Privacy policy

Portico Shipping Limited

Privacy Notice and Policy

Privacy Notice

1. Portico Shipping Limited is committed to respecting privacy and protecting any personal
information that is collected or processed in accordance with the requirements of the EU
General Data Protection Regulation (the “GDPR”) and/or any other applicable Data
Protection laws or regulations (as may be amended from time to time) which safeguards
personal data.

2. This Privacy Notice and Policy is issued by Portico Shipping Limited. All references to
“we”, “our”, “Portico” or “us” in this Notice and Policy are references to Portico Shipping
Limited, which is incorporated in England with company number 02012886. References
to “Customer” are references to any organisation or entity to whom Portico supply
services and/or provide any information in connection with the provision of such services.
References to “you” or “your” are references to any individual to whom services are
supplied or who is otherwise engaged or employed by Portico or one of our Customers.

3. This Privacy Notice provides information about how Portico collects and processes your
personal information. It also sets out our Policy for the protection of any personal data
which may be collected by Portico during your interactions with us for the provision of
services, when you visit our marine container Terminal (which includes the land, premises
and berth space used by Portico within the port of Portsmouth) or when you use our
Website. “Personal data” is any information relating to a living individual, by means of
which information that individual can be identified directly or indirectly. “Processing”
means any operation or set of operations which is performed on personal data, and
includes compiling, keeping, using, sharing or otherwise making available to others,
altering and erasing personal data.

Responsibility for data protection compliance

4. Portico determines the purposes and means of any processing of personal data that it
undertakes. It is therefore a “controller” of personal data for the purposes of the GDPR
and is registered as such with the Information Commissioner’s Office (ICO) with
registration number Z8711731.

5. Any questions in relation to this Policy or regarding Portico’s processing of personal
data (as well as any requests relating to the exercise of rights referred to in paragraphs
16 and 17) should, in the first instance, be addressed to Melanie Bunting, HR Business
Partner, Flathouse Quay, Prospect Road, Portsmouth, PO2 7SP. If you have reason to
believe that the company may be in breach of the General Data Protection Regulations
in their processing of your personal data, please report this to Melanie Bunting, HR
Business Partner or Bruce Corbett, Compliance Manager as soon as possible. The
company is responsible for reporting any breach of GDPR to the ICO.

6. Portico expressly reserves the right to make changes to this Policy from time to time.
Where it is possible to do so, advance notice of any significant changes made to this
Policy will be given. Please visit our Website to keep up to date with any changes to this
Policy. This Privacy Policy was last updated on 1 April 2019.

The lawful basis for processing data

7. The processing of personal data is lawful only if the controller can rely on one of the lawful
bases for processing under the GDPR, which are listed as (a) to (f) in paragraph 1 of
Article 6 of the GDPR, and in which you are described as the “data subject”.

8. For such processing of personal data as Portico engages in, it may rely on bases (a), (b),
(c), and (f) of paragraph 1 of Article 6 of the GDPR as follows:
(a) Consent – (in any cases in which you have consented to processing) “the data subject
has given consent to the processing of his or her personal data for one or more
specific purposes”.
(b) Contract – (in cases where we have a contract with you or such a contract is being
negotiated) “processing is necessary for the performance of a contract to which the
data subject is a party or in order to take steps at the request of the data subject prior
to entering into a contract”. Where you are the Customer, there will be a contract or
prospective contract between you and Portico, pursuant to which Portico will supply
services to you.
(c) Legal Obligation – (where processing by Portico is required in order to comply with
its non-contractual legal obligations, in particular statutory and common law
obligations) “processing is necessary for compliance with a legal obligation to which
the controller is subject”.
(f) Legitimate Interests – “processing is necessary for the purposes of the legitimate
interests pursued by the controller or by a third party, except where such interests
are overridden by the interests or fundamental rights and freedoms of the data subject
which require protection of personal data, in particular where the data subject is a
child”. Legitimate interests can include commercial interests and non-electronic
marketing activities. Portico has considered its present use of personal data and
concluded that that the processing presents no risk to the interests or fundamental
rights and freedoms of any persons such as would prevent such processing. In
determining whether legitimate interests are involved in the processing, Portico
conducts a purpose test (identifying the legitimate interest), a necessity test (showing
that processing is necessary to achieve the purpose), and a balancing test (that the
processing is proportionate and has a minimal privacy impact on any individual’s
interests, rights and freedoms).

Information held by Portico and how it is used

9. Portico processes various types of personal data including the following:

  • Personal identifiers/details such as name, address, employer, job title, contact details
    (e.g. e-mail and phone numbers), which we use to fulfil any request you make and to
    allow you to participate in any interactive features of our service;
  • Financial information and account details such as national insurance number, bank
    account number or other financial account number and account details;
  • Credit checking information such as details of your credit history, credit reference
    information and credit scores;
  • Professional information (such as educational background, previous positions
    professional qualifications and experience, employment details/references, work
    permits or visas, where relevant);
  • Marketing and business development data relating to people who have expressed
    interest in the services provided by Portico and any survey or consultation responses
    or other information which you may voluntarily provide to Portico;
  • Information collected by our security personnel about your visit and collected from
    our information technology systems, such as access control systems, door entry and
    reception logs, CCTV and surveillance system recordings.

10. When you provide us with personal data relating to third parties such as your employees
or your visitors, you warrant and confirm that you have the consent of the third party to
share such information with us.

11. Portico does not engage in the large-scale processing of personal data, processing
activity considered to be high risk by the ICO, systematic monitoring of the public,
automated decision making, or personal data profiling. It is Portico’s policy not to process
or have any involvement in the processing of data relating to children, or the processing
of special categories of personal data namely:

  • data revealing or concerning a person’s health, racial or ethnic origin, political
    opinions, religious or philosophical beliefs, trade union membership, or sex life or
    sexual orientation, or
  • genetic or biometric data that uniquely identifies a person.

12. Portico does not process any personal data that it holds other than for the purposes listed
below, together with the lawful bases for processing (a), (b), (c), and (f) of the GDPR (as
referred to in paragraph 8 above) that may apply:

  • to provide the services that Customers have instructed us to provide [bases (b) and
    (f)];
  • to help us manage and improve our services to Customers [bases (a), (b) and (f)];
  • to prevent and detect fraud, financial and other crime and money laundering [bases
    (c) and (f)];
  • to ensure the security of our Terminal, land, premises and berth space within the Port,
    protect the health and safety of individuals when visiting the aforementioned areas
    and to control the issue of dock passes or such other formalities as may be required
    in connection with any vessels arriving at the Port [bases (a), (c), and (f)];
  • to ensure that we comply with all legal and regulatory compliance obligations [bases
    (c) and (f)];
  • to enable Portico to pursue its legitimate interests including marketing activities
    [bases (a) and (f)]; and
  • to enable our Customers to pursue their legitimate interests [bases (b) and (f)].

13. It will sometimes be necessary for Portico to pass on information to third parties. For
example, Portico may share your personal data with:

  • Government Agencies, legal advisers, auditors, accountants, insurers and insurance
    brokers or other professional advisors;
  •  third party service providers, contractors or any other organisations which Portico
    may need to liaise in connection with any operations or services provided at the Port.
    Portico’s use of certain cloud computing facilities involves the storage and processing of
    some personal data outside Portico’s own computer systems. It is also possible that
    external companies may occasionally conduct audit or quality checks on the services that
    Portico provides. All such third parties are required to maintain confidentiality in relation
    to your personal data and comply fully with the GDPR.

14. It is also occasionally necessary for Portico to share personal data outside of the

  • European Economic Area (“EEA”). For example (and without limitation):
    with our service providers or any other agencies or organisations located outside of
    the EEA;
  • if any Customer or you are based outside the EEA;

Before any personal data is transferred outside of the EEA, Portico adopts certain
procedures and safeguards with a view to ensuring that any such information is fully
protected in accordance with any applicable data protection law. Further details on the
safeguards implemented by Portico can be provided, upon request, from Melanie Bunting
(at the address set out in paragraph 5 above).

Compliance with data protection principles

15. All processing of your personal data is undertaken in accordance with six data protection
principles (specified in Article 5 of the GDPR). The data protection principles are as
follows:

  • 15.1 Lawfulness, fairness and transparency – Personal data shall be processed
    lawfully, fairly and in a transparent manner.
  • 15.2 Purpose limitation – Personal data shall be collected for specified, explicit
    and legitimate purposes and not further processed in a manner that is incompatible
    with those purposes. Portico collects and processes personal data only when this is
    necessary for any of the purposes indicated in paragraphs 12-14 above.
  • 15.3 Data minimisation – Personal data shall be adequate, relevant and limited to
    the minimum of data necessary to the purposes for which they are processed.
  • 15.4 Accuracy – Personal data shall be accurate and, where necessary, kept up to
    date; every reasonable step must be taken to ensure that personal data that are
    inaccurate, having regard to the purposes for which they are processed, are erased
    or rectified without delay.
  • 15.5 Storage limitation – Personal data shall be kept in a form which permits
    identification of data subjects for no longer than is necessary for the purposes for
    which the personal data are processed. Without prejudice to the rights of individuals
    in respect of personal data held about them and to any legal requirements for the
    retention of data, Portico will ordinarily keep personal data in a form that permits
    individual identification, for so long as it may be necessary to process the data for the
    purposes indicated, and will thereafter entirely erase the data.
  • 15.6 Integrity and Confidentiality – Personal data shall be processed in a manner
    that ensures appropriate security of the personal data, including protection against
    unauthorised or unlawful processing and against accidental loss, destruction or
    damage, using appropriate technical or organisational measures. Portico recognises
    the importance of securing the data it holds and has put in place appropriate security
    measures to prevent your personal data being accidentally lost, or used, altered or
    disclosed to third parties in an unauthorised way. The measures include the
    protection of mobile devices against theft and preventing third parties from gaining
    access to data on stolen devices. Portico limits access to your personal data to those
    employees, agents, contractors and other third parties who have a need to know.
    They are subject to a duty of confidentiality and will only process your personal data
    in accordance with paragraphs 13-14 above and on Portico’s express instructions.
    All employees who may process personal data undertake appropriate data protection
    training. Portico has also adopted procedures to deal with any suspected data
    security breach and shall notify you and any applicable regulator of a suspected
    breach where it is legally required to do so.
Right of Access

16. You have the right to ask us whether or not personal data concerning you is being
processed and, where that is the case, to be given access to the personal data in machine
readable form (together with the information set out in GDPR Article 15 paragraph 1).

Other rights
17. You have additional rights, which include:

  • The right to rectification of any inaccurate personal data (Articles 16 and 19 of GDPR),
  • The right under Articles 17 and 19 of GDPR to erasure of personal data in various
    circumstances (i.e. the right to be forgotten),
  • The right to restrict processing in various circumstances (Articles 18 and 19 of
    GDPR),
  • The right to data portability i.e. to have data transferred to another organisation
    (Article 20 of GDPR), and
  • The right to object to processing of personal data in certain circumstances including
    (amongst other things) direct marketing and profiling (Articles 21 and 22 of GDPR).
  • The right to withdraw consent – if you do give consent to any processing of personal
    data, you can change your mind and withdraw it at a later date.
  • The right to report concerns to the ICO, whose website is https://ico.org.uk
  • Dated 01.04.19