Skip to content Skip to footer

Who we are

Our website address is: https://shipip.com.

What personal data we collect and why we collect it

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select "Remember Me", your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Analytics

Who we share your data with

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

Your contact information

Additional information

How we protect your data

What data breach procedures we have in place

What third parties we receive data from

What automated decision making and/or profiling we do with user data

Industry regulatory disclosure requirements

GDPR

AVOIDING THE GDPR ICEBERG – DATA PROTECTION IN THE SHIPPING INDUSTRY, SEPTEMBER 2017

August 6, 2020

With large potential fines (the greater of up to 4% of global turnover or 20 million Euros), risk of claims from individuals and reputational damage, businesses need to make the necessary changes to their systems and policies now in order to be prepared when the GDPR “goes live” on 25 May 2018.

Organisations in the shipping industry may collect a lot of personal data, from email addresses of business contacts and counterparties to vessel crew and passenger information, as well as information about their own employees. Crew and contractors are vetted and managed. Immigration law obligations in numerous jurisdictions require certain personal information to be shared. Every business transaction involves interaction with individuals working for corporate counterparties. Much of this information is likely to cross national borders and be exposed from time to time to physical and cyber security risk. Once the GDPR applies, and the risk of large fines and reputational damage increases, breach of the data protection rules could potentially sink the business (or at least cause it to take on water).

Does the GDPR apply to my business if it is not based in the EEA?

The GDPR applies to all organisations “established” within the EEA, i.e. any organisation which has a “real and effective activity, even a minimal one, exercised through stable arrangements”. If you have an office or regular operations in the EEA, and process personal data in the context of that office or those operations, then the GDPR is likely to apply to your business. The fact that the processing itself actually takes place outside of the EEA would not be material.

The GDPR will also apply to organisations established outside of the EEA if certain conditions apply, including where they monitor the behaviour of individuals within the EEA (for example, via cookies), offer goods or services to individuals within the EEA (note that if you offer goods or services to a business that business has individuals within it) or where EEA Member State law applies in accordance with international law, e.g. where a vessel is flagged with an EEA Member State registry.

Particular factors to consider when determining whether the GDPR will apply are:

  • Are any of your vessels flagged within the EEA?
  • Is your website directed towards customers based in the EEA, for example by giving an option to choose a “UK” setting, an EEA currency, or a particular language?.
  • Can your services be bought from within the EEA?
  • Do you have a registered establishment or an office in the EEA?
  • Is your business currently registered with an EEA data protection authority, such as the UK’s Information Commissioner’s Office (the “ICO”)?
  • Do you use servers located in the EEA?
  • Do you monitor the behaviour of any individuals within the EEA (irrespective of their nationality or habitual residence)? For example, if your website uses tracking cookies, then you are “monitoring individuals” for the purposes of the GDPR.

If the answer to any of these questions is yes then it is likely that the GDPR applies to you.

So the GDPR applies to my business – what next?

The GDPR introduces a host of new obligations and requirements with which businesses must comply.

First, some essential terminology: “data controllers” make the decisions on how and why personal data are processed. “Data processors” only process data on the instructions of the data controller. “Processing” means any action involving personal data, including merely storing it. “Personal data” means any information relating to an identified or identifiable natural (living) person (a “data subject”). Under the new definition of personal data, online “identifiers” such as cookies and IP addresses can make an individual “identifiable”. “Sensitive” or “special category” reveal information such as an individual’s health, race or ethnicity, religious beliefs, ethnicity or sexual orientation.

A full list on how to comply with the GDPR requires more space than is available here, but five key action points are as follows:

  1. Conduct a data audit. Data controllers and processors alike are required to keep records of their personal data processing. Analyse your systems and practices to check what personal data you process, why, how you use them, where they are stored and whether you still need them. Check whether you process them in accordance with one of the permitted legal grounds (e.g. has the individual given their consent, or is the processing necessary for the performance of a contract with the individual, or necessary for a legitimate business interest). “Sensitive” personal data are subject to stricter rules and processing usually requires the individual’s consent. Note that “consent” is more difficult to obtain under the GDPR regime than under the UK Data Protection Act 1998 which implements the current EU data protection regime. Criminal records of employees or service providers can only be processed in accordance with specific EEA Member State laws. Document your findings and decisions.
  2. Draft or amend policies and procedures. The GDPR strengthens and adds to individuals’ rights, for example it strengthens the rights to have personal data deleted or frozen, adds a new right of “data portability” where an individual can request that personal data stored electronically be transferred to a different data controller, and shortens timelines for compliance with individuals’ requests. It also imposes new obligations on all data controllers to report personal data breaches to relevant data protection authorities within 72 hours, and to report breaches to individuals concerned (if the breach is high risk) “without undue delay”. It introduces a new concept of “privacy by design”, which requires businesses to think about protecting individuals’ privacy at the very beginning of any new project and to conduct “privacy impact assessments” calculating the potential risks to individuals’ privacy rights. Businesses will need to update (or draft) policies and procedures to ensure compliance with these obligations.
  3. Inform individuals about your processing through fair processing notices. Individuals must be kept informed about the processing of their personal data. The GDPR increases the amount of information which must be included in these notices. Privacy policies will need to be updated and businesses will need to amend (or draft) notification forms.
  4. Amend or put contracts in place with data processors. The GDPR requires data controllers to have contracts in place with all of their data processors, containing certain elements specified in the GDPR.
  5. Appoint a data protection officer. Many businesses will be required to appoint data protection officers, or may choose to do so voluntarily, given the increased risks associated with data protection.

These are just some of the actions that organisations need to take now. For more information on how you can prepare, and what systems you must have in place, see our special GDPR update at https://goo.gl/jNjMym or contact either:

Tags:
0Likes
About Author

You May Also Like

GDPR

Commission approves €600 million Finnish guarantee scheme to support maritime companies affected by the #Coronavirus outbreak

June 3, 2020
GDPR, Regulation

GDPR – Outsourcing your DPO ( Data Protection Officer)

March 15, 2018