Global Shipping Business Network – Privacy Policy
 

GSBN – Privacy Policy Version 01.07.2021

Our commitment to privacy

Global Shipping Business Network Limited (“GSBN”, “we”, “our” or “us”) recognise our responsibilities to protect the privacy, confidentiality, and security of the personal data we hold. As a Hong Kong company, we comply with the requirements of Hong Kong’s Personal Data (Privacy) Ordinance (Cap 486) (“PDPO”) and as a global network we comply with all international data protection laws applicable to our operations, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) . We are equally committed to ensuring compliance by all our employees and agents with these obligations.

This policy (“Privacy Policy”) explains our collection, holding, and use of recorded information about our customers and various other individuals (“you” or “your”). It also sets out your rights concerning your information and who you can contact for more information or queries. We refer to information that can be used to identify you as your “personal data”. We may also sometimes collectively refer to handling, collecting, protecting, and storing your personal data as “processing” of such personal data.

What is personal data?

Personal data when used in this Privacy Policy is a reference to any information relating to an identified or identifiable natural person.

In general terms, if the information we collect and process personally identifies you, or you are identifiable from this information (either directly or indirectly), then the information will be considered personal data.

When and how do we collect your personal data?

We may collect and process your personal data when you:

  • use our blockchain-enabled data exchange platform for shipping supply chain information and associated website (collectively, the “Platform”), including during the account registration process;

  • use any of our data sharing services;

  • access or use our website(s);

  • access or use any other products or services we provide from time to time; or

  • otherwise interact with us (collectively, the “Services”).

We will also provide a separate Personal Information Collection Statement ("PIC Statement") or privacy collection notice on or before any collection in an appropriate format and manner. The PIC Statement will provide specific information on the relevant personal data collection, including highlighting additional uses of your personal data.

What personal data do we collect from you?

When you use, access or interact with our Services or otherwise engage with us, we may collect:

  • contact data such as your name, phone number, job title and email address;

  • interaction data such as information about which parts of our Platform or website(s) you click on or access using our APIs, or about how you otherwise use the Services;

  • technical data such as your IP address and web browser type when you access our Platform or website;

  • financial data such as bank account or payment card details you provide to us;

  • employment data such as information about your performance as our employee, or documents you provide to us as part of your application for employment; and

  • other data that you provide to us from time to time, such as your signature, your employer, information collected for marketing or promotional purposes (including in connection with a GSBN event) or feedback you provide in relation to our Services.

When we collect personal data from you we will make it clear which data is mandatory for you to provide and which data is voluntary. In the event that you do not provide the mandatory data, we may not be able to provide you with our Services.

What personal data do we collect about you from other people?

We may receive personal data about you from other people when:

 

  • you access, use or interact with our Services, through an intermediary such as your employer and that intermediary provides your personal data to us; or

  • another user of our Platform enters your personal data into our Platform, for example because you are the recipient of their shipment.

Do we collect special category data?

In general, we do not collect special category (or sensitive) data such as information about your race, political and religious beliefs, or health.

 

However, if you are an employee or prospective employee of ours, we may collect special category (or sensitive) data such as your racial or ethnic origin and trade union membership for internal HR purposes.

Whenever we process your special category (or sensitive) data, we will get your explicit consent or make sure we have another lawful basis. Further details on the use, processing and handling of such special category (or sensitive) data will be provided in the PIC Statement / privacy collection notice upon collection.    

Why do we collect your personal data, and how do we use it?

We collect and process your personal data as follows:

  • contact data in order to:

    • set up your account and contact you in relation to our Platform; and

    • contact you in relation to any of our other Services,

including sending you promotional and marketing material in relation to our Services or activities (which may include GSBN events). You can opt out of receiving our marketing communications at any time by following the instructions set out in those marketing communications;

  • interaction data in order to respond to your interactions with the Services (in particular, our Platform and website(s)), and to understand how our users use the Services so that we can improve our Services;

 

  • technical data, such as IP addresses, that are required in order to provide certain Services to you (such as our Platform and access to our website(s));

  • financial data such as bank account or payment card details you provide to us, in order to make payments to or receive payments from you;

  • employment data such as information about your performance as our employee and other data we collect in order to manage your employment, or application for employment; and

  • other data for the purposes that are communicated to you at the time that you provide that other data.

Through the interactive functions of some of our Services, we allow you to directly input changes to your preferences, passwords and personal data on an immediate basis for that Service. You may do this by reviewing and editing your user profile. Where you access the Service through an intermediary (for example, through your employer) you may also request that the intermediary update your user profile.

Where your personal data changes, we ask that you promptly update us of any changes by editing your user profile or requesting that the intermediary (for example, your employer) edit your user profile.

On what legal basis do we use your personal data?

When we process your personal data, we will do so on the following lawful basis:

  • With your consent (including your consent to our processing of your personal data as set out in this Privacy Policy). You can withdraw your consent to our processing of your personal data at any time by contacting us through the details in the section titled “How can you contact us?”

    Where we rely on your consent as the lawful basis for our processing and you withdraw that consent, we will stop processing your personal data (though this will not affect personal data that we processed before you revoked your consent). However, this may mean that we become unable to provide the Services to you (and, if you are accessing our Services on behalf of your employer or another person, we may also become unable to provide our Services to that employer or other person).

  • To fulfil our contractual obligations to you and your related parties (for example, in order to allow access to our Platform as required by our “Platform Access Agreement”).

  • To comply with the law (for example, by analysing your interaction with our Platform as required under sanctions or Anti-Money Laundering laws).

  • For our, or a third party’s, legitimate interests. Our legitimate interests in processing your personal data include:

    • providing the Services to you and to others;

    • promoting and marketing our Services;

    • understanding how our customers interact with the Services (in particular, our Platform and website(s));

 

    • detecting and taking actions to prevent our Platform from being used for fraud or other improper activity;

 

    • testing and developing our Platform;

    • meeting our internal business requirements, for example in relation to internal compliance, record-keeping and business development; and

    • in relation to personal data about our employees or prospective employees, managing your employment or application for employment.

Automated decision-making using your personal data

We may use computers to make automated decisions using your personal data. This is because automated decisions are faster, fairer, and more likely to be accurate than equivalent human decisions. The automated decisions we may make that may affect you relate to:

 

  • assessing customer usage of our Platform, including to ensure that the customer’s usage is in accordance with the terms of our Platform Access Agreement. Where this is not the case, the GSBN may exercise the rights available to it under the Platform Access Agreement;

  • detecting and suspending accounts that misuse our Platform (including accounts that use our Platform to conduct fraudulent or improper activity);

  • otherwise protecting us against criminal or fraudulent activity;

  • categorising and organising data provided or presented to you as part of our Services (including, without limitation, where you use any of our data sharing services).

You have rights under the GDPR in relation to automated decision-making. You can contact us to object to an automated decision we have made and ask that a person reviews it.

With whom do we share your personal data?

We may share your personal data with:

  • other users of our Platform (including companies that use our Platform which, without limitation, may include financial institutions), for example:

    • showing shipment information you have input into the Platform to the shipment’s recipients; or

    • where you access and use one of our data sharing services through the Platform;

  • government authorities, including courts, where we are required to do so by law;

  • our employees, contractors, suppliers, subcontractors and advisers, including IQAX Limited, our Platform operator, for the purposes of providing or making available the Services. This includes, without limitation:

    • third parties who provide information technology services and systems to the GSBN (such as system administrators (which may be a natural person or an AI-enabled function);

    • third parties who provide business administration services to the GSBN; and

    • third parties who maintain and host the Services or parts thereof on behalf of GSBN; and

  • other organisations where we restructure, sell or transfer our business (or part of it). For example, in connection with a takeover or merger.

Where one or more third parties maintain and host the Service or portions thereof, any information you submit, including personal data, will be placed and stored on a computer server maintained by such third party. You acknowledge that your personal data could pass through and may be stored in servers outside the control of the GSBN and may be accessed by the administrator of such site and others that gain access to the GSBN’s or the third party’s server or stored files. When outsourcing certain services to third parties for the operation of GSBN Services, we will ensure that we have in place contractual clauses which ensures protection of personal data which complies with the PDPO and the terms of this Privacy Policy.

If you use the services of a third party to interact with us, please also be aware that your personal data is subject to the privacy policies of these third parties.

How do we maintain security over your personal data?

We use a range of reasonable physical, electronic, and managerial measures to ensure that we keep your personal data secure, accurate, and up to date. These measures include:

  • education and training provided to relevant staff or personnel to ensure they are aware of our security policies when handling personal data;

 

  • administrative and technical access controls to ensure only employees who need to know personal data can access that personal data, and that the list of employees who can access personal data is reviewed frequently;

 

  • technological security measures, including multiple-tier firewalls, encryption, and anti-virus software; and

 

  • physical security measures, such as staff security passes to access our premises and information processing facilities.

Although we use appropriate security measures once we have received your personal data, the transmission of personal data over the internet (including by e-mail) is never completely secure. We endeavour to protect personal data, but we cannot guarantee the security of personal data transmitted to us or by us, including that your personal data will be protected against loss, misuse, attacks or alteration by third parties.

How long will we keep your personal data?

We will not keep your personal data longer than we need to and will only use your personal data for the purposes set out in this Privacy Policy.

We will always keep your personal data in accordance with applicable legal and regulatory requirements.

In most circumstances this means we will not keep your personal data for more than 3 years after the end of your relationship with us. However, we may retain your personal data for longer periods of time in circumstances where we cannot delete it for legal, regulatory or technical reasons.

One example of where we do or may retain your personal data for longer periods of time:

  • data related to disputes. We may retain personal data for a longer period of time where this is required for the purposes of resolving an ongoing dispute.

Notwithstanding the above, we may also retain your personal data:

  • in order to detect fraud or other improper activity on our Platform;

  • to comply with laws, for example record-keeping obligations; or

  • for our internal record-keeping purposes.

Transferring your personal data across borders

Shipping is an international business, so we often need to transfer personal data between jurisdictions. This section describes how we handle certain international personal data transfers.

Transferring your personal data from the European Economic Area (“EEA”)

We will transfer your personal data outside of the EEA; to:

  • run our global business and provide the Services, including, without limitation, by

    • transferring the personal data we collect, including personal data relating to the Platform, to our centralised systems based in Hong Kong; and

    • transferring your personal data to users of the Platform outside the EEA where you are accessing or using one of our data sharing services available to users of the Platform;

  • provide our Services to users outside the EEA;

  • comply with our legal obligations; and

  • run our Platform, including working with our employees, contractors, suppliers, subcontractors and advisers based outside of the EEA.

When we transfer your personal data outside of the EEA, we will make sure appropriate safeguards are in place, for example by ensuring that our suppliers are located in countries whose data protection laws have been deemed adequate and/or by adopting the European Commission’s standard contractual clauses.

Transferring your personal data from Hong Kong

We will transfer your personal data outside of Hong Kong to:

  • provide our Services to users outside of Hong Kong. This includes, without limitation, transferring your personal data to users of the Platform outside of Hong Kong where you are accessing or using one of our data sharing services available to users of the Platform;

  • comply with our legal obligations; and

  • run our Platform, including working with our employees, contractors, suppliers, subcontractors, and advisors based outside of Hong Kong.

When we collect your personal data we will seek your consent prior to transferring your personal data outside Hong Kong through the PIC Statement. To further protect your personal data, we will also ensure that appropriate contractual safeguards are in place with the relevant third party prior to transfer.

What rights do you have for your personal data if you are in the EEA?

As an EEA data subject you have the right to:

  • be told how your personal data is being collected and used;

  • access your personal data;

  • have your personal data deleted or corrected if it is inaccurate;

  • ask us to delete your personal data if there is no need for us to keep it (subject to local laws and regulations and our data retention requirements and practices which may mean that not all personal data can be completely removed from our systems. Please see the section titled “How long will we keep your personal data?”);

  • object to your personal data being processed and restrict processing;

  • withdraw consent to having your personal data processed;

  • have your personal data provided in a standard format so that it can be transferred elsewhere;

  • not be subject to a decision based solely on automated processing; and

  • lodge a complaint with a data protection authority if you are not happy with how we handle a complaint.

If you want to exercise these rights, you can contact us using the details provided in the section titled “How can you contact us?”

What rights do you have for your personal data if you are in Hong Kong?

As a Hong Kong data subject you have the right to:

  • object to us processing your personal data;

  • request access to your personal data from time to time;

  • request an update of the personal data we hold about you, or correct such personal information that you think is incorrect or incomplete; and

  • withdraw consent to our processing of your personal data (to the extent such processing is based on consent).

If you want to exercise these rights, you can contact us using the details provided in the section titled, “How can you contact us?”

How do we use cookies and similar technology?

Cookies are computer files that get sent to your device by websites. They remain on your device, which sends the cookie back to the website next time you visit. The website can use this cookie to distinguish you from other users of the site and serve you accordingly – for example by remembering that you have already logged in to the website.

We may use cookies and similar technologies to:

  • perform essential functions (such as allowing you to log in to, or out of, our Platform or use our website(s));

  • collect information about how you use our Services;

  • improve your experience using our Services; and

  • deliver relevant online advertising to you and understand and improve the effectiveness of our marketing.

You can use your device’s settings to reject any cookies and similar technologies we may use. However, blocking essential cookies may prevent you from using all or part of our Services (such as the Platform or our website(s)).

What about other sites?

Our Services (such as our Platform and website(s)) may include links to external websites that we do not operate that may collect personal data about you. As we do not operate these external websites, we do not control these websites’ content or privacy practices. If you use any external websites we provide links to, any information you provide is provided directly to that third party and is not governed by this Privacy Policy. You should read their privacy policies before providing personal data to them.

What happens if we change this Privacy Policy?

We will update this Privacy Policy from time to time to reflect changes in our collection and use of personal data. When we change our Privacy Policy, we display a notice the next time you log in to our Platform or access our website(s).

If you do not agree with changes we make to this Privacy Policy, you must stop using our Services.

How can you contact us?

If you have questions about how we handle your personal data, or would like to exercise your rights in relation to your personal data, please contact us in writing as follows:

 

You may also use the above contact details if you wish to make a complaint to us relating to your privacy.

We strive to respond to your questions or complaints within 40 days of receiving the communication. In accordance with the terms of the PDPO, we have the right to charge a reasonable fee for processing a data access request an amount to be determined upon receipt of the request.

 

Who else can you contact?

If you are not satisfied with our responses to your questions, you can also contact the relevant data protection authority. The relevant data protection authority is: