shipping companies under GDPR – The UK Chamber of Shipping, in conjunction with shipping lawyers Hill Dickinson LLP, has released guidance to shipping companies on implementing the general data protection regulation (GDPR).

The arrival of GDPR is part of a raft of cyber related initiatives heading shipping’s way.

The publication summarises the key requirements of the GDPR, which entered into force in May 2018, and the actions companies should take to implement data protection policies.

It focuses specifically on the maritime sector and covers key areas such as crewing issues and seafarer payments, defines GDPR terminology and lists the types and sources of personal data and how these should be processed.

It also describes the role and responsibilities of the data controller and the company data protection officer.

Guidance is also provided on the strict provisions relating to transferring personal data outside of the EU. This is particularly relevant to the offshore industry, where crew are transferred from one site to another and to and from a multitude of jurisdictions where their personal data will follow.

UK Chamber of Shipping chief executive Bob Sanguinetti commented “It is our mission to deliver for our members trusted specialist expertise at all times and The GDPR Guidance to Shipping Companies offers just that. The publication not only details the best practices but also sets out an ‘Action Plan for Companies’, describing suggested stages for a company to implement GDPR and verify compliance.”


SHIP IP LTD is specialized with GDPR ( General Data Protection EU
Regulation) implementation for Maritime Companies ONLY .
We have make the whole process very simple – No need to be something
complicated as Maritime Companies core business is not handling personal
data but transportation .
Our process is very easy – in contact with your key personnel i.e. Human
Resource , Crew and Accounting department – we record forms you have
related with personal data , we are auditing your IT department or in we
ask them some simple questions so we can prepare the procedures required
and we are delivering the GDPR Manual , Gap Analysis and DPIA if required.

GDPR TMSA Cyber Security


Tanker owners should be prepared for new EU and IMO cyber security regulations as they must already comply with maritime security requirements under OCIMF’s TMSA 3, writes Martyn Wingrove

There are increasing amounts of cyber security-related regulations that shipping companies will have to comply with, but tanker owners are already ahead of the game. Ship operators will need to include cyber in ship safety and security management under the ISM Code from 1 January 2021.

Before that, they need to be aware of cyber and data security regulations, including the EU general data protection regulation (GDPR) and the EU directive on the security of networks and information systems (NIS).

Much of the requirements under these forthcoming or new regulations are already within Oil Companies International Marine Forum (OCIMF)’s third edition of the Tanker Management and Self Assessment (TMSA) best practice guidelines. This came into force on 1 January this year, with a new element on maritime security and additional requirements of key performance indicators and risk assessments.

Regulation changes were outlined at Riviera Maritime Media’s European Maritime Cyber Risk Management Summit, which was held in London on 15 June. The event was held in association with Norton Rose Fulbright, whose head of operations and cyber security Steven Hadwin explained that “data protection and cyber security needs to be taken seriously from a legal point of view.”

Data, such as information on cargo and charterers, could “become a considerable liability”. If data is lost “then GDPR could be in play” said Mr Hadwin. Regulators “could impose a fine of up to 4% of that organisation’s global annual turnover.”

PwC UK cyber security director Niko Kalfigkopoulos explained the legislation and reasoning behind the NIS Directive, which went into full effect in May this year.  “These regulations have teeth” he said because of the potential size of fines and damage to a company’s reputation from being a victim of a cyber attack. This is one of the reasons why boardroom executives should be aware and understand what is required for compliance.

Class support

During the summit, class societies provided cyber security guidance as they collectively attempted to define cyber secure ship notations. Lloyd’s Register cyber security product manager Elisa Cassi said shipping companies should have a third party monitor their IT network and the operational technology (OT) and employ staff to “stop people sharing data or compromising procedures”.

Tanker owners “need to identify any compromise before an attacker tries to penetrate”, Ms Cassi explained, noting that shipping companies need to “investigate the vulnerabilities through analytics and machine learning”, understand the behaviour of potential threats and use predictive analysis.

ABS advanced solutions business development manager Pantelis Skinitis said shipowners need to change passwords on operational technology, such as ECDIS and radar, as some remain unchanged since they were originally commissioned on the ship. He also advised owners to verify vendors and service engineers and that their USB sticks are clean of malware.

ABS has created cyber safety guidance for ship OT, particularly for ships coming into US ports and terminals. In its development, ABS identified the risks, vulnerabilities and threats to OT. “Managing connection points and human resource deals with the biggest threat to OT systems on board,” said Mr Skinitis.

DNV GL has developed new class notations covering cyber security of newbuildings. It has also produced an online video for instructing shipping companies to become more aware of cyber threats. During the summit, DNV GL maritime cyber security service manager Patrick Rossi said ship operators should set up multiple barriers to prevent hackers.

These should include firewalls, updated antivirus, patch management, threat intelligence, intrusion detection, emergency recovery and awareness testing. OT should be segregated from open networks, only official ENC-provider USBs and update disks should be used and cleaned of malware before being inserted into ECDIS and these systems should be segregated from the internet.

Cyber regulations and guidance for shipping

EU General Data Protection regulation (GDPR) came into effect from 25 May 2018

IMO – Resolution MSC.428(98) – from January 2021 cyber security will be included in the ISM Code

TMSA 3 – cyber security was added to tanker management and assessment in January 2018; EU directive on the security of networks and information systems (NIS Directive) from May 2018

EU privacy rule (PECR) of individuals traffic and location data

Rightship added cyber security to inspection checklist

BIMCO – guidelines based on International Association of Classification Societies



GDPR IN THE SHIPPING SECTOR – European Community Shipowners Association have published a document intended to provide guidance to the shipping sector on the application of the EU General Data Protection Regulation (“GDPR”).

This document was prepared in consultation with our members.

It is intended for general information purposes only and does not constitute legal advice.  To receive legal advice, the reader should consult legal counsel. For definitions of the terms used in these guidelines, please see Appendix 2 to the guidelines.

  1. Application of the GDPR


  1. Does the GDPR apply when a ship has a non-EEA flag and non-EEA crew members?

The GDPR has a broad reach. It applies to organisations established in the EEA, when they process personal data in the context of the activities of these EEA establishments, regardless of whether the processing takes place in the EEA or not. The GDPR further applies to organisations outside the EEA who process personal data, if they offer goods and services to individuals in the EEA or monitor their behaviour. This particularly affects organisations with internet-based business models, offering goods or services to consumers in the EEA.



– The GDPR applies to a ship owner, ship operator or crewing agent who processes personal data and who is established in the EEA, regardless of the flag of the ship and the nationality of the crew.


– The GDPR applies to a cruise operator established outside the EEA, when it offers cruises to passengers residing in the EEA.


– The GDPR applies to an EEA establishment of a ship owner who processes personal data of non-EEA crew members that it receives from a non-EEA crewing agency.


– The GDPR applies to a non-EEA crewing agency that provides services to individuals in the EEA.



  1. What type of data processing activities are covered by the GDPR?

The GDPR applies to:

(i) any type of operation that is performed on personal data by automated (i.e., computerized) means, and

(ii) non-automated processing of data that (are intended to) form part of a filing system (i.e., keeping hard copy documents in a structured manner so that they are searchable according to specific criteria such as name, ID number, phone number, etc.).


The following are examples of operations that may be performed on personal data and that are covered by the GDPR: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


The GDPR applies to any information relating to an identified or identifiable individual, whether or not the information as obtained in a private or professional context.



– A filing cabinet containing HR records arranged in alphabetical order of employee names would be covered by the GDPR. An unstructured box of hard copy files would not be a relevant filing system and would fall outside the scope of the GDPR.


– Activities that are covered by the GDPR include for example storing employment details of crew members, recording crew members on a ship using audio and video equipment to ensure workplace security, managing contact details of a charter’s port agents, transferring (sensitive) personal data outside the EEA.


– Any information relating to individuals of any capacity associated with a shipping company falls within the scope of the GDPR.



  1. Does the GDPR apply only to sensitive types of information?

No. The GDPR applies to any information that relates to an identified or identifiable individual (e.g., crew members, passengers, staff at customers/partners). This includes, for example, names, email addresses, phone numbers, online identifiers, location data, and information relating to an individual’s physical, physiological, genetic, mental, economic, cultural or social identity. In addition, the GDPR imposes specific requirements when sensitive data are processed (i.e., any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of unique identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation). Such sensitive data are referred to as “special categories of personal data” in the GDPR.



– Categories of data that are covered by the GDPR include e.g., contact details, bank information (including cash flows), medical certificates, passport information, video and audio recording.


– Information regarding a crew member’s health (like the aforementioned medical certificates)   or trade union membership is considered sensitive data.


  1. Who is the data controller? Who is the data processor?

An entity that decides on the ‘why’ and the ‘how’ of data processing is considered a “controller”. If a controller engages a third party (e.g., service provider) to process personal data on the controller’s behalf, that third party will qualify as a processor. There can be several controllers and processors that are involved in the same data processing activity.



– When a ship owner installs video cameras on a ship to ensure workplace safety, the ship owner will be considered a controller for the collection of video recordings.


– The ship owner and charterers are controllers for the disclosure of crew members’ personal data to port authorities, in order to fulfil their respective legal obligations vis-à-vis port authorities. In principle, a ship manager is a controller when it manages such data transmission to the authorities, unless its role is limited to acting solely on behalf and under the instructions of the ship owner or charterer (in which case the ship manager is a processor).


­­- When an external payroll agency processes salaries of crew members, the agency acts as a processor.


– When a ship owner uses a cloud-based customer relationship management program, the cloud service provider acts as a processor.




  1. GDPR has many obligations. Does the shipping industry need to comply with all of them?

In principle: yes. The GDPR requirements apply to all organisations that process personal data, across all industries and sectors. However, some of the GDPR requirements apply only to high-risk data processing activities, which may not be relevant for all organisations in the shipping sector. Each organisation needs to assess which of the GDPR requirements apply to its specific activities.



The GDPR requires that a data controller carries out a ‘data protection impacts assessment’ (‘DPIA’) when it engages in data processing activities that will likely result in a high risk to the rights and freedoms of individuals. This requirement may apply e.g., to an organisation that monitors on-board drug and alcohol use. However, it will not apply to an organisation that only carries out standard HR data processing activities, unless these activities involve large scale processing of sensitive data or criminal data (e.g., in the context of seafarers’ screening).



  1. Does a non-EEA manning agent need to appoint a representative in the EEA? Does it need to be registered with a supervisory authority?

If a non-EEA manning agent provides services to crew members residing in the EEA, or monitors the behaviour of crew members in the EEA, it is subject to the GDPR and needs to appoint a representative in the EEA. The appointment must be in writing, but it does not need to be registered with a supervisory authority. This requirement also applies to manning agents that are established in “adequate” third countries (see section III on international data transfers below).



A manning agent established in New Zealand must appoint a representative in one of the EEA countries where the crew members’ reside whose personal data are processed or whose behaviour are monitored.



Maritime GDPR – General Data Protection Regulation Implementation

The EU General Data Protection Regulation (GDPR)

The EU’s General Data Protection Regulation (GDPR) will apply from 25 May 2018, when it supersedes all EU member states’ current national data protection laws. Significant and wide-reaching in scope, the Regulation brings a 21st-century approach to data protection. It expands the rights of individuals to control how their personal information is collected and processed, and places a range of obligations on organisations to be more accountable for data protection.Maritime GDPR – General Data Protection Regulation Implementation!

Deadline for compliance: 25 May 2018


Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

Who is impacted?

The GDPR applies to controllers and processors that are handling the personal data of European individuals. Perhaps one of the most important things to note is that this new regulation applies to ALL organisations collecting and processing personal data of individuals residing in the EU, regardless of the company’s physical location.

All maritime companies need to be in compliance by the deadline of enforcement / SHIP IP LTD can assist you STEP BY STEP and  prepare an organization to be compliant with the GDPR, update your SMS provide you policies and all tools required !


How we get started ?

Please complete simple form below so we can understand your company’s size and resources required to be reviewed .

Our consulting team will get in contact with you soon to arrange a web conference and discuss next steps.

How much it costs ?

That depends the size of your company / number of people involved and our findings after our initial GAP analysis .

How much time required until implementation ?

Usually between 4-8 weeks – We suggest you that the person really knows your internal workflow and data structure to be in direct contact with our team so we can reduce implementation time to minimum.

Do we need a DPO (Data Protection Officer) ?

YES you need for sure ! at least the first two years so people can be trained and be mature with the new regulation.

SHIP IP LTD offers outsourced DPO service with an agreed annual FEE – So we actually can follow up and ensure implementation after we complete relevant consulting . Our DPO is certified by TUV Austria

What Documentation will be provided ?

40+ policies, procedures, controls, checklists, tools, presentations and other useful documentation , sample list below not limited :

  • Data protection policy
  • Training policy
  • Information security policy
  • Data protection impact assessment procedure
  • Retention of records procedure
  • Subject access request form and procedure
  • Privacy procedure
  • International data transfer procedure
  • Data portability procedure
  • Data protection officer (DPO) job description
  • Complaints procedure
  • Audit checklist for compliance
  • Privacy notice


SHIP IP LTD will help you from initial steps until implementation and auditing to ensure continues auditing !

Get in contact with us TODAY !

Error: Contact form not found.


GDPR and Crew Management

Review your Crew Management Arrangements

In this article, the Club recommends that as part of your preparations for GDPR you complete a review of your crew management arrangements to ensure they will be GDPR compliant. We are grateful to Ian MacLean of Hill Dickinson LLP for his input into this article.

Key Actions to Consider

In relation to crew management, you should consider the following key actions as part of your wider GDPR compliance programme:

  • Data controller or data processor? Review your crew management arrangements and crew information to determine if you are the ‘data controller’ or the ‘data processor’ of crew personal data. You will be a data controller if you decide the purposes and means in which the personal data is processed; you will be a data processer if you are responsible for the processing of personal data on behalf of a data controller. If you are a data processor, the GDPR places specific legal obligations on you to maintain records of personal data and processing activities concerned with it. However, if you are a data controller the GDPR places additional obligations on you to ensure that the data remains properly controlled/secured if you pass it on to third parties.
  • Determine the lawful basis for the processing of personal data relating to crew –whether or not you are a data controller or a data processer you must determine a valid lawful basis for the processing of crew personal data. GDPR provides for the following lawful bases for the processing of personal data:
    • Consent
    • Contractual
    • Legal obligation
    • Vital interests
    • Public task
    • Legitimate interest

Some practical examples of these lawful bases are considered further in this briefing.

  • Consider whether you hold and process any special category data (data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation) as you will need to identify:
    • a lawful basis for the processing of this information; and
    • a separate condition or reason for the processing of special category information. These reasons are detailed in Article 9 of the GDPR and include where an individual has given their explicit consent to the processing of this personal data.
  • Complete your ‘record of processing’ – data controllers and data processors are responsible for maintaining a ‘record of processing’ which records their data processing activities. Members should ensure their data processing records detail the data processing activities being undertaken in relation to their crew.
  • Privacy Notices – These explain how you as an organisation collect and process personal data. GDPR sets out the information that you should supply to individuals when collecting and processing personal data. Review your current privacy notices to ensure they meet the GDPR requirements.
  • Contracts – review any third party contracts relating to the processing of personal data and ensure they meet the requirements of GDPR. Members may need to seek specific legal advice in this area in order to ensure data processing arrangements are GDPR compliant.
  • Consider local requirements – if you are located outside of Europe you will need to comply with any applicable local requirements concerning data protection and privacy issues. GDPR will also apply to you if you are offering services to, or are processing personal data relating to, individuals located in the European Union.
  • Unless additional safeguards are in place, the GDPR prohibits the transfer of personal data outside of the European Economic Area to a country that does not, in the view of the European Commission, have adequate data protection (1).

GDPR and Crew Management


Source : The North of England P&I Association Limited

Maritime General Data Protection Regulation (GDPR) – Privacy Policy Generator!

The main focus of the General Data Protection Regulation (GDPR) is the protection of personal data and digital privacy.

Because of this, your Privacy Policy is going to be an important part of your GDPR compliance plan.

A Privacy Policy is where you let your users know:

  • What personal information you collect
  • How and why you collect it
  • How you use it
  • How you secure it
  • Any third parties with access to it
  • If you use cookies
  • How users can control any aspects of this

Privacy Policies tend to be long, dense legal agreements with a lot of detailed information. Your users might feel intimidated by page after page of technical information, which is what the GDPR is working to avoid.

Update your Privacy Policy to be GDPR-compliant by cutting out legalese and using clear language that your average user will understand.

Along with the seven standard points above, you must also include the following information in your Privacy Policy to be GDPR-compliant.

Note that each point doesn’t have to be a separate clause. As long as the information is somewhere in your Policy, it will work.

1. Who your Data Controller is

2. Contact information for the Data Controller

3. Whether you use data to make automated decisions

4. Inform users of the 8 rights they have have under the GDPR

5. Whether providing data is mandatory

6. Whether you transfer data internationally

7. What’s your legal basis for processing data

Source : TermsFeed – Online Privacy Generator




Potentially yes. Application of the GDPR would depend on
factors such as whether the data involved was personal data
within the meaning of the GDPR, related to an EU citizen, and/or
was processed by an organisation established in the EU.

This question presupposes that a ship-owning business will
only process crew’s data, which in fact will never be the case.
Article 3 par. 1 of GDPR provides that the Regulation applies to
the processing of personal data in the context of the activities
of an establishment of a controller or a processor in the Union,
regardless of whether the processing takes place in the Union
or not. This shall be the basic criterion for GDPR application in
respect of any business, including Greek Ship Owners.

Yes, potentially. This would depend on the circumstances.



Days Left :

[wpcdt-countdown id=”8836″]

The General Data Protection Regulation (GDPR) is a comprehensive regulation that unifies data
protection laws across all European Union member states. It defines an extended set of rights for
European Union citizens and residents regarding their personal information. Consequently, it
describes strict requirements for companies and organizations on collecting, storing, processing
and managing personal data.

“The GDPR will change not only the European data protection
laws but nothing less than the world as we know it.” Jan Philipp
Albrecht, MEP, EU rapporteur on GDPR

Where organisations are established within the EU

GDPR applies to processing of personal data “in the context of the activities of an establishment” (Article 3(1)) of any organization within the EU. For these purposes “establishment” implies the “effective and real exercise of activity through stable arrangements” (Recital 22) and “the legal form of such arrangements…is not the determining factor” (Recital 22), so there is a wide spectrum of what might be caught from fully functioning subsidiary undertakings on the one hand, to potentially a single individual sales representative depending on the circumstances.

Where organisations are not established within the EU

Even if an organization is able to prove that it is not established within the EU, it will still be caught by GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the offering of goods or services” (Art 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Art 3(2)(b)) as far as their behaviour takes place within the EU. Internet use profiling (Recital 24) is expressly referred to as an example of monitoring .

Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

All MARITIME COMPANIES either their headquarters based within the EU or not should comply with the GDPR Regulation by May 28,2018 !


VAT:BG 202572176
Rakovski STR.145
Phone ( +359) 24929284
E-mail: sales(at)