London.UK. At least seven workers lost their lives while scrapping vessels on the beach of Chattogram in what is the worst quarter in terms of number of accidents in Bangladeshi shipbreaking history, NGO Shipbreaking Platform today reported.

“Few weeks ago, seven separate accidents that killed five workers were reported by the Platform. Since then, two more fatalities occurred. On September 18, Liton Paul, 26 years old, fell from the ORO SINGA (IMO 9171838) during cutting operations at SN Corporation yard. On September 29, a falling iron plate took the life of Taslim, 36 years old, on the MEDAN (IMO 9002207) at a yard owned by Kabir Steel group.

The ORO SINGA was sold by Indonesian company Selebes Sarana for more than $9m in Batam, Indonesia. Before reaching the shores of Sitakunda, the vessel was reflagged to Comoros and renamed SINGAPURA. It was said to have around 400 tonnes of sludge on board that needed to be removed prior recycling. According to shipping databases, the cash buyer involved in the sale was GMS, one of the most well-known dealers of end-of-life ships. GMS, which is behind a significant share of the total tonnage beached in the Indian subcontinent every year, praises itself as a sustainable leader of the sector. Yet, it keeps dealing with the worst shipbreaking destinations on the planet. Twelve accidents, causing nine deaths and twelve injures, have been registered at SN Corporation since 2009. In 2021 alone, two workers died and five suffered severe burns at the yard. GMS has also been linked by media and civil society to several toxic trade scandals, at least three of which are currently being criminally investigated by enforcement authorities in the UK and Iceland”

Source: humanrightsatsea

On August 20, 2021, the National People’s Congress Standing Committee finally passed the Personal Information Protection Law, which aims to establish a personal information protection system with Chinese features and, meanwhile, in line with international standards. It provides a variety of rights for personal information subjects to strengthen their control of personal information, while imposing strict obligations to personal information handlers. The law shall enter into force on November 1, 2021, leaving companies less than three months to prepare for their compliance obligations. Therefore, we would introduce the law in comparison to the EU General Data Protection Regulation to help companies better understand the key points and provide companies with preliminary guidance.

The publication of the EU General Data Protection Regulation (“GDPR”) in April 2016 (effective May 2018) may be regarded as the beginning of a wave of data privacy rules across the globe. Following the trend, China passed its first comprehensive law regulating personal information protection on August 20, 2021, namely the Personal Information Protection Law^[1] (“PIPL”), which will come into effect on November 1, 2021.

As a law dedicated to personal information protection, the PIPL tracks the GDPR in many perspectives. For example, both laws enjoy extraterritorial reach, provide various rights for personal information subjects, impose high administrative fines (PIPL sets a fine up to RMB 50 million or 5% of annual revenue) for infringements, and set joint liability upon the entities who jointly conduct data processing activities. However, the PIPL retains unique Chinese features, reflecting the government’s regulatory approach toward personal information, especially from the perspectives of cross-border personal information transfer and the public interest litigation system. In short, in addition to protecting the rights and interests of personal information subjects, the PIPL also aims to safeguard national security and public interests.

Considering the PIPL would significantly impact the Chinese data protection legal framework, companies need to heed China’s “GDPR.”  To better understand the regulations of the PIPL, we would compare it with the GDPR in the following aspects:

TERRITORIAL SCOPE

According to PIPL Article 3, the law primarily regulates how personal information^[2] is handled within the territory of the People’s Public of China (“PRC”), regardless of whether the entity that conducts handling activities has an establishment within the PRC.

As cross-border data transfers are essential in a globalized world, entities outside of China routinely may come into the possession or control of personal information relating to natural persons in China. The possession or control of this data adds both the risks for personal information infringement and the difficulty of personal information protection. It is thus important to include clauses for extraterritorial reach in the data protection legislation to better protect the interests of individuals, as well as maintain social stability and national security.

Therefore, it is not surprising to see that both the GDPR and the PIPL provide provisions regarding extraterritorial effects. PIPL Art. 3 states that it shall also apply to handling activities outside the territory of the PRC regarding the personal information of natural persons inside the territory of the PRC under certain circumstances. Examples include the provision of products or services from outside of the PRC to natural persons within the PRC. Other instances include where an entity outside of the PRC analyzes or assesses activities of natural persons within the PRC.

These concepts within the PIPL are not unfamiliar. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU or the monitoring of their behavior takes place within the EU. To confirm whether the processing activities are related to the offering of goods or services, the GDPR further clarifies that, factors such as the use of a generally used language or currency in the States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the EU may be considered, which to some extent helps us better understand the provision in the PIPL.

RIGHTS OF THE PERSONAL INFORMATION SUBJECTS

The PIPL provides abundant rights for personal information subjects, such as the right to know, the right to decide on, and the right to limit or refuse the handling of their personal information by others. Individuals also enjoy the right to access and copy their personal information from personal information handlers,^[3] the right to request correction or completion of their personal information, the right to withdraw consent, and the right to request that personal information handlers explain the handling rules. Under certain circumstances, the PIPL grants individuals the right to delete, such as when the handling purpose has been achieved, is impossible to achieve, or is no longer necessary to achieve.

Although adopting different terms, the data subjects enjoy similar rights under the GDPR, such as the right of access, the right to rectification, the right to be forgotten, the right to object, etc. It is worth noting that the PIPL imposes higher obligations on the personal information handlers regarding the individual’s right to know. For example, when providing personal information to other parties, regarding the scope of notification of the recipients’ information, while the PIPL requires personal information handlers to notify individuals about the name/personal name and contact method of the receiving party, the data controller only needs to notify the data subjects about the categories of recipients under the GDPR.

In addition, the GDPR provides individuals with the right to data portability, which also appears in the PIPL after its third review. PIPL Art. 45 states that where individuals request that their personal information be transferred to a personal information handler they designate, if such request meets conditions set up by State cyberspace administrations, personal information handlers shall provide a channel to transfer it. The GDPR provides more clear regulations regarding this right, stating that the data shall be transferred in a structured, commonly used and machine-readable format, and the data subject shall only exercise the right under certain circumstances, i.e., when the lawful basis for processing the data is consent or for the performance of a contract, and the processing is carried out by automated means. It is recognized that the right to data portability better enables the individual’s control of personal information and to some extent promotes the data flow between different platforms. However, it may generate technical difficulties for small-scale businesses as well as aggravate unfair competition between companies for data assets. Considering PIPL Art. 45 emphasizes that the right to data portability shall be exercised subject to the conditions set by the State cyberspace administrations, we can anticipate that the administrations will release further regulations to better implement the rule.

PERSONAL INFORMATION EXPORT MECHANISMS

The PIPL imposes clear obligations on the provision of personal information to any foreign parties. PIPL Art. 38 provides three mechanisms for exporting personal information out of the PRC, depending on the type of personal information handlers who need to provide personal information outside the PRC for business or other such purposes.

Critical information infrastructure operators^[4] and personal information handlers processing personal information reaching certain volumes shall store personal information collected and produced within the PRC domestically. Where such personal information must be provided across borders, the PIPL requires that such cross-border provision pass a security assessment administered by the State cyberspace administrations. Unfortunately, there is a lack of clear guidance on assessment procedures and standards at the current stage.

As for other personal information handlers, the PIPL provides two additional mechanisms for their cross-border personal information provision needs, namely 1) obtaining personal information protection certification; or 2) concluding a standard contract formulated by the State cyberspace administrations with the foreign receiving party.

The two export mechanisms can also be found in the GDPR. GDPR Art. 46 stipulates that a controller or processor may (in the absence of an adequacy decision) transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available. GDPR recognizes, inter alia, both standard contractual clauses and approved certification mechanisms as “appropriate safeguards.”

However, the PIPL also provides exemptions for the above mechanisms that the provision of personal information abroad can be conducted in the ways stipulated in the treaties or international agreements concluded or acceded to by the Chinese government.

Overall, the PIPL imposes more restrictions on the cross-border provision of personal information than the GDPR does. The PIPL provides fewer legal bases for the export of personal information. Additionally, to provide personal information abroad, personal information handlers shall conduct a personal information protection impact assessment in advance, fulfill its notification obligations to the individual, and obtain the individual’s separate consent, as well as adopt necessary measures to ensure that foreign receiving parties’ personal information handling activities reach the standard of protection provided in the PIPL.

LEGAL LIABILITIES

Many companies are quite concerned about the GDPR due to its tough fines, which could be up to €20 million, or 4% of a company’s worldwide annual revenue from the preceding financial year, whichever amount is higher. The PIPL also may fine up to RMB 50 million or 5% of a company’s turnover in the previous year (it is unclear how the 5% will be calculated and whether it refers to turnover in China or worldwide). The authorities may also order the suspension of related business activities, or cessation of business for rectification, cancellation, or corresponding professional licenses or business permits.

The directly responsible person in charge and other directly responsible personnel are fined up to RMB 1 million and may also be prohibited from holding the positions of director, supervisor, high-level manager, or personal information protection officer for a certain period.

In addition to the administrative liabilities mentioned above, the PIPL provides civil and potential criminal liabilities. Civil liabilities include penalties for damages and losses to the individual. Joint personal information handlers would bear joint liability if their personal information handling activities harm individuals’ personal information rights and interests and result in damages. PIPL Art. 70 further establishes a public interest litigation system, stating that the People’s Procuratorates (the Prosecutor General’s Office in common parlance), statutorily designated consumer organizations, and organizations designated by the State cyberspace administrations may file a lawsuit if the rights and interests of many individuals are infringed by the personal information handlers. Criminal liability would be pursued depending on the type of violation.

CHINA-SPECIFIC PROVISIONS

As mentioned above, the PIPL provides some provisions with strong national features, which indicates that the government has considered personal information protection to be an important issue for national security. For example, PIPL Art. 41 prohibits personal information handlers to provide any personal information stored within the PRC to any foreign judicial or law enforcement agencies without approval of the authorities. PIPL Arts. 42-43 further provide regulations for extraterritorial and reciprocal protection systems, specifying that the government may put the foreign entities on a list limiting or prohibiting personal information provision if they engage in any personal information handling activity harming the national security or public interests of the PRC, and adopt retaliatory measures against any country or region adopting discriminatory prohibitions, limitations, or other similar measures against the PRC in the area of personal information protection.

To summarize, the protection of personal information in China is not only a matter of securing the rights and interests of personal information subjects, but also an essential element of national security and public interests.

OBSERVATIONS AND SUGGESTIONS

As analyzed above, although the PIPL draws great inspiration from the GDPR, the PIPL imposes higher compliance obligations on companies from certain perspectives. For example, when transferring personal information abroad, individual’s “separate consent” of cross-border personal data transfer is required under PIPL. Therefore, companies that fall in the regulatory scope of the PIPL shall develop their compliance system accordingly, instead of relying on the GDPR system. It is worth noting that the PIPL would come into effect within less than three months, which would be a great challenge for companies due to its strict penalties and stringent obligations placed.

In this regard, we would suggest companies start considering the questions that may arise from the new law, such as:

• Does the company need to set up a local data center?
• Does the company need to update its data processing agreement with its third-party data processors?
• How shall the company update its internal policies, such as personal information policies for employees or consumers?
• What export mechanism can the company adopt in order to achieve its data transfer needs with foreign affiliates?

Considering the PIPL is overall legislation establishing the data protection framework and provides general principles for personal information handling activities and personal information handlers’ obligations, it somehow lacks detailed explanations. It is anticipated that the authorities would release further regulations and rules to provide companies with more guidance and implement the supervision work step-by-step.

Source: winston

OSMs recruitment services help maritime and offshore businesses who want to recruit the right people with the right expertise by increasing the speed of delivery and secure quality and compliance.

OSM Recruitment team has extensive experience across all types of vessels and offshore units. OSM has the industry’s leading pool of candidates where seafarers and offshore specialists register their CV and profile. Additionally, we have offices around the world on locations relevant to our clients and candidates. As a result, OSM can connect your business with talented seafarers and offshore specialists across the globe, being your recruitment partner in the maritime and offshore industry.

Source: osm.no

From 21 to 25 August 2021, the Multinational Maritime Coordination Centre (MMCC) of ECOWAS Zone F prepared and conducted the Operation Anouanze. The operation, led by Ghana and Cote d’Ivoire, was supported by UNODC through Danish funding and used data provided by Skylight and Trygg Mat Tracking.  Aiming to oversee the compliance with law at sea in the vast area connecting the EEZs of Ghana and Cote d’Ivoire, the operation was carried out thanks to a system of naval air assets pooled by the two countries and coordinated by the MMCC.

At the request of the participants, GoGIN sent a trainer to Abidjan to optimise the use of the YARIS communications and decision-making platform during the operation. The feedback on YARIS following Operation Anouanze highlights the value of the platform, which offers a single, comprehensive information system to use in situations where, in the past, several tools were required to achieve the same results.

Source: gogin

Source: newswire

Maturity and innovation have proved a winning combination as the world’s most technologically inventive ship registry has been elevated to the Paris MoU Grey List from June 2021.

Palau International Ship Registry (PISR) has been recognised for its digitally based services and growth in just three short years. This is a remarkable progression for a new registry and is attributed to the commitment to digital services and the recruitment of experienced and knowledgeable staff across the maritime sector. Now the combination of its own unique technology and human resources has seen it record some of the lowest detention figures for its growing fleet in the past 12 months.

Panos Kirnidis, CEO of PISR, is also celebrating the fifth anniversary of the registry’s European office based in Piraeus in Greece and believes the registry’s inclusion in the 2021 Paris MoU Grey List is a testament to the maturity and determination of its global network.

“This is not a surprise to anyone associated with Palau International Ship Registry. We were determined to lift ourselves into the white list and this will be achieved through our innovative and unique technology combined with the recruitment of experts in every aspect of ship registry services.

“Detentions by Port State Control and the increasing environmental regulations have put ship owners and operators under great stress in the past few years. The global pandemic has added to their worries and yet, we have proved that by investing in online services, finding the right people across our global network and offering our unique Deficiency Prevention System (DPS), we can assist them in avoiding these financially damaging detentions.

“It is this combination that is unique to PISR. It is our own in-house developed software systems that have seen our fleet detentions plummet. It is simple to use, highly effective and available from a desktop PC or even a smartphone. This is the reason PISR has been able to reduce detentions and allow us to claim our place in the Grey List. But we are not stopping our drive and we will see even further improvements in our listing into 2022 and beyond.”

After just five years PISR has been recognised as one of the world’s fastest growing and most inventive ship registries according to Panos Kirnidis.

“When I talk to ship owners, they tell me they want reliable and dependable services. They want information in real time enabling them to make the decisions that keep them sailing without penalties. We developed our Deficiency Prevention System (DPS) to do just that, and it has been an outstanding success. This is a process of maturity for any new ship registry, but we began life by examining the mistakes other established registries had made and then avoided them. Our combination of technology and the human element is the basis for our proactive services. “We recently hosted an online event for our Deputy Registrars and Flag State Inspectors and recognised their contributions to our success. Finding the right people is as painstaking as developing the technology but ship owners tell us it is paying dividends. We have been saying we are trailblazers in an established industry. We have been telling the maritime and shipping world that Palau International Ship Registry is here to stay. Well, we have proved that, and we make no apologies for saying the Grey List is a great reward for our faith and determination to be the best at what we do. As a flag of confidence, PISR will continue to innovate, operate and generate, the right combinations of services, fees, knowledge and customer service that we are known for. This year the Grey List and our targets for the coming years include an even larger fleet and the White List is in our sights.”

Source: palaureg

1. Data Processing and Data Processing Purposes

1.1 The Company “CITY UNITY Maritime Training Center” (hereinafter: «the Company») processes, in the context of your employment, personal data collected by you and/or third parties (such as recruiters, job-posting websites and/or your previous employer), in accordance with Regulation (ΕU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: «GDPR») and Greek legislation. More specifically, the Company processes personal, passport/ID and communication information, banking, social security and tax data, information about your education and previous and current employment, photo, your marital status and family information, travel information, your communications with the Company, information about your next of kin, health data, information about your entry/exit from the Company, e-mails that you send from and receive in your corporate e-mail account, calls you make and receive in your corporate mobile phone and work phone, your corporate mobile phone bill and any other personal data that may be necessary to achieve the below purposes of personal data processing.

1.2 The Company processes your personal data during your employment, while such processing will extend after the completion of such employment, and to the extent required in order for the Company to comply with its legal obligations towards the authorities and/or third parties, to comply to any applicable provisions on the obligatory data retention periods or in order for the Company to support its claims or rights.

1.3 The Company processes your data in order to ensure its proper operation in accordance with its employee-related procedures, to fulfill its staffing needs, to comply with its legal and contractual obligations, to identify its employees and to ensure the safety of its staff and of its premises.

2. Transfer of personal data to third parties

2.1 Your data may be made accessible to the Company’s personnel, as well as to third parties, such as the competent authorities, technical contractors, investigators, accountants, auditors, lawyers and legal counsels, IT companies providing technical or cloud services or i-storage platforms and banks.

2.2 The Company may also transfer some or all your data for the above purposes to persons located in countries that are not members of the European Economic Area (EEA). Where such countries have not been granted with an adequacy decision by the European Commission, any transfer shall take place under the appropriate safeguards in accordance with the GDPR, such as Standard Contractual Clauses approved by the Commission or by the competent national authority.

3. Your rights

In accordance with the GDPR, you have the right to: (a) request access to your data and to information relating to the processing thereof by the Company, (b)  request corrections and/or the completion of your data, (c)  request the Company to delete your data, (d)  request the restriction of the scope of processing, the way that the Company is processing your data, as well as the purposes for which the Company is processing them, (e) receive the personal data you provide to the Company and to transmit them and/or request the Company to transmit them to another data controller, (f) object to the processing of your personal data, (g) file a complaint before the Hellenic Data Protection Authority, and (h) so far as the processing relies upon your consent, to withdraw such consent at any time. To exercise your rights, please contact the Company as illustrated below at 5.

4. Legal basis for the processing of personal data

The Company processes your personal data because the processing is necessary, in order for the Company to:

(a) comply with its legal obligations, including among others obligations in the field of employment or social security law,

(b) fulfill its obligations and/ or satisfy its rights deriving from your employment agreement,

(c) satisfy its legitimate interests, such as its proper operation in accordance with its employee-related procedures, to fulfill its staffing needs, to comply with its legal and contractual obligations, to identify its employees and to ensure the safety of its staff and of its premises and the fitness to work of its employees,

(d) establish, exercise or defend legal claims, and/or

(e) process your personal data pursuant to your consent.

The above processing is required by law or due to a contract executed between you and the Company. Therefore, if you do not provide us with your data, the execution of your employment agreement may not be possible.

Source: maritimecareer

Two years to go. The International Maritime Organization (IMO) encourages ship owners and managers to have incorporated cyber risk management into ship safety by the 1st of January 2021. But what does that mean? And how to address maritime cyber risks?

Digitalization

The maritime sector is on the verge of a digital disruption. Digitalization is increasingly considered one of the key solutions to the many significant challenges the sector is facing, ranging from overcapacity, low margins, regulatory pressure, and lack of efficiency, to new digital demands from customers. Although digital transformation of the maritime sector is still in its infancy, it’s safe to assume that digitalization will have a major impact on operations and existing business models in the years to come.

But fast-moving changes do not come without risk. Industrial automation and control systems that were once isolated and deemed secure, are increasingly being connected to corporate networks and the Internet. Individual devices across enterprise Information Technology (IT) and Operational Technology (OT) networks – from smart digital equipment and tools to navigation, engines and more – will present potential new pathways to cyber attacks and incidents on vessels.

First steps towards regulation

This has driven IMO to issue the Resolution on Cyber Risk Management. The resolution “encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems” by 2021.

While that does not sound too obligatory, potential implications of inappropriate cyber risk management are obvious, as it may lead to, for example:

• Increased (unforeseen) expenses;
• Operational loss due to incidents;
• Safety and personnel damage;
• Limited competitive edge.

But potentially, consequences are more widespread. Lack of compliance with these requirements may also lead to increased insurance fees, port access denial and even detention of ships, again meaning huge financial losses for their owners.

It is expected that, though for now just a recommendation, the IMO Guidelines can become the GDPR for the maritime sector: that regulation where noncompliance potentially affects your license to operate – and that regulation that seems difficult to get a grip on.

As cyber security may not be the core business of most maritime organisations, proper guidance on efficiently incorporating cyber risk management is needed. This is where KPMG offers its global expertise on cyber security advisory and digital risk management for the maritime sector.

Addressing cyber risk

KPMG’s solutions aim at letting maritime organisations manage cyber risk in the way that is intended in, for example, the IMO Guidelines on Maritime Cyber Risk Management and the BIMCO Guidelines on Cyber Security Onboard Ships. This includes:

• Identify: To be able to identify and manage risks and turn them into business advantages, you first need to understand your connected landscape and identify the most relevant threats and highest risks for your environment.
• Protect: Once you understand your maritime IT and OT landscape and the impact and risks of the different systems within, you can take appropriate measures to protect it where relevant.

Source: linkedin

Believe it or not, it’s still a little too early to see what impact the new regulation is having, although this is line with our expectations given the data protection regulators around Europe were inundated with reports of data breaches that still related to pre-GDPR enforcement. Only within the last few months, are we now starting to see some examples of organisations that are falling foul of post GDPR requirements, however despite this, what we do know is the shipping sector needs to be continually switched on to the requirements of GDPR given the day-to-day processing activities undertaken by shipping companies.

Processing activities include the processing of crew information, the transfer of personal information between a shipping company and third parties such as a port agents, manning agents or P&I clubs and the international exposure of data transfers resulting from these relationships.

Shipping companies should also remember personal health records are often collated and processed, triggering the GDPR requirements surrounding the processing of special categories of personal data.

The real issue that organisations in all sectors, including shipping, are coming across is the GDPR requirement surrounding ‘accountability’. Post 25 May 2018, it’s important that any organisation is fully compliant or able to provide evidence that they are actively working towards compliance to satisfy the accountability and transparency principles of the GDPR.

So as professional advisors, what are we seeing now, some ten months later?

There are still a significant number of shipping companies continuing to work towards full compliance, but very quickly we’re seeing a shift from ‘getting ready for GDPR’ to focusing on how to satisfy the accountability requirement – that is, how you will ensure your shipping company continues to comply with the regulation in future.

Article 5 of the GDPR focuses on the accountability principle. This is the part of the regulation all shipping companies must be on top of and be able to evidence, at least annually, going forward.

The responsibility of satisfying the accountability principle falls upon the assigned Data Protection Officer or, if one is not deemed necessary, the individual that has been allocated the responsibility of data protection within an organisation.

Shipping companies need to consider whether all policies, procedures and systems introduced or amended are being adhered to and whether they’re working effectively, to ensure you continue to operate within the expectations of the regulation.

This means introducing a GDPR compliance project plan that incorporates appropriate testing and verification techniques, so at the end of the year, management are able to assess what’s working well and what needs further improvement.

We’ve launched our Data Protection Officer support function service and our outsourced Data Compliance Officer function, which includes the management and running of the ongoing GDPR compliance monitoring plan, but moreover enables your shipping company to pass more of the responsibility of data protection to us as an outsourced provider.

Source: hellenicshippingnews

Introduction

The EU General Data Protection regulation (GDPR) was approved by the EU parliament on 14 April 2016 and comes into force on 25 May 2018. This piece of legislation introduces a new data protection framework to be applied to all the EU member states. This new regime – indeed much more severe and cogent than the existing one – aims to provide a greater amount of rights on individuals in relation to their data. As a result, the amount of obligations upon the organizations with regard to storage, collection, and treatment of personal data will definitely increase. One of the key changes is certainly the consequences in case of GDPR breaches. Fines for non-compliance, in fact, may reach up to either Euro 20 million or 4 % of the annual turnover (whichever is higher) for serious breaches.

What is Personal Data?

Pursuant to article 4 of the GDPR, personal data means any information relating to an identified or identifiable natural person, so-called data subject. A natural person can be identified by an identifier such as a name, identification number, location data or through factors specific to social identity. Further to this, Special Category personal data is data revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, genetic and medical information. Organizations are subject to additional obligations while processing these special data.

When does an organization “Process” Personal Data?

Processing personal data means to perform an operation related to certain personal data; for example, by using, deleting, amending or disclosing such personal data.

Why the Shipping Industry will be affected by the GDPR?

Shipping companies store and handle a great amount of personal data, for instance passenger information, crew member details, travel documents, training records, bank details and other information gathered in the ordinary course of business. Moreover, shipping companies are likely to share this information with third parties such as port agents and P&I clubs.

Not only shipping companies will be subject to the GDPR. Brokers, surveyors, agents, correspondents, external services providers, very often deal with personal data, sometimes also sensitive ones. For instance, a personal injury claim or a claim involving a minor; in this case, the claimant – i.e. the data subject – will enjoy the right conferred by the GDPR.

To whom the GDPR applies to?

The GDPR applies to people of all nationalities when their personal data is processed by an organization established in EU. Also, the GDPR applies to non-EU organizations when they process personal data of people who are based in EU.

What are the consequences of failing to comply with the GDPR?

Indeed, the GDPR introduces draconian punishments. Fines for non-compliance may reach up to either Euro 20 million or 4 % of the annual turnover (whichever is higher) for serious breaches. For less serious offences, fines can reach up to Euro 10 million or 2% of turnover.

Apart from pecuniary punishments, non-compliance with the GDPR might keep the faulty organization away from important business opportunities in the future. Indeed, without mentioning the reputational consequences of a data breach, the GDPR compliance might become a paramount requirement for the companies in order to take part to the EU public contract tender, or in order to contract with companies siting in EU.

What should an organization do?

In order to comply with the GDPR, an organization should follow these 8 practical and essential steps:

1. Awareness: be aware that the law is changing to the GDPR. All the people of an organization must understand the impact of this new piece of legislation.
2. Information audit: assess what personal data the organization holds, where it comes from and who it is shared with. The audit is usually conducted by a legal team or professional firms with expertise in privacy matters.
3. Draft privacy notice: after the audit is concluded, it is possible to draft a tailor-made privacy policy according to the types of personal data that the organization process. Certain organizations are advised to draft several privacy policies, for example, one which contains specific wording where special category data is collected, another one for commercial use, and another one for HR purposes.
4. DPO: where appropriate, appoint a Data Protection Officer (DPO). An organization is required to appoint a DPO – i.e. someone to take responsibility for data protection compliance – where carries out the regular and systematic monitoring of individuals on a large scale or, carries out the large-scale processing of special categories of data such as health records, or information about criminal conviction. A competent external DPO can bring technical expertise and help to save time.
5. Consent: review how the organization obtains, records and manages consent. Consent must be specific, granular, clear, prominent, properly documented and easily withdrawn.
6. Individuals’ rights: check the procedure and be sure that they cover all the rights that individuals have. According to the GDPR, individuals have the right to: be informed, access, rectification, erasure, object and restrict processing. Therefore, the organization, for instance, should be ready to react if someone asks to have their personal data delated or modified.
7. Data Breaches: make sure that the right procedures are in place to detect, report and investigate a personal data breach, so-called Incident Report Plan. Authorities must be notified of any breach of the regulations within 72 hours of the event.
8. Training: ensure that organization personnel is trained about the GDPR compliance. A GDPR crash course along with periodic training would be appropriate in certain circumstances.

Will the GDPR affect the data that a ship uses and shares?

Yes, in so far as such data is considered Personal Data pursuant to article 4 of the GDPR.

Is a commercial data (B/L, Data of Vessel) subject to GDPR?

No, unless commercial data includes personal data.

Are the GDPR fines excluded from a P&I cover?

No. However, cover for such fine would indeed requires that all the reasonable steps to avoid the breach had been taken.

Source: macchimaggesi