CrewPass Ltd (we) are committed to protecting your personal data and respecting your privacy.
CrewPass is available on our site and hosted on www.crewpass.co.uk (Hosted Site).
The CrewPass mobile application software (App) once it has been downloaded or a copy is streamed onto a mobile telephone or handheld device (Device).
Any of the services accessible through the Hosted Site or the App (Services) that are available on the App Site or other sites of ours (Services Sites).
This policy sets out the basis on which any personal data we collect from a user, or that a user provides to us, will be processed by us. The Services are not intended for persons under the age of 18 years and we do not knowingly collect data relating to children. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.
This policy is split into sections to explain our practices of using your personal data within the business. Please contact us via email@example.com if you have any queries regarding this policy.
[IMPORTANT INFORMATION AND WHO WE ARE]
[THE DATA WE COLLECT ABOUT USERS]
[HOW PERSONAL DATA COLLECTED?]
[HOW WE USE PERSONAL DATA]
[DISCLOSURES OF PERSONAL DATA]
[YOUR LEGAL RIGHTS]
[DESCRIPTION OF CATEGORIES OF PERSONAL DATA]
[SCHEDULE 1 - APPROPRIATE POLICY DOCUMENT FOR PROCESSING CRIMINAL CONVICTIONS DATA]
Important information and who we are
CrewPass Ltd is the controller and is responsible for your personal data (collectively referred to as "CPL", "we", "us" or "our" in this policy).
Full name of legal entity: CrewPass Ltd
Email address: firstname.lastname@example.org
Postal address: F1 Adanac North, Adanac Drive, Southampton, Hampshire, England SO16 0BT, United Kingdom
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues.
This version was last updated on 16th November 2022. It may change and if it does, these changes will be posted on this page and, where appropriate, notified to you by SMS, email, or when you next start the App or log onto one of the Services Sites. The new policy may be displayed on-screen and you may be required to read and accept the changes to continue your use of the App or the Services.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.
Our Sites may, from time to time, contain links to and from the websites of our partner networks, advertisers, CrewPass service providers, agencies, vessels and other affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services, such as Contact and Location Data. Please check these policies before you submit any personal data to these websites or use these services.
The data we collect about Users
We may collect, use, store and transfer different kinds of personal data about you as follows:
Criminal Convictions Data.
Marketing and Communications Data.
We explain these categories of data here.
We collect and process information about criminal convictions and offences as part of our employment eligibility checks and CrewPass Accreditation scheme. Our Appropriate Policy Document attached as Schedule 1 details how we process criminal convictions data. Schedule 1 forms an integral part of this policy.
How is personal data collected?
We will collect and process the following data about users:
Information users give us -This is information (including identity, contact, financial marketing and communications data.) a user consents to give us about the user by filling in forms on the App Site and the Services Sites (together Our Sites), or by corresponding with us (for example, by email or chat). It includes information the user provides when the user registers to use the Services, download or registers the App, subscribe to any of our Services, share data via the App's social media or chat functions, or any other activity carried out in connection with the CrewPass Services, and when the user reports a problem with an App, our Services, or any of Our Sites. If the user contacts us, we will keep a record of that correspondence.
Information we collect about the user and the user’s device - Each time a user visits our Site or uses the App we will automatically collect personal data including Device, Content and Usage Data.
Location Data - We may use GPS or similar technology to determine a user’s current location. Some of our location-enabled Services require user personal data for the feature to work.
Information we receive from other sources including third parties and publicly available sources
We will receive personal data about users from various third parties and public sources as set out below:
Contact, Financial and Transaction Data from providers of technical, payment and delivery services based inside or outside the UK;
Identity and Contact Data from data brokers or aggregators based inside or outside the UK;
Identity and Contact Data from publicly available sources inside or outside the UK; and
Criminal Convictions Data from screening agents as well as publicly available sources inside or outside the UK.
Unique application numbers - When a user wants to install or uninstall a Service containing a unique application number or when such a Service searches for automatic updates, that number and information about the user’s installation, for example, the type of operating system, may be sent to us.
During the verification process, our app collects and shares data with Veriff, a third-party identity verification service. This includes personal information, document details, identity verification data, contact details, technical data, machine-readable data, metadata, device and network information, photos and videos, data from external registries, and data from communications with Veriff. Veriff uses this data to authenticate your identity, and the collected data may be shared with us. For more information on how Veriff uses and processes your data, please visit https://www.veriff.com/ privacy-notice.
How we use personal data
We will only use personal data when the law allows us to do so. Most commonly we will use personal data in the following circumstances:
Where a user has consented before the processing.
Where we need to perform a contract we are about to enter or have entered with the user.
Where it is necessary for our legitimate interests (or those of a third party) and the user’s interests and fundamental rights do not override those interests.
Where we need to comply with a legal or regulatory obligation.
Click here to find out more about the types of lawful basis that we will rely on to process your personal data.
Purposes for which we will use your personal data
The following examples show types of personal data and reasons for processing personal data collected by CrewPass when an individual submits this data to CrewPass, thus consenting to its use.
Identity - Identifiable personal data for example an individual's name, postal address and date of birth will be processed when an individual creates a CrewPass account in order to carry out a background check and verify the individual's identity, allow them to install the CrewPass mobile application and participate in the CrewPass Accreditation Scheme.
Contact - Contact information including personal telephone and mobile contact numbers, account names and email addresses will be used to contact individuals to manage and maintain our relationship with them, carry out contractual obligations including notifying them of changes to the app or any service updates, or carry out marketing and communications.
Financial - An individual's financial data including transaction information, financial or bank details and payment information are necessary for our legitimate interests (to collect subscription fees from you and to facilitate employment eligibility checks – background and criminal records checks and ID verification).
Marketing and Communications - We will get a user’s express opt-in consent before we share personal data with any third party for marketing purposes.
Usage - Necessary for our legitimate interests (to keep records updated and to analyse how customers use our products/ Services) and to also monitor trends so we can improve the service and the App.
Device - Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security)
Profile - To manage our relationship with you including notifying you of changes to the App or any Services and to deliver content to you.
Criminal Convictions Data - Performance of a contract with you
Location - Necessary for our legitimate interests (to develop our products/Services and grow our business)
Disclosures of personal data
When a user consent to providing us with their personal data, we will also ask the user for their consent to share that personal data with the third parties set out below for the purposes set out in the table above (Purposes for which we will use your personal data):
Internal Third Parties as set out in the Glossary.
External Third Parties as set out in the Glossary.
Many of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK.
Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
Where we use certain service providers, we may use specific contracts approved by the UK which give personal data the same protection it has in the UK.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
All information you provide to us is stored on our secure servers. Any payment transactions carried out by us or our chosen third-party provider of payment processing services will be using TLS/SSL v1.2 encrypted HTTPS. Where we have given you (or where you have chosen) a password that enables you to access certain parts of Our Sites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.
Certain Services include social networking, chat room or forum features. Ensure when using these features that you do not submit any personal data that you do not want to be seen, collected or used by other users.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.
We retain a user’s personal data for the duration of their contract with us for the provision of services to them for CrewPass.
By law, we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for seven years after they cease being customers for tax purposes.
In some circumstances you can ask us to delete your data: see Your legal rights below for further information.
In some circumstances, we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Your legal rights
Under certain circumstances, you have the following rights under data protection laws in relation to your personal data.
Please click on the links below to find out more about these rights:
You can exercise any of these rights at any time by contacting us at email@example.com
Consent: Processing your personal data where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us.
Legitimate Interest: The interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract: Processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Internal third parties: Other companies in the CrewPass Group acting as joint controllers or processors who are based globally and provide IT and system administration and maintenance services.
External third parties: Service providers acting as processors and screening agents based in countries around the world who provide IT and system administration services, background and criminal record check services. Some examples of this include
Employment or placement agencies based in countries around the world that provide crew placement services to marine vessels and who have registered with CrewPass
Marine vessels employing crew members, using CrewPass for crew management and vessel operations services.
Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based anywhere in the world who provide consultancy, banking, legal, insurance and accounting services.
HM Revenue and Customs, regulators and other authorities acting as processors or joint controllers based anywhere in the world who require reporting of processing activities in certain circumstances.
Your legal rights
You have the right to:
Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data's accuracy
- Where our use of the data is unlawful but you do not want us to erase it
We also suspend processing in situations where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims OR you have objected to our use of your data. We need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time when we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Description of categories of personal data
A user’s personal data can include one or all of the following categories of personal data (including any whole or part of the specific category listed):
Identity Data: first name, last name, maiden name, username or similar identifier, marital status, title, date of birth, gender.
Contact Data: billing address, delivery address, email address and telephone numbers.
Financial Data: bank account and payment card details.
Criminal Convictions Data: details about any criminal convictions, active or spent or any legal suits you have been involved with (either as plaintiff or defendant).
Transaction Data: includes details about payments to and from you, use of the App with vessel beacon technology (including check-in and check-out times), and crew management services.
Device Data: includes the type of mobile device you use, a unique device identifier (for example, your Device's IMEI number, the MAC address of the Device's wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting, interfacing with vessel beacons.
Content Data: includes information stored on your Device, including login information, photos, videos or other digital content, profile information, notice boards, crew rota publications, chat facilities, and other vessel operational uses.
Profile Data: includes your username and password, unique CrewPass ID, crew member’s CrewPass Accreditation, user’s biography including interests, preferences, qualifications, vaccination status, visa status, employment history, and feedback and survey responses.
Usage Data: includes details of your use of the App or visits to Our Sites including, but not limited to, traffic data and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access.
Marketing and Communications Data: includes your preferences in receiving marketing from us and our third parties and your communication preferences.
Location Data: includes your current location disclosed by GPS technology or any similar or successor technology.
SCHEDULE 1 - APPROPRIATE POLICY DOCUMENT FOR PROCESSING CRIMINAL CONVICTIONS DATA AND SPECIAL CATEGORIES OF PERSONAL DATA
About this policy
This is the "appropriate policy document" for CrewPass Ltd setting out how we will protect Criminal Convictions Data and Special Categories of Personal Data.
This document meets the requirement of the Data Protection Act 2018 that an appropriate policy document is in place, where Processing Criminal Convictions Data within certain circumstances.
Controller: the person or organisation that determines when why and how to Process Personal Data.
Criminal Convictions Data: personal data relating to criminal convictions and offences, including Personal Data relating to criminal allegations and proceedings.
Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the Processing of Personal Data.
DPA 2018: the Data Protection Act 2018.
Data Protection Officer (DPO): the person required to be appointed in specific circumstances under the UK GDPR. Where a mandatory DPO has not been appointed, this term means a data protection manager or other voluntary appointments of a DPO or refers to the organisation's data privacy team with responsibility for data protection compliance.
UK GDPR: the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR).
Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably possess. Personal Data includes Special Categories of Personal Data.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Special Categories of Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.
Why do we process Special Categories of Personal Data and Criminal Convictions Data?
We process Special Categories of Personal Data and Criminal Convictions Data for the following purposes:
Assessing an employee's fitness to work;
Complying with health and safety obligations;
Complying with the Equality Act 2010;
Checking applicants' and employees' right to work; and
Verifying that candidates are suitable for employment or continued employment.
Personal data protection principles
The UK GDPR requires personal data to be processed in accordance with the six principles set out in Article 5(1). Article 5(2) requires controllers to be able to demonstrate compliance with Article 5(1).
We comply with the principles relating to the processing of personal data set out in the UK GDPR which require Personal Data to be:
Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency);
Collected only for specified, explicit and legitimate purposes (Purpose Limitation);
Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation);
Accurate and where necessary kept up to date (Accuracy);
Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation); and
Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).
Compliance with data protection principles
Lawfulness, fairness and transparency
Personal Data must be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
We will only Process Personal Data fairly and lawfully and for specified purposes. The UK GDPR restricts our actions regarding Personal Data to specified lawful purposes. We can Process Special Categories of Personal Data and Criminal Convictions Data only if we have a legal ground for Processing and one of the specific Processing conditions relating to Special Categories of Personal Data or Criminal Convictions Data applies. We will identify and document the legal ground and specific Processing conditions relied on for each Processing activity.
When collecting Special Categories of Personal Data and Criminal Convictions Data from Data Subjects, either directly from Data Subjects or indirectly (for example from a third party or publicly available source), we will provide Data Subjects with all the information required by the UK GDPR in a privacy notice which is concise, transparent, intelligible, easily accessible and in clear plain language which can be easily understood.
Data concerning health
Compliance with a legal obligation (Article 6 (1)(c)) or necessary for the performance of a contract with the Data Subject (Article 6(1)(b)).
Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the Data Subject in connection with employment, social security or social protection.
(Paragraph 1(1)(a), Schedule 1, DPA 2018.)
Criminal Convictions Data
In the organisation's legitimate interests (Article 6(1)(f)) which are not outweighed by the fundamental rights and freedoms of the Data Subject.
Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the Controller or the Data Subject in connection with employment, social security or social protection. (Paragraph 1(1)(a), Schedule 1, DPA 2018.)
Meets one of the substantial public interest conditions set out in Schedule 1 to the DPA 2018 (such as employment, social security or social protection and consent of Data Subject).(Schedule 1, DPA 2018.)
Equal opportunity data
In the organisation's legitimate interests (Article 6(1)(f)) which are not outweighed by the fundamental rights and freedoms of the Data Subject.
Necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained.
(Paragraph 8(1)(b), Schedule 1, DPA 2018.)
Personal Data must be collected only for specified, explicit and legitimate purposes. They must not be further Processed in any manner incompatible with those purposes.
Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
We will only collect or disclose the minimum Personal Data required for the purpose for which the data is collected or disclosed. We will ensure that we do not collect excessive data and that the Personal Data collected is adequate and relevant for the intended purposes.
Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
We will ensure that the Personal Data we hold and use is accurate, complete, kept up to date and relevant to the purpose for which it is collected by us. We check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. We take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
We only keep Personal Data in an identifiable form for as long as is necessary for the purposes for which it was collected, or where we have a legal obligation to do so. Once we no longer need Personal Data it shall be deleted or rendered permanently anonymous.
Security, integrity, and confidentiality
Personal Data shall be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We will implement and maintain reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of or damage to Personal Data.
We are responsible for demonstrating compliance with these principles. Our DPO is responsible for ensuring that we are compliant with these principles. Any questions about this policy should be submitted to the DPO.
Ensure that records are kept of all Personal Data Processing activities and that these are provided to the Information Commissioner on request.
Carry out a DPIA for any high-risk Personal Data Processing to understand how Processing may affect Data Subjects and consult the Information Commissioner if appropriate.
Ensure that a DPO is appointed to provide independent advice and monitoring of Personal Data handling and that the DPO has access to report to the highest management level.
Have internal processes to ensure that Personal Data is only collected, used or handled in a way that is compliant with data protection law.
Controller's policies on retention and erasure of personal data
We take the security of Special Categories of Personal Data and Criminal Convictions Data very seriously. We have administrative, physical and technical safeguards in place to protect Personal Data against unlawful or unauthorised Processing, or accidental loss or damage. We will ensure, where Special Categories of Personal Data or Criminal Convictions Data are Processed that:
The Processing is recorded, and the record sets out, where possible, a suitable time period for the safe and permanent erasure of the different categories of data in accordance with our Data Retention Policy.
Where we no longer require Special Categories of Personal Data or Criminal Convictions Data for the purpose for which it was collected, we will delete it or render it permanently anonymous as soon as possible.
Where records are destroyed, we will ensure that they are safely and permanently disposed of.
This policy on Processing Special Categories of Personal Data and Criminal Convictions Data is reviewed annually.
The policy will be retained when we process Special Categories of Personal Data and Criminal Convictions Data and for a period of at least six months after we stop carrying out such processing.
A copy of this policy will be provided to the Information Commissioner upon request and free of charge.