EU General Data Protection Regulation (“GDPR”) in the shipping sector
June 26, 2018
GDPR IN THE SHIPPING SECTOR – The European Community Shipowners Association has published a document intended to provide guidance to the shipping sector on the application of the EU General Data Protection Regulation (“GDPR”).
This document was prepared in consultation with our members.
It is intended for general information purposes only and does not constitute legal advice. To receive legal advice, the reader should consult legal counsel. For definitions of the terms used in these guidelines, please see Appendix 2 to the guidelines.
- Application of the GDPR
- Does the GDPR apply when a ship has a non-EEA flag and non-EEA crew members?
The GDPR has a broad reach. It applies to organisations established in the EEA, when they process personal data in the context of the activities of these EEA establishments, regardless of whether the processing takes place in the EEA or not. The GDPR further applies to organisations outside the EEA who process personal data, if they offer goods and services to individuals in the EEA or monitor their behaviour. This particularly affects organisations with internet-based business models, offering goods or services to consumers in the EEA.
– The GDPR applies to a ship owner, ship operator or crewing agent who processes personal data and who is established in the EEA, regardless of the flag of the ship and the nationality of the crew.
– The GDPR applies to a cruise operator established outside the EEA, when it offers cruises to passengers residing in the EEA.
– The GDPR applies to an EEA establishment of a ship owner who processes personal data of non-EEA crew members that it receives from a non-EEA crewing agency.
– The GDPR applies to a non-EEA crewing agency that provides services to individuals in the EEA.
- What type of data processing activities are covered by the GDPR?
The GDPR applies to:
(i) any type of operation that is performed on personal data by automated (i.e., computerized) means, and
(ii) non-automated processing of data that (are intended to) form part of a filing system (i.e., keeping hard copy documents in a structured manner so that they are searchable according to specific criteria such as name, ID number, phone number, etc.).
The following are examples of operations that may be performed on personal data and that are covered by the GDPR: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The GDPR applies to any information relating to an identified or identifiable individual, whether or not the information is obtained in a private or professional context.
– A filing cabinet containing HR records arranged in alphabetical order of employee names would be covered by the GDPR. An unstructured box of hard copy files would not be a relevant filing system and would fall outside the scope of the GDPR.
– Activities that are covered by the GDPR include, for example, storing employment details of crew members, recording crew members on a ship using audio and video equipment to ensure workplace security, managing contact details of a charterer’s port agents, and transferring (sensitive) personal data outside the EEA.
– Any information relating to individuals in any capacity associated with a shipping company falls within the scope of the GDPR.
- Does the GDPR apply only to sensitive types of information?
No. The GDPR applies to any information that relates to an identified or identifiable individual (e.g., crew members, passengers, staff at customers/partners). This includes, for example, names, email addresses, phone numbers, online identifiers, location data, and information relating to an individual’s physical, physiological, genetic, mental, economic, cultural or social identity. In addition, the GDPR imposes specific requirements when sensitive data are processed (i.e., any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation). Such sensitive data are referred to as “special categories of personal data” in the GDPR.
– Categories of data that are covered by the GDPR include e.g., contact details, bank information (including cash flows), medical certificates, passport information, video and audio recording.
– Information regarding a crew member’s health (like the aforementioned medical certificates) or trade union membership is considered sensitive data.
- Who is the data controller? Who is the data processor?
An entity that decides on the ‘why’ and the ‘how’ of data processing is considered a “controller”. If a controller engages a third party (e.g., service provider) to process personal data on the controller’s behalf, that third party will qualify as a processor. There can be several controllers and processors that are involved in the same data processing activity.
– When a ship owner installs video cameras on a ship to ensure workplace safety, the ship owner will be considered a controller for the collection of video recordings.
– The ship owner and charterers are controllers for the disclosure of crew members’ personal data to port authorities, in order to fulfil their respective legal obligations vis-à-vis port authorities. In principle, a ship manager is a controller when it manages such data transmission to the authorities, unless its role is limited to acting solely on behalf of and under the instructions of the ship owner or charterer (in which case the ship manager is a processor).
– When an external payroll agency processes salaries of crew members, the agency acts as a processor.
– When a ship owner uses a cloud-based customer relationship management program, the cloud service provider acts as a processor.
- GDPR has many obligations. Does the shipping industry need to comply with all of them?
In principle: yes. The GDPR requirements apply to all organisations that process personal data, across all industries and sectors. However, some of the GDPR requirements apply only to high-risk data processing activities, which may not be relevant for all organisations in the shipping sector. Each organisation needs to assess which of the GDPR requirements apply to its specific activities.
The GDPR requires that a data controller carries out a ‘data protection impact assessment’ (‘DPIA’) when it engages in data processing activities that will likely result in a high risk to the rights and freedoms of individuals. This requirement may apply e.g., to an organisation that monitors on-board drug and alcohol use. However, it will not apply to an organisation that only carries out standard HR data processing activities, unless these activities involve large scale processing of sensitive data or criminal data (e.g., in the context of seafarers’ screening).
- Does a non-EEA manning agent need to appoint a representative in the EEA? Does it need to be registered with a supervisory authority?
If a non-EEA manning agent provides services to crew members residing in the EEA, or monitors the behaviour of crew members in the EEA, it is subject to the GDPR and needs to appoint a representative in the EEA. The appointment must be in writing, but it does not need to be registered with a supervisory authority. This requirement also applies to manning agents that are established in “adequate” third countries (see section III on international data transfers below).
A manning agent established in New Zealand must appoint a representative in one of the EEA countries where the crew members whose personal data are processed or whose behaviour is monitored reside.