his is the privacy statement that applies to the platform known as Crewdentials for Crew (the "Platform") and relates to the personal data collected by Crewdentials when you sign up to a Crewdentials account and store your data in that account.
Crewdentials Limited, a company registered in Guernsey with company number 67547 and registered office at La Cherverie, Ruette Des Cherfs, Castel, Guernsey, GY5 7HQ (Crewdentials) is the data controller in respect of certain aspects of your data, and a processor in respect of other aspects. Crewdentials is registered with Office of the Data Protection Authority of Guernsey. The nominated data protection officer is Dan Armsden, contactable on +44(0) 1481 524 524 or email@example.com.
The protection and security of your personal information is of vital importance to us. Our business model is not in any way based on the sale of your personal data and we pride ourselves on this.
Crewdentials provides the tools to allow you to store the documents, certificates and information you choose and allows you to choose which of those to share. You can choose to share with any person, including recruiters, managers and employers (we will call these recipients “Managers” for the purposes of this statement). We will never make these decisions on your behalf. However in order to provide the Platform to you we are required to share your data with some of our service providers. Further details on this can be found at Data Sharing below.
Crewdentials has a separate statement that applies to personal data collected when a Manager uses Crewdentials for Managers and a separate statement which applies to those who contact Crewdentials via the website (e.g. for marketing purposes or to hear about Crewdentials products and services). For residents of California, please see our additional statement in compliance with the California Data Protection law.
Changes to this privacy statement will be published on www.crewdentials.co and will be available when you next log in. Where appropriate or necessary any changes will be notified to you by email. By continuing to maintain an account or by logging on you will be deemed to have accepted the updated policy. The date of this policy is 19 November 2020.
You must only upload your own personal data other than your emergency contact details. You undertake that you have permission from your emergency contact(s) to provide their details. Please make them aware of this privacy statement.
Subject to a few exceptions referred to below, we do not collect personal data on you from third party sources. Therefore all personal data that we collect is provided by you and can be summarised as follows. Other than registration details no fields are mandatory and you can choose how much information to include.
(name, email address, mobile phone number)
(including contact details)
(including the data extracted or data you type into the fields provided)
(including the data extracted or data you type into the fields provided)
Where we are the data controller we must have a lawful basis on which to process your data which we have set out above.
We have provided further details on the lawful bases as follows:
We can rely on this basis where we need to process your data in order to deliver contractual service to you (i.e. your Crewdentials for Crew account). In using this basis we only process what is necessary and in a way which is the least intrusive to your rights.
We can rely on this basis where we are using your data in a way which you would reasonably expect and which have a minimal privacy impact. We have undertaken an exercise to identify our and others’ legitimate interests in processing the data and balance that against your rights and freedoms. You have the right to object to our processing based on legitimate interest.
We only rely on your consent where there is no other lawful basis for our processing. Consent means offering individuals real choice and control. Where we rely on your consent to process your data, you may withdraw your consent at any point.
Certain categories of personal data are considered to be “special category data” and attract further protections under the law. By inputting your health details, medical fitness certificates or other medical records or certificates into the Platform you are explicitly acknowledging and consenting to the fact that such information will be stored in the Platform. We will never share this information with anyone unless you choose to do so in accordance with Data Sharing below.
We may use some anonymised and aggregated data of our users. For example we may use certificate type and date of expiry so that we may provide information on trends and potential demand for certain qualifications or we may aggregate your usage data to calculate the percentage of users accessing a specific feature. Anonymous data is not personal data for the purposes of the data protection law as this data will not directly or indirectly reveal your identity. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy statement.
Under certain circumstances you have the following rights under data protection laws in relation to your personal data:
You also have the right to ask us not to continue to process your personal data for marketing purposes.
You can exercise any of these rights at any time by contacting us at firstname.lastname@example.org or by mailing us at La Cherverie, Ruette Des Cherfs, Castel, Guernsey, GY5 7HQ. You may also contact the Office of Data Protection in Guernsey using the contact details at this link https://odpa.gg/exercising-your-rights/.
Guernsey is not in the EEA, but the European Commission has deemed that Guernsey provides an adequate level of protection for personal data. In order to provide the Platform to you, we may need to transfer your personal data and such transfers may be to third parties also outside of the EEA. These third parties may be processors (where we are data controller) or sub-processors (where we are processor). You consent to us engaging such sub-processors, details of which are available on request.
Whenever we transfer your data to third parties, we will ensure that the necessary contractual provisions are in place to protect your rights by way of a processing or sub-processing agreement. In addition where we transfer your data to a third party outside of the EEA, we ensure that a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
Please contact us if you would like any further information about how we transfer your data out of the EEA.
You choose whether you want to use Crewdentials to share your information with other companies. When you elect to share any of the data stored in the Platform with a Manager, a secure link is sent to the Manager’s email address that you provide. In order to access the link, the Manager will need the email and the password provided in the email. The link can be revoked at any point. Once the Manager has the information and data you have provided, Crewdentials is not responsible for how the Manager deals with that information and data.
When we launch Crewdentials for Managers later in 2020, if you receive a request from a Manager for your information, you choose whether to agree to the request. We will be encouraging Managers to request only the information which they need from you.
You can view a log of all data you have shared, and who it was shared with in the Share section of your Account.
There are limited circumstances in which Crewdentials may share your personal data, such as suspected or confirmed identity fraud or other offences, valid and legally binding requests for information from third parties.
We do not sell your personal data to any person, including but not limited to managers, employers, recruiters, training centres or advertisers.
All information you provide to us is stored on secure third party servers located in the EU. We have built multi-factor authentication into the Platform to improve the security of your account. You are responsible for keeping your password confidential. We ask you not to share a password with anyone. PWAs are served via HTTPS so all data will automatically undergo end to end encryption.
As part of the PWA functionality your browser will collect and store personal data on your device using browser web storage. You may have the option within your browser settings to choose not to store such data automatically. We only store data on our device for performance and offline functionality.
Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.
If you wish to close your account, you may do so by emailing email@example.com. Your data will be deleted within 30 days unless we are obliged to keep it for legal or regulatory purposes (such as an ongoing investigation). We may also be required to keep basic information about our customers for legal, regulatory or tax purposes.
We will monitor account activity such as frequency of log ins. Where a user has not accessed their Crewdentials account for 2 years or more we will email you to request that you actively confirm you still want your account. If you do not confirm, we will delete your account and all data and information stored.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.