CREWPASS® PRIVACY POLICY

Introduction 

CrewPass Ltd (we) are committed to protecting your personal data and respecting your privacy.

This policy (together with our user terms and conditions (Agreement) and any additional terms of use incorporated by reference into the Agreement, together our Terms of Use) applies to any use of:

This policy sets out the basis on which any personal data we collect from a user, or that a user provides to us, will be processed by us. The Services are not intended for persons under the age of 18 years and we do not knowingly collect data relating to children. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

This policy is split into sections to explain our practices of using your personal data within the business. Please contact us via info@crewpass.co.uk if you have any queries regarding this policy.

[IMPORTANT INFORMATION AND WHO WE ARE]

[THE DATA WE COLLECT ABOUT USERS]

[HOW IS PERSONAL DATA COLLECTED?]

[HOW WE USE PERSONAL DATA]

[DISCLOSURES OF PERSONAL DATA]

[INTERNATIONAL TRANSFERS]

[DATA SECURITY]

[DATA RETENTION]

[YOUR LEGAL RIGHTS]

[GLOSSARY]

[DESCRIPTION OF CATEGORIES OF PERSONAL DATA]

[SCHEDULE 1 - APPROPRIATE POLICY DOCUMENT FOR PROCESSING CRIMINAL CONVICTIONS DATA]


Important information and who we are

CrewPass Ltd is the controller and is responsible for your personal data (collectively referred to as "CPL", "we", "us" or "our" in this policy).

If you have any questions about this privacy policy, please contact us using the details set out below:

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues. 

Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review. 

This version was last updated on 16th November 2022. It may change and if it does, these changes will be posted on this page and, where appropriate, notified to you by SMS, email, or when you next start the App or log onto one of the Services Sites. The new policy may be displayed on-screen and you may be required to read and accept the changes to continue your use of the App or the Services.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you. 

Third-party links

Our Sites may, from time to time, contain links to and from the websites of our partner networks, advertisers, CrewPass service providers, agencies, vessels and other affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services, such as Contact and Location Data. Please check these policies before you submit any personal data to these websites or use these services.


The data we collect about Users

We may collect, use, store and transfer different kinds of personal data about you as follows:

We explain these categories of data here.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from a user’s personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate any Usage Data to calculate the percentage of users accessing a specific Service or App feature. However, if we combine or connect Aggregated Data with specific personal data so that it can directly or indirectly identify a user, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We collect and process information about criminal convictions and offences as part of our employment eligibility checks and CrewPass Accreditation scheme. Our Appropriate Policy Document attached as Schedule 1 details how we process criminal convictions data. Schedule 1 forms an integral part of this policy.


How is personal data collected?

We will collect and process the following data about users:

Information we receive from other sources including third parties and publicly available sources

We will receive personal data about users from various third parties and public sources as set out below:

Cookies

You can set your browser to refuse all or some browser cookies or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy.


How we use personal data

We will only use personal data when the law allows us to do so. Most commonly we will use personal data in the following circumstances: 

Click here to find out more about the types of lawful basis that we will rely on to process your personal data.

Purposes for which we will use your personal data

The following examples show types of personal data and reasons for processing personal data collected by CrewPass when an individual submits this data to CrewPass, thus consenting to its use.

Identity - Identifiable personal data for example an individual's name, postal address and date of birth will be processed when an individual creates a CrewPass account in order to carry out a background check and verify the individual's identity, allow them to install the CrewPass mobile application and participate in the CrewPass Accreditation Scheme.

Contact - Contact information including personal telephone and mobile contact numbers, account names and email addresses will be used to contact individuals to manage and maintain our relationship with them, carry out contractual obligations including notifying them of changes to the app or any service updates, or carry out marketing and communications.

Financial - An individual's financial data including transaction information, financial or bank details and payment information are necessary for our legitimate interests (to collect subscription fees from you and to facilitate employment eligibility checks – background and criminal records checks and ID verification).

Marketing and Communications - We will get a user’s express opt-in consent before we share personal data with any third party for marketing purposes.

Usage - Necessary for our legitimate interests (to keep records updated and to analyse how customers use our products/Services) and to also monitor trends so we can improve the service and the App.

Device - Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security) 

Profile - To manage our relationship with you including notifying you of changes to the App or any Services and to deliver content to you. 

Criminal Convictions Data - Performance of a contract with you

Location - Necessary for our legitimate interests (to develop our products/Services and grow our business)


Disclosures of personal data

When a user consents to providing us with their personal data, we will also ask the user for their consent to share that personal data with the third parties set out below for the purposes set out in the table above (Purposes for which we will use your personal data):


International transfers

Many of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.


Data security

All information you provide to us is stored on our secure servers. Any payment transactions carried out by us or our chosen third-party provider of payment processing services will use TLS/SSL v1.2 encrypted HTTPS. Where we have given you (or where you have chosen) a password that enables you to access certain parts of Our Sites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way. 

Certain Services include social networking, chat room or forum features. Ensure when using these features that you do not submit any personal data that you do not want to be seen, collected or used by other users.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.


Data retention

We retain a user’s personal data for the duration of their contract with us for the provision of services to them for CrewPass.

By law, we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for tax purposes for seven years after they cease being customers.

In some circumstances you can ask us to delete your data: see Your legal rights below for further information.

In some circumstances, we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.


Your legal rights

Under certain circumstances, you have the following rights under data protection laws in relation to your personal data. 

Please click on the links below to find out more about these rights: 

Request access to your personal data.

Request correction of your personal data.

Request erasure of your personal data. 

Object to processing of your personal data.

Request restriction of processing your personal data.

Request transfer of your personal data.

Right to withdraw consent. 

You can exercise any of these rights at any time by contacting us at customerservice@crewpass.co.uk 

Glossary

Consent: Processing your personal data where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us. 

Legitimate Interest: The interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract: Processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Internal third parties: Other companies in the CrewPass Group acting as joint controllers or processors who are based globally and provide IT and system administration and maintenance services.

External third parties: Service providers acting as processors and screening agents based in countries around the world who provide IT and system administration services, background and criminal record check services. Some examples of this include

Your legal rights

You have the right to:

- If you want us to establish the data's accuracy

- Where our use of the data is unlawful but you do not want us to erase it

We also suspend processing in situations where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims, or where you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.


Description of categories of personal data

A user’s personal data can include one or all of the following categories of personal data (including any whole or part of the specific category listed):


SCHEDULE 1 - APPROPRIATE POLICY DOCUMENT FOR PROCESSING CRIMINAL CONVICTIONS DATA AND SPECIAL CATEGORIES OF PERSONAL DATA

About this policy

  1. This is the "appropriate policy document" for CrewPass Ltd setting out how we will protect Criminal Convictions Data and Special Categories of Personal Data.

  2. This policy supports CrewPass’ Privacy Policy and adopts its definitions.

  3. This document meets the requirement of the Data Protection Act 2018 that an appropriate policy document is in place when Processing Criminal Convictions Data in certain circumstances.

Definitions 

Controller: the person or organisation that determines when, why and how to Process Personal Data.

Criminal Convictions Data: personal data relating to criminal convictions and offences, including Personal Data relating to criminal allegations and proceedings.

Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the Processing of Personal Data.

DPA 2018: the Data Protection Act 2018.

Data Protection Officer (DPO): the person required to be appointed in specific circumstances under the UK GDPR. Where a mandatory DPO has not been appointed, this term means a data protection manager or other voluntary appointments of a DPO or refers to the organisation's data privacy team with responsibility for data protection compliance.

UK GDPR: the retained EU law version of the General Data Protection Regulation ((EU) 2016/679).

Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably possess. Personal Data includes Special Categories of Personal Data.

Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Special Categories of Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.

Why do we process Special Categories of Personal Data and Criminal Convictions Data? 

We process Special Categories of Personal Data and Criminal Convictions Data for the following purposes:

Personal data protection principles

The UK GDPR requires personal data to be processed in accordance with the six principles set out in Article 5(1). Article 5(2) requires controllers to be able to demonstrate compliance with Article 5(1).

We comply with the principles relating to the processing of personal data set out in the UK GDPR which require Personal Data to be:

Personal Data must be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

We will only Process Personal Data fairly and lawfully and for specified purposes. The UK GDPR restricts our actions regarding Personal Data to specified lawful purposes. We can Process Special Categories of Personal Data and Criminal Convictions Data only if we have a legal ground for Processing and one of the specific Processing conditions relating to Special Categories of Personal Data or Criminal Convictions Data applies. We will identify and document the legal ground and specific Processing conditions relied on for each Processing activity.

When collecting Special Categories of Personal Data and Criminal Convictions Data from Data Subjects, either directly from Data Subjects or indirectly (for example from a third party or publicly available source), we will provide Data Subjects with all the information required by the UK GDPR in a privacy notice which is concise, transparent, intelligible, easily accessible and in clear plain language which can be easily understood.

Data concerning health 

Compliance with a legal obligation (Article 6(1)(c)) or necessary for the performance of a contract with the Data Subject (Article 6(1)(b)).

Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the Data Subject in connection with employment, social security or social protection.

(Paragraph 1(1)(a), Schedule 1, DPA 2018.)

Criminal Convictions Data 

In the organisation's legitimate interests (Article 6(1)(f)) which are not outweighed by the fundamental rights and freedoms of the Data Subject.

Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the Controller or the Data Subject in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.)

Meets one of the substantial public interest conditions set out in Schedule 1 to the DPA 2018 (such as employment, social security or social protection and consent of Data Subject). (Schedule 1, DPA 2018.)

Equal opportunity data 

In the organisation's legitimate interests (Article 6(1)(f)) which are not outweighed by the fundamental rights and freedoms of the Data Subject.

Necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained.

(Paragraph 8(1)(b), Schedule 1, DPA 2018.)

Purpose limitation 

Personal Data must be collected only for specified, explicit and legitimate purposes. They must not be further Processed in any manner incompatible with those purposes.

We will only collect personal data for specified purposes and will inform Data Subjects what those purposes are in the Privacy Policy. We will not use Personal Data for new, different or incompatible purposes from those disclosed when it was first obtained unless we have informed the Data Subject of the new purposes and they have consented where necessary.

Data minimisation

Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

We will only collect or disclose the minimum Personal Data required for the purpose for which the data is collected or disclosed. We will ensure that we do not collect excessive data and that the Personal Data collected is adequate and relevant for the intended purposes.

Accuracy 

Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

We will ensure that the Personal Data we hold and use is accurate, complete, kept up to date and relevant to the purpose for which it is collected by us. We check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. We take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.

Storage limitation 

We only keep Personal Data in an identifiable form for as long as is necessary for the purposes for which it was collected, or where we have a legal obligation to do so. Once we no longer need Personal Data it shall be deleted or rendered permanently anonymous.

We will ensure Data Subjects are informed of the period for which data is stored and how that period is determined in the Privacy Policy.

Security, integrity, and confidentiality

Personal Data shall be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

We will implement and maintain reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of or damage to Personal Data.

Accountability principle

We are responsible for demonstrating compliance with these principles. Our DPO is responsible for ensuring that we are compliant with these principles. Any questions about this policy should be submitted to the DPO.

We will:

  1. Ensure that records are kept of all Personal Data Processing activities and that these are provided to the Information Commissioner on request.

  2. Carry out a DPIA for any high-risk Personal Data Processing to understand how Processing may affect Data Subjects and consult the Information Commissioner if appropriate.

  3. Ensure that a DPO is appointed to provide independent advice and monitoring of Personal Data handling and that the DPO has access to report to the highest management level.

  4. Have internal processes to ensure that Personal Data is only collected, used or handled in a way that is compliant with data protection law.

Controller's policies on retention and erasure of personal data

We take the security of Special Categories of Personal Data and Criminal Convictions Data very seriously. We have administrative, physical and technical safeguards in place to protect Personal Data against unlawful or unauthorised Processing, or accidental loss or damage. We will ensure, where Special Categories of Personal Data or Criminal Convictions Data are Processed that:

  1. The Processing is recorded, and the record sets out, where possible, a suitable time period for the safe and permanent erasure of the different categories of data in accordance with our Data Retention Policy.

  2. Where we no longer require Special Categories of Personal Data or Criminal Convictions Data for the purpose for which it was collected, we will delete it or render it permanently anonymous as soon as possible.

  3. Where records are destroyed, we will ensure that they are safely and permanently disposed of.

Data Subjects receive our Privacy Policy setting out how their Personal Data will be handled when we first obtain their Personal Data, and this will include the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period.

Review 

  1. This policy on Processing Special Categories of Personal Data and Criminal Convictions Data is reviewed annually. 

  2. The policy will be retained when we process Special Categories of Personal Data and Criminal Convictions Data and for a period of at least six months after we stop carrying out such processing. 

  3. A copy of this policy will be provided to the Information Commissioner upon request and free of charge.

Dated: 16/11/2022

Review date: 16/11/2022

Next review: 16/11/2023