Privacy Notice

1.  Portico and its associated companies – Portico Shipping Limited, Portico Logistics Limited and Portico Port Services Limited, known as Portico, are committed to respecting privacy and protecting any personal information that is collected or processed in accordance with the requirements of the EU General Data Protection Regulation (the “GDPR”) and/or any other applicable Data Protection laws or regulations (as may be amended from time to time) which safeguards personal data.

2. This Privacy Notice and Policy is issued by Portico. All references to “we”, “our”, “Portico” or “us” in this Notice and Policy are references to Portico and its associated companies, which are incorporated in England with the following company numbers:

• Portico Shipping Limited 02012886
• Portico Logistics Limited 16090209
• Portico Port Services Limited 16126259

References to “Customer” are references to any organisation or entity to whom Portico supply services and/or provide any information in connection with the provision of such services.  References to “you” or “your” are references to any individual to whom services are supplied or who is otherwise engaged or employed by Portico or one of our Customers.

3.  This Privacy Notice provides information about how Portico collects and processes your personal information. It also sets out our Policy for the protection of any personal data which may be collected by Portico during your interactions with us for the provision of services, when you visit our marine container Terminal (which includes the land, premises and berth space used by Portico within the port of Portsmouth) or when you use our Website.  “Personal data” is any information relating to a living individual, by means of which information that individual can be identified directly or indirectly. “Processing” means any operation or set of operations which is performed on personal data, and includes compiling, keeping, using, sharing or otherwise making available to others, altering and erasing personal data.

Responsibility for data protection compliance

4. Portico determines the purposes and means of any processing of personal data that it undertakes. It is therefore a “controller” of personal data for the purposes of the GDPR and is registered as such with the Information Commissioner’s Office (ICO) with registration number Z8711731.

5. Any questions in relation to this Policy or regarding Portico’s processing of personal data (as well as any requests relating to the exercise of rights referred to in paragraphs 16 and 17) should, in the first instance, be addressed to Melanie Bunting, HR Business Partner, Portico House, 2 Prospect Road, Portsmouth, PO1 4QY.  If you have reason to believe that the company may be in breach of the General Data Protection Regulations in their processing of your personal data, please report this to Melanie Bunting, HR Business Partner as soon as possible. The company is responsible for reporting any breach of GDPR to the ICO.

6. Portico expressly reserves the right to make changes to this Policy from time to time. Where it is possible to do so, advance notice of any significant changes made to this Policy will be given.

The lawful basis for processing data

7.  The processing of personal data is lawful only if the controller can rely on one of the lawful bases for processing under the GDPR, which are listed as (a) to (f) in paragraph 1 of Article 6 of the GDPR, and in which you are described as the “data subject”.

8.  For such processing of personal data as Portico engages in, it may rely on bases (a), (b), (c), and (f) of paragraph 1 of Article 6 of the GDPR as follows:

1. Consent – (in any cases in which you have consented to processing) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”
2. Contract – (in cases where we have a contract with you or such a contract is being negotiated) “processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.”  Where you are the Customer, there will be a contract or prospective contract between you and Portico, pursuant to which Portico will supply services to you.

(c) Legal Obligation – (where processing by Portico is required in order to comply with its non-contractual legal obligations, in particular statutory and common law obligations) “processing is necessary for compliance with a legal obligation to which the controller is subject.”

(f) Legitimate Interests – “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” Legitimate interests can include commercial interests and non-electronic marketing activities.  Portico has considered its present use of personal data and concluded that the processing presents no risk to the interests or fundamental rights and freedoms of any persons such as would prevent such processing.  In determining whether legitimate interests are involved in the processing, Portico conducts a purpose test (identifying the legitimate interest), a necessity test (showing that processing is necessary to achieve the purpose), and a balancing test (that the processing is proportionate and has a minimal privacy impact on any individual’s interests, rights and freedoms).

Information held by Portico and how it is used

9. Portico processes various types of personal data including the following:

• Personal identifiers/details such as name, address, employer, job title, contact details (e.g. e-mail and phone numbers), which we use to fulfil any request you make and to allow you to participate in any interactive features of our service;
• Financial information and account details such as national insurance number, bank account number or other financial account number and account details;
• Credit checking information such as details of your credit history, credit reference information and credit scores;
• Professional information (such as educational background, previous positions professional qualifications and experience, employment details/references, work permits or visas, where relevant);
• Marketing and business development data relating to people who have expressed interest in the services provided by Portico and any survey or consultation responses or other information which you may voluntarily provide to Portico;
• Information collected by our security personnel about your visit and collected from our information technology systems, such as access control systems, door entry and reception logs, CCTV and surveillance system recordings.

10. When you provide us with personal data relating to third parties such as your employees or your visitors, you warrant and confirm that you have the consent of the third party to share such information with us.

11. Portico does not engage in the large-scale processing of personal data, processing activity considered to be high risk by the ICO, systematic monitoring of the public, automated decision making, or personal data profiling.  It is Portico’s policy not to process or have any involvement in the processing of data relating to children, or the processing of special categories of personal data namely:

• data revealing or concerning a person’s health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or sex life or sexual orientation, or;
• genetic or biometric data that uniquely identifies a person.

12. Portico does not process any personal data that it holds other than for the purposes listed below, together with the lawful bases for processing (a), (b), (c), and (f) of the GDPR (as referred to in paragraph 8 above) that may apply:

• to provide the services that Customers have instructed us to provide [bases (b) and (f)];
• to help us manage and improve our services to Customers [bases (a), (b) and (f)];
• to prevent and detect fraud, financial and other crime and money laundering [bases (c) and (f)];
• to ensure the security of our Terminal, land, premises and berth space within the Port, protect the health and safety of individuals when visiting the aforementioned areas and to control the issue of dock passes or such other formalities as may be required in connection with any vessels arriving at the Port [bases (a), (c), and (f)];
• to ensure that we comply with all legal and regulatory compliance obligations [bases (c) and (f)];
• to enable Portico to pursue its legitimate interests including marketing activities [bases (a) and (f)]; and
• to enable our Customers to pursue their legitimate interests [bases (b) and (f)].

13. It will sometimes be necessary for Portico to pass on information to third parties. For example, Portico may share your personal data with:

• Government Agencies, legal advisers, auditors, accountants, insurers and insurance brokers or other professional advisors;
• third party service providers, contractors or any other organisations which Portico may need to liaise in connection with any operations or services provided at the Port.

Portico’s use of certain cloud computing facilities involves the storage and processing of some personal data outside Portico’s own computer systems.  It is also possible that external companies may occasionally conduct audits or quality checks on the services that Portico provides.  All such third parties are required to maintain confidentiality in relation to your personal data and comply fully with the GDPR.

14. It is also occasionally necessary for Portico to share personal data outside of the European Economic Area (“EEA”).  For example (and without limitation):

• with our service providers or any other agencies or organisations located outside of the EEA;
• if any Customer or you are based outside the EEA;

Before any personal data is transferred outside of the EEA, Portico adopts certain procedures and safeguards with a view to ensuring that any such information is fully protected in accordance with any applicable data protection law.  Further details on the safeguards implemented by Portico can be provided, upon request, from Melanie Bunting (at the address set out in paragraph 5 above).

Compliance with data protection principles

15.  All processing of your personal data is undertaken in accordance with six data protection principles (specified in Article 5 of the GDPR).  The data protection principles are as follows:

• 15.1 Lawfulness, fairness and transparency - Personal data shall be processed lawfully, fairly and in a transparent manner.
• 15.2  Purpose limitation - Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.  Portico collects and processes personal data only when this is necessary for any of the purposes indicated in paragraphs 12-14 above.
• 15.3 Data minimisation - Personal data shall be adequate, relevant and limited to the minimum of data necessary to the purposes for which they are processed.
• 15.4 Accuracy - Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
• 15.5 Storage limitation - Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.  Without prejudice to the rights of individuals in respect of personal data held about them and to any legal requirements for the retention of data, Portico will ordinarily keep personal data in a form that permits individual identification, for so long as it may be necessary to process the data for the purposes indicated and will thereafter entirely erase the data
• 15.6 Integrity and Confidentiality - Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.  Portico recognises the importance of securing the data it holds and has put in place appropriate security measures to prevent your personal data being accidentally lost, or used, altered or disclosed to third parties in an unauthorised way.  The measures include the protection of mobile devices against theft and preventing third parties from gaining access to data on stolen devices.  Portico limits access to your personal data to those employees, agents, contractors and other third parties who have a need to know.  They are subject to a duty of confidentiality and will only process your personal data in accordance with paragraphs 13-14 above and on Portico’s express instructions.  All employees who may process personal data undertake appropriate data protection training.  Portico has also adopted procedures to deal with any suspected data security breach and shall notify you and any applicable regulator of a suspected breach where it is legally required to do so.

Right of Access

16. You have the right to ask us whether or not personal data concerning you is being processed and, where that is the case, to be given access to the personal data in machine readable form (together with the information set out in GDPR Article 15 paragraph 1).

Other rights

17.  You have additional rights, which include:

• The right to rectification of any inaccurate personal data (Articles 16 and 19 of GDPR),
• The right under Articles 17 and 19 of GDPR to erasure of personal data in various circumstances (i.e. the right to be forgotten),
• The right to restrict processing in various circumstances (Articles 18 and 19 of GDPR),
• The right to data portability i.e. to have data transferred to another organisation (Article 20 of GDPR), and;
• The right to object to processing of personal data in certain circumstances including (amongst other things) direct marketing and profiling (Articles 21 and 22 of GDPR).
• The right to withdraw consent – if you do give consent to any processing of personal data, you can change your mind and withdraw it at a later date.
• The right to report concerns to the ICO, whose website is https://ico.org.uk

Document Owner
Melanie Bunting
Human Resources

Date of Implementation
August 2019

Reviewed by & Date
Vanessa Sherry
March 2025

Review Due

When circumstances require it, such as change to legislation, standard requirements and/or changes to company processes.