Privacy Policy

1. Introduction

This document outlines how ESCA handles data collected from the Public and the ESCA Members.

2. ESCA Data Protection Policy

ESCA has put in place the following data protection policy:

  • Your data is used only for the intended use.
  • Your data is never bartered or sold.
  • Data is given to law enforcement only when legal process is followed.
  • Your data is never given to advertisers or marketing companies.
  • Your data may be kept indefinitely.

3. Sensitive Data (Special Category Data)

ESCA processes no sensitive or ‘special category data,’ and so according to the GDPR regulations, no Data Protection Impact Assessment is required. ESCA does however consider and apply appropriate precautions to protect the confidentiality of personal data.

4. Structure of ESCA and flow of data across organisations contracted to ESCA

ESCA has no employees.

ESCA contracts CJS Subsea Services to oversee all Director and Secretariat services, Peter Barham Environment Ltd for Liaison Advisor Activities and Port Hill Marine Ltd for Fishing Advisor activities. Yates & Co. Accountants provides ESCA with independent accounting services. No personal data that is not related or required by law to be put into the public domain is sent to Yates & Co.

Creative Republic provides ESCA with IT and Web design services.

Personnel working on ESCA activities in CJS Subsea Services and Creative Republic have all successfully passed GDPR training, with refresher training provided as and when required, but at least every 3 years.

Information about ESCA members is held on the ESCA website via a password-protected access process.

The ESCA Secretariat representative assumes the role of Data Controller and Data Processor, supported by Creative Republic. Should escalations or alternates be required, this should be to the ESCA Chairman in the first instance, and to the Vice-Chairman if the Chairman should not be available.

5. Documentation of Personal Data

ESCA has prepared the workflow as attached at Appendix 1 – ‘ESCA Personal Data Workflow and Information’ to describe its key data workflow.

6. Procedure for the handling of Personal Data

Personal Data should be handled by contractors of ESCA in accordance with GDPR regulations and to at least the same standard in which they hold their own personal information. This is intended to include, where possible, two-step authentication for e-mail systems in which ESCA’s personal data is transmitted, and secure (https) servers whose access is password-protected for the storage of Personal Data.

7. Access Requests

Members and their associated employees registered on the ESCA website can access most of their personal information themselves via the secure area of the ESCA website and make changes to it at any time. Access requests for any other data are to be sent by e-mail to secretary@escaeu.org and the ESCA Secretariat aims to respond to reasonable and lawful requests within timescales stipulated in GDPR regulations. Information is passed back to enquirers as may be appropriate in a data-portable way either by direct e-mail or by documents produced in standard MS Office applications such as MS Word, Excel, PowerPoint or in Adobe PDF format and attached to such e-mails, as appropriate.

8. Identification of Information Assets

This is managed by the ESCA Secretariat.

9. Privacy Notice

Privacy Notice page

10. Consent

Consent is required by the user on all data collection pages of the website. A ‘check box’ must be clicked granting consent before moving to the data collection page. The Privacy Notice and Privacy Policy and Procedure pages are linked at the bottom of each page on the website and on each of the ‘check box’ consent areas.

11. Withdrawal of Consent

After logging in, ESCA members can update their own personal information from the member area of the website. Should they wish to withdraw consent for ESCA to hold other information (other than that lawfully required for ESCA to function, such as company billing information), requests can be sent to secretary@escaeu.org and the ESCA Secretariat shall act on such requests in a timely fashion in accordance with GDPR regulations.

12. Accuracy

ESCA endeavours to ensure the accuracy of Personal Data held through interaction with Members in the January of each year. However, some identifying information may be held for long periods by ESCA because of the nature of its work to provide a historical source for cable-related information. This remains a historical record for research purposes and is a fundamental part of the service ESCA supplies to its Members.

13. Training

Although ESCA does not have staff, GDPR training is provided to the contracted ESCA Secretariat representative and ESCA’s IT support contractor, as considered appropriate.

14. Disposal

ESCA disposes of electronic personal records through electronic deletion. Lawful disposal of paper records can be made by shredding on request.

15. Retention Policy

ESCA retains the information of active Members, which can be for a long time, as considered appropriate.

ESCA holds mailing list information pertaining to ESCA Member main reps. and alternates and other individuals that may have requested to be included on the list from the same Member company. Mailing lists for website access only, Call for Papers and Plenary Event contacts are also kept. This information is reviewed on a triennial basis.

ESCA holds a repository of archive and research information related to its purpose. As for any library, its intention is to retain that information in perpetuity.

16. Policy Review

To ensure continued compliance, the ico.gov.uk website will be visited on a regular basis and any required regulatory action taken accordingly.

17. Risk

As ESCA does not process sensitive, ‘special category’ data, the risk of breach is deemed to be very limited; however, this does not relieve ESCA of adhering to its GDPR obligations. Should the risk profile change in the future, ESCA shall consider what changes to its policy are required.

18. Threats

The following potential threats have been identified by ESCA, though such threats remain under review:

  • Hacking attempts on the website. Any such attempts shall be logged and notified to the Secretariat by Creative Republic, as and when they occur and any required action taken accordingly.
  • Breaches and loss of personal data from the website. Any such instances shall be logged by the Data Controller and individuals affected notified by the ESCA Secretariat representative.
  • Loss of personal data from email. Any such instances shall be logged by the Data Controller and individuals affected notified by the ESCA Secretariat representative.
  • Loss of personal data from the ESCA billing system. Any such instances shall be logged by the Data Controller and individuals affected notified by the ESCA Secretariat representative.

After any breach, the ESCA Secretariat, in consultation with the ESCA Chairman, shall consider and document how similar events may be mitigated in future. Should spend be required, this will be raised to the ESCA Executive Committee (EC) for approval.

19. Security Policies and Procedures

ESCA shall ensure the following policies and procedures are adhered to:

  • Processing of all personal data behind password protection and firewall protection.
  • GDPR compliant hosting of personal data it processes.
  • Logging and communicating threats to the ESCA website.

20. Minimisation of Data Collected

ESCA shall henceforth seek to minimise the data it collects. It shall not collect Personal Information related to requests for ESCA Guidelines or Documents, as appropriate.

Minimising the data collected for any new Personal Data processes shall be considered by the Data Controller.

21. Data Protection Compliance

The ESCA Secretariat representative shall be the Data Controller and Data Processor.

ESCA is not deemed to require the appointment of a Data Protection Officer, noting the ESCA Secretariat shall address any such issues or respond to any that may be notified, as appropriate.

22. Security Policy

The following security policies shall wherever possible apply in relation to Personal Data, and compliance shall be checked in the January of each year.

  • Secure backups of Personal Data
  • Physical locking away of personal data on paper, in the rare event that such paper data is required
  • Password protection prior to accessing personal data online
  • GDPR-compliant hosting methodologies
  • Firewall-protected networks
  • Not accessing personal data via unprotected wifi networks (e.g. while travelling)

This security policy shall be reviewed triennially, with the first review in 2021.

Appendix 1 – ESCA Personal Data Workflow and Information

ESCA is a membership-based organization in the Subsea Cable Industry. An outline of the data ESCA keeps is detailed below:

Membership process: A potential ESCA member organization downloads and completes a Membership Application form from the escaeu.org website and submits it to the ESCA Secretariat via e-mail for EC approval of such application.

The data that is collected from the ESCA membership application form is as follows:

  • Name of company/member organization.
  • Type of membership required, Full or Associate.
  • For ‘Full’ membership applications, the name of the asset that company/organization owns or operates.
  • Name of prime and alternate contact, tel. number, e-mail address and company/organization postal address.

Once the application has been approved by the EC, and fees paid accordingly, the Primary or Alternate contact will be issued with access details for the ESCA website and included on the ESCA Member e-mail distribution list/database. Such contacts can also request other individuals within their company to be added as an ESCA website user and/or be included on the ESCA mailing list, hence such contact information will also be stored in the contact database.

The Member contact/user page on the ESCA website contains:

  • Name
  • Access group, i.e. read-only, read-write
  • EC Member/Chairman/Vice-Chairman?
  • Working group they belong to, if applicable
  • Phone number
  • Cell number
  • Fax number, if applicable
  • E-mail address
  • Member Company website
  • Member Company address
  • Access login and password to the ESCA Members’ website.

All Member contacts have a login and password to be able to access the Member side of the ESCA website, which, amongst other things, contains ESCA Guidelines, Policies, Reports and other documents/educational information. Contacts cannot access or view other Contact records. Contacts can access their own information records to change, add or delete the data contained in the record or to change their password. Contacts can request a copy of their contact information at any time.

No financial data is stored on the website.

Data kept on the ESCA website is backed up regularly by Creative Republic, with such back-up stored securely.

Procedures for Breach of data: If a breach of the data is reported or detected, Creative Republic shall immediately contact the ESCA Secretariat and investigate the full details of the breach to determine the magnitude. Since ESCA does not hold any Sensitive “special categories” of data, it would be up to the Secretariat, in consultation with the Chairman, as to whether the relevant authorities should be informed. The ESCA Secretariat would continue to work with Creative Republic on assessing the present or potential future damage of such breach and make recommendations to the Chairman on how best to handle the situation depending on the details of the breach.

© Copyright 2018 European Subsea Cables Association
No reproduction in any form without written consent from European Subsea Cables Association