This is the privacy statement that applies to the platform known as Crewdentials for Managers (the Platform) and relates to the personal data collected by Crewdentials where, as a Customer, you sign up to Crewdentials for Managers, or a User Account is created for you by one of our Customers.
Crewdentials Limited, a company registered in Guernsey with company number 67547 and registered office at Victoria House, 29 – 31 High Street, St Peter Port, Guernsey GY1 2JX (Crewdentials) is registered with Office of the Data Protection Authority of Guernsey. The nominated data protection officer is Ellen Armsden, contactable on +44 (0)1481 524 524 or firstname.lastname@example.org.
Crewdentials for Managers provides the tools to allow you to store data, documents, certificates and information and collaborate on them with your Clients and Crew Members. In relation to that service, Crewdentials acts as data processor, or data sub-processor (where you are the processor on behalf of your Client). Given the nature of that relationship, our Manager Terms and Conditions act as a data processing agreement compliant with the various data protection laws and standards.
Personal Data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Subject to a few exceptions referred to below, we do not collect personal data on you from third party sources. Therefore all personal data that we collect is provided by you or on your behalf (for example by your employer) and can be summarised as follows.
Changes to this privacy statement will be published on crewdentials.com and will be available when you next log in to the Platform. Where appropriate or necessary any changes will be notified to you by email. By continuing to maintain an account or by logging on you will be deemed to have accepted the updated policy. The date of this policy is April 2022.
Data Controller Activities
Not all of the following types of data will necessarily be collected from you but this is the full scope of data that we collect. We must have a lawful basis on which to process your data which we have set out below:
We have provided further details on the lawful bases as follows:
Contract: We can rely on this basis where we need to process your data in order to deliver contractual service to you (ie your Crewdentials for Managers account). In using this basis we only process what is necessary and in a way which is the least intrusive to your rights.
Legitimate Interests: We can rely on this basis where we are using your data in a way which you would reasonably expect and which have a minimal privacy impact. We have undertaken an exercise to identify our and others’ legitimate interests in processing the data and balance that against your rights and freedoms. You have the right to object to our processing based on legitimate interest.
Your Consent: We only rely on your consent where there is no other lawful basis for our processing. Consent means offering individuals real choice and control. Where we rely on your consent to process your data, you may withdraw your consent at any point.
Your Data Rights
Under certain circumstances you have the following rights under data protection laws in relation to your personal data:
- Request access to your personal data.
- Request correction of your personal data.
- Request erasure of your personal data.
- Object to processing of your personal data.
- Request restriction of processing your personal data.
- Request transfer of your personal data.
- Right to withdraw consent.
You also have the right to ask us not to continue to process your personal data for marketing purposes.
You can exercise any of these rights at any time by contacting us at email@example.com or mailing us at Victoria House, 29 – 31 High Street, St Peter Port, Guernsey, GY1 2JX.
If you are not satisfied with our response, you may also contact the Office of Data Protection in Guernsey using the contact details at this link https://odpa.gg/exercising-your-rights/.
We do not collect any special category data such as medical details, religious or philosophical beliefs.
We will only use your data for the purpose for which we have collected it unless we believe that any additional purpose is compatible with the original purpose. We will happily give an explanation as to the compatibility should you wish.
Data Sharing and Data Processing
Guernsey is not in the EEA but the European Commission has deemed that Guernsey provides an adequate level of protection for personal data. In order to provide the Platform to you, we may need to transfer your personal data and such transfers may be to third parties also outside of the EEA. These third parties may be processors (where we are data controller).
We keep any data sharing to a minimum but there are certain elements of our service and product provision that mean data sharing is necessary (for example the providers of certain software components within the Platform such as the multi factor authentication). We may need to share data with other service providers, our employees, agents and any relevant authorities.
Whenever we transfer your data to third parties, we will ensure that the necessary contractual provisions are in place to protect your rights by way of an agreement containing processing or sub-processing clauses if necessary
In addition where we transfer your data to a third party outside of the EEA, we ensure that a similar degree of protection is afforded to it by ensuring there is an appropriate safeguard in place Please contact us if you would like any further information about how we transfer your data out of the EEA.
There are limited circumstances in which Crewdentials may share your personal data, such as suspected or confirmed identity fraud or other offences, valid and legally binding requests for information from third parties.
We do not sell your personal data to any person.
All information you provide to us is stored on secure third party servers located in the EU. We have built multifactor authentication into the Platform to improve the security of your account. You are responsible for keeping your password confidential. We ask you not to share a password with anyone. PWAs are served via HTTPS so all data will automatically undergo end to end encryption.
As part of the PWA functionality your browser will collect and store personal data on your device using browser web storage. You may have the option within your browser settings to choose not to store such data automatically. We only store data on our device for performance and offline functionality.
Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.
We have contracted with the Customer to provide the Platform to you and the Customer has established your Account and is responsible for closing your account. Should you wish to close your Account you can do so by asking our Customer.
If you are a Customer in your own right, you can close your Account in accordance with the Manager Terms and Conditions.
Upon closure of your Account, we may still be required to keep some or all of your personal data for legal or regulatory purposes (such as an ongoing investigation). We may also be required to keep basic information about our customers for legal, regulatory or tax purposes.
We will monitor account activity such as frequency of log ins.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.