This CrewPass Data Processing Agreement (this DPA) supplements the CrewPass Participation Agreement (the Agreement) and is entered into between CrewPass Limited (CrewPass, CPL, we, us, our) and the Participant identified in the Agreement (you, your, Participant). It applies in respect of any Personal Data processed in connection with your use of CrewPass.
This DPA replaces and supersedes any prior data processing terms between the parties, including any reference to the 2004 Standard Contractual Clauses (Commission Decision C(2004)5721).
For Participants who require a separately signed copy of this DPA for procurement or compliance purposes, please request one from dpa@crewpass.co.uk.
1. Definitions
In this DPA the following terms have the meanings given below. Capitalised terms not defined here have the meanings given in the Agreement.
- Affiliate means, in relation to a party, an entity that (directly or indirectly) controls, is controlled by, or is under common control with that party.
- Applicable Data Protection Laws means all laws, regulations and binding regulatory guidance applicable to the processing of Personal Data under this DPA, including the UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025, the EU GDPR (where applicable), and the Privacy and Electronic Communications Regulations 2003 (PECR), each as amended from time to time.
- Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing, Processed and Special Categories of Personal Data have the meanings given in Applicable Data Protection Laws.
- Data Subject Request means a request from a Data Subject to exercise rights under Applicable Data Protection Laws.
- EU SCCs means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- Personal Data Breach has the meaning given in Article 4(12) of the UK GDPR.
- Restricted Transfer means a transfer of Personal Data from a jurisdiction in which such transfer is restricted under Applicable Data Protection Laws to a jurisdiction outside that jurisdiction.
- Sub-processor means any third party engaged by CrewPass to Process Personal Data on its behalf in connection with the Services.
- Supervisory Authority means the Information Commissioner's Office (ICO) and any other competent data-protection authority.
- UK Addendum means the International Data Transfer Addendum to the EU SCCs issued by the ICO under section 119A of the Data Protection Act 2018, version B1.0 (or such later version as is in force).
- UK IDTA means the International Data Transfer Agreement issued by the ICO under section 119A of the Data Protection Act 2018, version A1.0 (or such later version as is in force).
2. Roles of the parties
2.1 Each party acknowledges that, in respect of Personal Data processed in connection with the Services, the parties act as independent Controllers. Each party shall comply with its own obligations under Applicable Data Protection Laws in respect of Personal Data it Processes.
2.2 This DPA does not constitute a Controller-to-Processor relationship. Where, in connection with a specific service, CrewPass acts as a Processor on behalf of the Participant, a separate processor agreement will be put in place.
3. Compliance
3.1 Each party shall:
(a) only Process Personal Data lawfully, fairly and in a transparent manner and in compliance with Applicable Data Protection Laws;
(b) maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data;
(c) ensure that personnel authorised to Process Personal Data are subject to appropriate confidentiality obligations and are appropriately trained;
(d) maintain records of its Processing activities in accordance with Applicable Data Protection Laws;
(e) provide appropriate fair-processing notices to Data Subjects whose Personal Data it discloses to the other party;
(f) obtain any consents or other lawful bases required to enable the other party to Process the Personal Data for the Permitted Purposes (defined in Annex 1); and
(g) not Process Personal Data for purposes incompatible with the Permitted Purposes.
4. Disclosure of Personal Data
4.1 Each party shall:
(a) only disclose Personal Data for the Permitted Purposes set out in Annex 1;
(b) ensure that it has informed Data Subjects that their Personal Data will be disclosed to the recipient and that the recipient will Process it as an independent Controller; and
(c) be responsible for the security of any Personal Data while in transmission between the parties.
5. Data Subject Requests
5.1 Each party shall handle Data Subject Requests relating to Personal Data it Processes as Controller.
5.2 If a party receives a Data Subject Request that concerns the other party's Processing, it shall promptly inform the Data Subject of the relevant contact point and, where appropriate, refer the request to the other party.
5.3 The parties shall reasonably co-operate with each other to enable each party to comply with its Data Subject Request obligations.
6. Personal Data Breaches
6.1 Each party shall notify the other without undue delay, and in any event within forty-eight (48) hours, of becoming aware of a reasonably suspected or actual Personal Data Breach involving Personal Data that has been disclosed by the other party under this DPA. The notification shall include, to the extent known:
(a) the nature of the Personal Data Breach, the categories and approximate number of Data Subjects and Personal Data records concerned;
(b) the name and contact details of the Data Protection Officer or other contact;
(c) the likely consequences of the Personal Data Breach; and
(d) the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
6.2 Where it is not possible to provide all the relevant information at the same time, the information may be provided in phases without undue further delay.
6.3 The parties shall co-operate, to the extent reasonably requested, in relation to any notifications to Supervisory Authorities or to Data Subjects required following a Personal Data Breach.
7. International transfers
7.1 Where a transfer of Personal Data between the parties is a Restricted Transfer, the parties shall implement appropriate safeguards in accordance with Applicable Data Protection Laws, including one or more of the following:
(a) transfer to a country covered by a current adequacy decision under UK or EU law;
(b) the UK IDTA, or the UK Addendum in conjunction with the EU SCCs, for transfers from the United Kingdom;
(c) the EU SCCs (Module One: controller-to-controller, or such other Module as is applicable to the relevant transfer), for transfers from the European Economic Area; or
(d) any other appropriate safeguard recognised under Applicable Data Protection Laws.
7.2 The 2004 Standard Contractual Clauses (Commission Decision C(2004)5721) are not used. Any reference to those clauses in earlier versions of this DPA is superseded by this DPA.
7.3 Each party shall conduct an appropriate transfer risk assessment (or transfer impact assessment) before making a Restricted Transfer, where required by Applicable Data Protection Laws.
8. Sub-processors
8.1 Where CrewPass acts as a Controller, it may engage Sub-processors to support its delivery of the Services. The categories of Sub-processors used are described in the CrewPass Privacy Policy. A current list of named Sub-processors is available on request from dpa@crewpass.co.uk.
8.2 CrewPass shall impose data-protection obligations on its Sub-processors that are no less protective than those set out in this DPA, to the extent applicable to the relevant Processing.
8.3 CrewPass shall notify Participants of any intended addition or replacement of Sub-processors that materially affects the Processing of Personal Data shared under this DPA at least thirty (30) days before the change takes effect. The Participant may object on reasonable data-protection grounds within fifteen (15) days of notification; if the objection cannot be resolved between the parties within a reasonable period, the Participant may terminate the Agreement in accordance with Section 6.1 of the Agreement.
9. Audit
9.1 Each party shall maintain documentation sufficient to evidence its compliance with this DPA.
9.2 Each party shall, on reasonable notice and no more than once in any twelve-month period (except where a Personal Data Breach or regulatory action requires more), allow the other party (or its authorised representatives) to audit its compliance with this DPA. The auditing party shall bear its own costs and shall conduct the audit in a manner that minimises disruption.
9.3 In place of an on-site audit, the audited party may discharge its audit obligations by providing copies of recent SOC 2, ISO 27001, ISO 27701 or equivalent third-party reports or attestations, or by completing a documented security questionnaire.
10. Liability
10.1 Each party shall be liable to the other for damages it causes by any breach of this DPA. Liability between the parties is limited to actual damage suffered and is subject to the liability limitations in the Agreement. Liability for breaches of the rights of Data Subjects under Applicable Data Protection Laws is determined by Applicable Data Protection Laws.
11. Term and termination
11.1 This DPA takes effect on the same date as the Agreement and continues until the Agreement is terminated or expires, after which time the parties' obligations regarding Personal Data already disclosed shall continue to apply for as long as such Personal Data is Processed.
11.2 Return or deletion of Personal Data. On termination or expiry of the Agreement, and on the written request of the disclosing party, the receiving party shall, within ninety (90) days, return or securely delete all Personal Data disclosed under this DPA, save to the extent the receiving party is required by law or regulatory obligation to retain that Personal Data (in which case the receiving party shall continue to protect it in accordance with this DPA for as long as it is retained). On reasonable request, the receiving party shall certify in writing that deletion has been carried out.
12. Notices
Notices under this DPA must be in writing and sent by email to dpa@crewpass.co.uk (for CrewPass) or to the email address provided by the Participant during registration (for the Participant).
13. Governing law and jurisdiction
This DPA, and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims), is governed by and construed in accordance with the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.
ANNEX 1 — DESCRIPTION OF PROCESSING
Data subjects. Crew members; representatives, employees and authorised users of Participants; and other individuals whose Personal Data is provided to CrewPass in connection with the Services.
Permitted Purposes. Personal Data may be disclosed between the parties for the following purposes:
- to verify the identity of crew members;
- to carry out background, criminal records, sanctions and adverse media checks for employment-eligibility purposes;
- to share crew member profile information (including biographies, qualifications, certificates, medical or vaccination records where uploaded by the data subject, visa status, employment history and references) with authorised Participants for crew placement and management purposes;
- to facilitate the contractual relationship between crew members and Participants;
- to administer compliance and certificate-expiry management; and
- to provide customer support and operate the Services.
Categories of Personal Data. Identity Data, Contact Data, Financial Data, Transaction Data, Profile Data, Compliance Data, Identity Verification Data, Background Check Data, Criminal Convictions Data, Device Data, Usage Data, Marketing and Communications Data and, where applicable, Special Categories of Personal Data (such as health or biometric data).
Special Categories of Personal Data. Passport and identity document data, biometric verification data, criminal records and health data (where uploaded by the data subject in connection with compliance documents).
Recipients. The other party; CrewPass's Sub-processors and authorised partners; Participants authorised by the relevant data subject to access their profile.
Retention. Personal Data is retained for the duration necessary to fulfil the Permitted Purposes and for any period required by law, as further described in the CrewPass Privacy Policy.
ANNEX 2 — DATA PROCESSING PRINCIPLES
The parties shall comply with the principles set out in Article 5(1) of the UK GDPR (and Article 5(1) of the EU GDPR where applicable):
Lawfulness, fairness and transparency. Personal Data shall be Processed lawfully, fairly and in a transparent manner.
Purpose limitation. Personal Data may be Processed only for the Permitted Purposes and shall not be further Processed in a manner incompatible with those purposes.
Data minimisation. Personal Data shall be adequate, relevant and limited to what is necessary in relation to the Permitted Purposes.
Accuracy. Personal Data shall be accurate and, where necessary, kept up to date. Inaccurate Personal Data shall be erased or rectified without undue delay.
Storage limitation. Personal Data shall be kept in a form that permits identification of Data Subjects for no longer than is necessary for the Permitted Purposes.
Integrity and confidentiality. Personal Data shall be Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage.
Accountability. Each party is responsible for, and must be able to demonstrate, compliance with the foregoing principles.
Rights of Data Subjects
Each party shall give effect to the rights of Data Subjects under Applicable Data Protection Laws, including the rights of access, rectification, erasure, restriction, objection, data portability and the right not to be subject to a decision based solely on automated processing where that decision produces legal or similarly significant effects, in each case subject to applicable exceptions.
Special Categories of Personal Data
Where the parties Process Special Categories of Personal Data, they shall apply additional measures appropriate to the sensitivity of that data, including (as appropriate) access controls, encryption and pseudonymisation.
Direct marketing
Where Personal Data is Processed for direct marketing, the parties shall provide effective and timely mechanisms for Data Subjects to object or opt out.
Automated decision-making
CrewPass may use automated processing and AI-assisted tooling to support certain Services (including document parsing, identity verification, risk scoring and workflow routing). These tools support, and do not replace, human review. Where such Processing amounts to a significant decision about a Data Subject that is based solely on automated processing, within the meaning of Articles 22A to 22D of the UK GDPR (as inserted by the Data (Use and Access) Act 2025), the Data Subject is afforded the safeguards required by those Articles, including the rights to be informed of the decision, to make representations, to obtain human intervention and to contest the decision. The mechanisms by which these rights are exercised are described in the CrewPass Privacy Policy.