of the Independent Certification Board is final and binding on both the Client and ACM. No counterclaims will be allowed by either party. No costs, for whatever reason, will be allowed for either party as a result of an appeal. Expenses of the appeal will be met in full by the party who has the decision against them.

18. Client Complaints against ACM Personnel

If a Client has a reason for a complaint this should be submitted in writing to ACM. Documented procedures for handling complaints can be found on the ACM website. All complaints will be responded to in line with the timelines set out in our procedures and will be investigated thoroughly. Results will be sent in writing to the Client.  Following the investigation, if the Client is not satisfied with the outcome it will be referred to a Director or the Client may be asked to lodge an appeal.

19. Complaints against the Registered Company

The Client agrees to make available to ACM or its representative all information pertaining to complaints received by the client from customers, regulators and any other interested parties. In the event of an alleged breach of a relevant legislative or regulatory requirement, the ACM Client/registered company must inform ACM as soon as possible.

20. Audit Team

ACM will provide an appropriately qualified, competent and impartial audit team or individual auditor to deliver the agreed audit plan. In addition, the auditor/audit team may be accompanied by a technical expert, translator or interpreter. The Client has the right to object to any individual auditor but must do so immediately upon notification of the auditor/audit team. ACM reserves the right to change the assigned auditor(s) or add additional auditors to meet operational requirements.

The Client does not have the right to require that a specifically named auditor conducts a particular audit.

To maintain impartiality ACM will review from time to time the frequency of audits undertaken by an auditor with a particular Client. If ACM considers that impartiality is threatened due to familiarity then it may be necessary to change the auditor.

From time to time the auditor/audit team may be accompanied by a trainee. A trainee has no status on the audit and will at all times be under the supervision of a lead auditor. Clients will not be charged for a trainee and advance permission for attendance will always be sought from the Client.

The Client is agreeing with the Rules of Registration and also agrees that no pressure, intimidation or inducement will be offered to ACM auditors or staff designed to change or alter a decision. All instances will be reported to ACM.

21. Witnessed Audits by Accreditation and Authorised Bodies

It is a condition of these Rules of Registration that all ACM certificated Clients should if requested, allow representatives of accreditation or regulatory bodies to witness ACM staff carrying out audits. Failure to allow this could jeopardise the Client’s registration. The presence of any observers will be agreed upon prior to any audit. Observers will have no influence over the outcome of the audit.


22. Terms of Payment

Charges for services will be those agreed in advance with the Client in the quotation and any additional charges as outlined in the Rules of Registration. A quotation will only be deemed to be valid when ACM receives the signed acceptance agreeing to these Rules and Contract Terms

All fees are payable in advance of audits for initial and re-certification. Annual registration fees will be invoiced prior to the anniversary date of the stage two assessment and should be paid in full within 30 days from receipt of invoice or earlier if the anniversary date is within this period.

ACM reserves the right to carry out an annual review of charges and shall endeavour to notify the Client of any resulting changes to the charges at least 30 days prior to implementation.

The Client may cancel this contract by giving notice no later than one month prior to delivery of service.   The Rules of Registration for suspension or withdrawal will apply.

Cancellation of this contract, the audit or surveillance dates by the Client within twenty working days of the agreed dates will result in a cancellation fee. This will be on a sliding scale, based on a percentage of the quoted days as follows; 20 working days or less – 25%, 15 working days or less – 50%, 10 working days or less 100%.

ACM will be unable to deliver services if the Client fails to pay in accordance with the invoice terms and Rules of Registration.

23. Liability

Neither ACM nor any of its servants or agents shall be liable for any loss, expense or damage however so sustained by any company, Client or person due to any act whatsoever taken by ACM or its servants or agents, save to the extent that any attempted exclusion or liability would be contrary to law.  All work and information obtained during an audit will be treated as confidential and not disclosed to any third party unless required by law.

All warranties and conditions and other terms implied by statute or common law are to the fullest extent permitted by law, excluded by this agreement.

The Client acknowledges and accepts that where services are required to change to comply with guidelines or any other legal requirements, ACM shall not be liable for breach under this Agreement.

Nothing in this agreement limits or excludes the liability of ACM for:

  • Death or personal injury resulting from negligence; or
  • Any damage or liability incurred by the Client as a result of fraud, or fraudulent misinterpretation by ACM.

ACM shall not be liable for:

  • Loss of profit;
  • Loss of business;
  • Depletion of goodwill and/or similar losses;
  • Loss of contract
  • Loss or corruption of data or information or
  • Any special indirect, consequential or pure economic loss, costs, damages, charges or expenses;

ACM‘s total liability in contract, (including negligence or breach of statutory duty), misinterpretation, restitution, or otherwise arising in connection with the performance of this agreement shall be limited to the Services Fee.

24. Indemnity

The Client will indemnify and keep indemnified ACM against all and any claims or losses, proceedings, lost profits, damages, awards, expenses, claims and costs suffered by ACM as a result of misuse or misrepresentation by the Client of any certification marks, logos, approval or registration given to the client by ACM under these Rules of Registration Terms and Conditions.

25. Entire Agreement

This Contract constitutes the whole agreement between the parties and supersedes all previous agreements between the parties relating to its subject manner.

Each Party acknowledges that in entering into this Contract it has not relied upon any representation, inducement promise or agreement, whether oral, written or otherwise made by or on behalf of the other Party and which has not been incorporated within or specifically referred to in this Contract, and that no other agreement, statement or promise not contained in this Contract shall be valid or binding.

26. Governed Law and Jurisdiction

This Contract shall be governed and construed in accordance with the Laws of England and Wales. The Parties hereby submit to the exclusive jurisdiction and procedure of the English Courts.

27. Notice and Communication

Any notice to be given under this Agreement shall be in writing and shall be deemed to have been duly given if left at or sent by first class post, registered post or facsimile or other electronic media (email is deemed an acceptable form of communication) to a party at the address or relevant telecommunication number for such party or such other address as the party may from time to time designate by written notice to the other.

Any notice or other document shall be deemed to have been received by the addressee two working days following the date of despatch of the notice or other document by post or, where the notice or other document is sent by hand or is given by facsimile or other electronic media simultaneously with the delivery or transmission.

28. Changes to Terms and Conditions

No variation of the contract shall be valid unless it is in writing and signed by duly authorised representatives of both parties.

A person who is not a party to this contract shall not have any rights under or in connection with it.

Both parties shall comply and shall ensure that each of their sub-contractors, agents and personnel comply with any relevant and applicable anti-bribery and corruption laws, regulations and/or legislation related to delivery and receipt of the services.

29. Anti-Bribery and Corruption

The Client warrants and represents to ACM that it complies with the Bribery Act 2010 and that it has not and shall not, in connection with the services contracted, make, promise or offer to make an offer of payment or transfer of anything of value, directly or indirectly; i) to any government official or to any intermediary for payment to a government official, or ii) to any political party for the purpose of influencing any act or decision of such official or securing an improper advantage to assist ACM in obtaining or retaining business. Failure by the Client to comply with this clause shall constitute a breach of contract

30. Data Protection

  1. Definitions

Processor Personnel: means all directors, officers, employees, agents, consultants and contractors of the Processor and/or of any Sub-Processor engaged in the performance of its obligations under this Agreement.

Data Protection Legislation: (i) the GDPR, the LED and any applicable national implementing Laws as amended from time to time (ii) the DPA 2018; (iiii) all applicable Law about the processing of personal data and privacy.

Data Protection Impact Assessment: an assessment by the Controller of the impact of the envisaged processing on the protection of Personal Data.

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Data Protection Officer take the meaning given in the GDPR.

Data Loss Event: any event that results, or may result, in unauthorised access to Personal Data held by the Processor under this Agreement, and/or actual or potential loss and/or destruction of Personal Data in breach of this Agreement, including any Personal Data Breach.

Data Subject Request: a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation to access their Personal Data.

DPA 2018: Data Protection Act 2018.

GDPR: the General Data Protection Regulation (Regulation (EU) 2016/679).

Joint Controllers: where two or more Controllers jointly determine the purposes and means of processing, and Joint Control shall be construed accordingly.

LED:  Law Enforcement Directive (Directive (EU) 2016/680).

Protective Measures: appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the such measures adopted by it.

Sub-processor: any third Party appointed to process Personal Data on behalf of that Processor related to this Agreement.

    • The Parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Controller and the Contractor is the Processor unless otherwise specified in Annex A. The only processing that the Processor is authorised to do is listed in Annex A by the Controller and may not be determined by the Processor.
    • The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation.
    • The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include:
      • a systematic description of the envisaged processing operations and the purpose of the processing;
      • an assessment of the necessity and proportionality of the processing operations in relation to the Services;
      • an assessment of the risks to the rights and freedoms of Data Subjects; and
      • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
    • The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement:
      • process that Personal Data only in accordance with Annex A, unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law;
      • ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the:
        • nature of the data to be protected;
        • harm that might result from a Data Loss Event;
        • state of technological development; and
        • cost of implementing any measures;
      • ensure that :
        • the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Annex A);
        • it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
      • are aware of and comply with the Processor’s duties under this clause;
      • are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor;
      • are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and
      • have undergone adequate training in the use, care, protection and handling of Personal Data; and
        • not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
          • the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller;
          • the Data Subject has enforceable rights and effective legal remedies;
          • the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
          • the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data;
        • at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data.
      • Subject to clause 2.6, the Processor shall notify the Controller immediately if it:
        • receives a Data Subject Request (or purported Data Subject Request);
        • receives a request to rectify, block or erase any Personal Data;
        • receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation;
        • receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement;
        • receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
        • becomes aware of a Data Loss Event.
      • The Processor’s obligation to notify under clause 2.5 shall include the provision of further information to the Controller in phases, as details become available.
      • Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party’s obligations under Data Protection Legislation and any complaint, communication or request made under clause 2.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing:
        • the Controller with full details and copies of the complaint, communication or request;
        • such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
        • the Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
        • assistance as requested by the Controller following any Data Loss Event;
        • assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner’s Office.
      • The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless:
        • the Controller determines that the processing is not occasional;
        • the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
        • the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
      • The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor.
      • Each Party shall designate its own data protection officer if required by the Data Protection Legislation.
      • Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must:
        • notify the Controller in writing of the intended Sub-processor and processing;
        • obtain the written consent of the Controller;
        • enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 2 such that they apply to the Sub-processor; and
        • provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require.
      • The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors.
      • The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause 2 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).
      • The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this clause and/or the Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
      • If the Parties elect to be, or are deemed to be, separate Data Controllers over the Personal Data relating to the Agreement, then the Parties shall execute a variation to the Agreement (and a revised Annex A) to confirm that the terms of Annex B shall apply to the Agreement.
      • The Parties do not intend to establish a Joint Controllers relationship. However, where the Parties include two or more Joint Controllers in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller agreement in replacement of Clauses 2.1-2.14 for the Personal Data under Joint Control.

References to any regulations or statutes are deemed to include any subsequent revisions or re-enactments.

Annex A

Subject matter of the processing The processing of personal data to the extent necessary for the provision of Services by ACM
Duration of the processing The certification cycle (which is usually three years depending on the continuation of certification service requirements of the Client).

After the certification cycle, ACM shall retain client records in accordance with its document retention requirements.

Nature of the processing The processing of personal data to the extent necessary to provide the Services, and specifically in order to facilitate certification and maintenance of certification to the contracted standard or scheme
Purpose of the processing The processing of personal data to the extent necessary for the provision of the Services by ACM
Personal data types Limited to Client contact employee data (including but not limited to) names, contact addresses, emails and contact telephone numbers
Categories of data subjects Limited to Client employees
Obligations and rights of the controller As set out in the Agreement
Appointed sub-processors ACM uses a number of sub-contractors to provide services. This includes a pool of sole trader auditors who undertake audits on behalf of ACM as required. Clients will be notified in advance of the Auditor. ACM sometimes uses sub contracted technical experts to verify the competence requirements of ACM auditors providing the Services and to undertake file reviews to determine / check the certification decision. ACM is part of the EMB Group and uses the support of the Group to provide corporate financial, HR, ICT, reporting and governance in support of delivery of the Services.


More details about ACM’s processing of personal data is set out in the ACM Privacy Notice, which can be viewed at:

31. Confidentiality

Both parties shall keep in strict confidence and treat the other parties confidential information as confidential and use it only for the purposes of the contract except in so far as may be necessary for the performance of any obligations of the contract or to the extent that such information is generally available to the public or to the extent that disclosure of information is required to be made by law.

Each party agrees that this obligation shall continue in force without limitation in point of time irrespective of the termination of the contract for any reason but shall cease to apply to information once it enters into the public domain. It shall also cease to apply to information which is received independently from another source without the imposition of any duty of confidence.

32. Force Majeure

Neither party shall have any liability to the other if it is prevented from, or delayed in performing, its obligations under the contract, or from carrying on its business by any event(s) or combination of events where such event(s) arises from, or is attributable to acts, events, omissions or accidents beyond the reasonable control of the relevant party including, but not limited to, acts of God, terrorism, war or flood (force majeure event). In such circumstances the time for performance shall be extended by a period equivalent to the period during which performance of the obligation has been delayed or failed to be performed due to the force majeure event.

33. Contact Permission

By agreeing to these terms and conditions you give permission for ACM to contact you by email or telephone for the purpose of certification or certification training.