The General Data Protection Regulation entered into force on the 25th of May and was designed to harmonize data privacy laws across Europe by introducing a new standard of data protection. It is important to remember that this legal instrument has an extraterritorial effect and as such also concerns foreign companies which operate within the EU or process data of European Citizens. Beyond doubt, companies operating in the maritime industry will be affected by the GDPR as they process large volumes of personal data such as data regarding employees, business contacts, passengers, vessel crew, contractors and much more. Stricter rules and higher fees increase the risk of non-compliance, however, the most direct impact of the GDPR raises three main issues.

First and foremost, the GDPR provides a number of new rights to the European Citizens. The most fundamental one is the legal basis for data processing which is, in fact, the consent of the person whose data is to be processed. As provided in the art. 4(11), the consent per se has to be given freely, unambiguously by statement or clear affirmative action. Consent from Clients can be accepted in several ways, e.g. by written, electronic or oral consent. Importantly, the Companies have to ensure that it is as easy to withdraw the given consent as it was given in the first place. Additionally, to considering the issues relating to obtaining or withdrawing consent  to the processing of personal data one should also take into account the further individual rights granted by the GDPR:

• right to access data (art. 15)
• right to rectify data (art. 16)
• right to delete data – “right to be forgotten” (art. 17)
• right to limit processing (art. 18)
• right to transfer data (art. 20)
• right to object (art. 21)

Moreover, the GDPR sets out seven key principles that should lie at the heart of data processing:

• lawfulness, fairness and transparency
• purpose limitation
• data minimisation
• accuracy
• storage limitation
• integrity and confidentiality (security)
• accountability

At the moment, every company operating in the shipping industry worldwide has to comply with the GDPR’s provisions when EU Citizen’s privacy rights are in question. This will have a major impact on those companies both time-wise and money-wise.

   1. Bureaucracy and costs

The companies that wish to be compatible with the new law will be subjected to an enormous amount of formal requirements and paperwork. All relevant activities should be implemented by means of appropriate internal procedures and duly documented. For this purpose, it is recommended to prepare appropriate documentation indicating the measures taken to properly implement and apply the GDPR (such documentation may include, among others, appropriate security certificates and certifying the competence of persons having the access to personal data, guidelines for employees, reports and analyzes risk, certification of the measures used to secure ICT systems, etc.).

The art. 30(1) of the GDPR, obliges each data administrator to keep a register of personal data processing activities. Mainly, this obligation binds only those companies which have more than 250 employees. However, it may still apply to smaller companies when data processing may cause a risk of violation, is not occasional and includes specific categories of information (e.g. race, affirmation to trade unions).

When the main activity of the administrator or processor consists of processing operations which, by their nature, scope or objectives, require regular and systematic monitoring of data subjects on a large scale then the GDPR provides for the obligatory appointment of Data Protection Officer. The administrator is required by the GDPR to carry out an analysis whether it is obliged to appoint a DPO. However, even if such an obligation does not directly result from the GDPR, according to the position of the Working Group (the opinion-forming body and co-creating the content of the GDPR), appointing an inspector is strongly recommended.

The appointment of such a person gives additional security guarantees – it confirms that the relevant body has acted with due diligence as regards the protection of personal data. The art. 37(5) provides that DPO should be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices as well as the ability to fulfil the objectives of the Regulation. In other words, the GDPR requires concerned companies to create a new position and employ an expert in the field.

As you can well imagine, these necessary changes will be time-consuming and will incur unavoidable costs. According to some estimations, the world’s 500 biggest corporations are on track to spend a total of $7.8 billion to comply with the GDPR.1

 2. More costs

The risk of non-compliance entails potentially very high costs as the regulators will have the power to fine businesses who breach GDPR requirements up to 4% of their worldwide turnover.

In the event of violation of rights of individuals, the administrator is exposed to civil and administrative legal liability. In the scope of the first type of liability, the GDPR provides persons whose rights have been violated with the possibility, inter alia, to apply to the court demanding that the administrator refrains from violating or ordering specific behaviour or for awarding damages.

In addition, a data administrator is also exposed to administrative sanctions, taking the form of fines, i.e.

• a fine of up to 10 million euro, and in the case of a company or group of companies with a total worldwide turnover exceeding 500 million euro – up to 2% of total global turnover from the previous year;
• a fine of up to 20 million euro, and in the case of an enterprise or group of companies with a total worldwide turnover exceeding 500 million euro – up to 4% of total global turnover from the previous year.

  3. Member States are not prepared

Back in 1995 the EU already have legislated on the protection of personal data. As such, the GDPR is a legal instrument which finds its origins in the previous century. Even though, a little number of Member States were actually prepared for the GDPR. Only France, Germany, Austria, Slovakia and Sweden have implemented appropriate national legislation in order to adjust their legal systems to the GDPR.
However, it does not mean that the other countries have resigned from introducing national modifications. Majority of Member State already have a draft legislation which will have to be passed in a due time. Hence it should be emphasized that it is not recommended for the entrepreneurs to refrain from adapting to the GDPR and its policy until the adoption of the new law on the protection of personal data in their Member States. The GDPR adopts a form of a regulation – hierarchically the most important legal act of the European Union – which means that the provisions of the GDPR are directly binding and applicable and as such have a direct effect. In other words, as from May 25, 2018, the GDPR applies in full, and entities that perform the relevant activities, including the collection and processing of personal data, are forced to strictly comply with these provisions.

Overall, high-stakes call companies to make sure to be GDPR compliant and there is a high probability that most of them still aren’t.

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is set to come into force in May 2018. It is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

The GDPR replaces the EU Data Protection Directive and applies to all member countries without the need for national legislation. After four years of discussion and amendments, the regulation officially takes effect on May 25, 2018 and places the EU at the forefront of data protection standards.

Ince & CO explains, “Shipping companies collect a great deal of personal data, including passenger information, crew and employee details, customer lists and details of business contacts. The complex global nature of the industry and high level of personal data processed and exchanged, often across national borders, can leave information vulnerable to security breaches, intentional or otherwise. Implementing effective data protection controls into daily operating procedures is a huge challenge. However, when the EU General Data Protection Regulation and the UK’s Data Protection Act 2018 come into force on 25 May 2018, businesses ignore them at their peril, as non-compliance can result in large fines and reputational damage. There are also commercial benefits to effective compliance: companies that protect the privacy of their passengers, employees and business associates and conduct properly targeted marketing campaigns will be more likely to attract and retain business and staff.”

Lester Aldridge underlines the steps companies need to take to prepare for the GDPR, stating, “under the GDPR, there is a full list of action points for businesses to take to ensure data protection compliance. The following 5 key steps are perhaps the most important ones that should help company’s process data correctly:

1. Appoint a data protection officer to ensure compliance.
2. Implement a system internally to ensure the relevant supervisor is informed of a personal data breach within 72 hours of first becoming aware of the breach.
3. Adopt an updated data protection and privacy policy by analysing your system and practice to ensure that data is processed in accordance with the permitted legal grounds
4. Run audits and risk assessments on collected personal data and keep the individuals informed about processing their personal data.
5. Provide training to your employees and ensure that they are abreast with the correct processes and ensure that data controllers have contracts with all of their data processors.”

With large potential fines (the greater of up to 4% of global turnover or 20 million Euros), risk of claims from individuals and reputational damage, businesses need to make the necessary changes to their systems and policies now in order to be prepared when the GDPR “goes live” on 25 May 2018.

HFW states, “The GDPR will also apply to organisations established outside of the EEA if certain conditions apply, including where they monitor the behaviour of individuals within the EEA (for example, via cookies), offer goods or services to individuals within the EEA (note that if you offer goods or services to a business that business has individuals within it) or where EEA Member State law applies in accordance with international law, e.g. where a vessel is flagged with an EEA Member State registry.

Particular factors to consider when determining whether the GDPR will apply are:

• Are any of your vessels flagged within the EEA?
• Is your website directed towards customers based in the EEA, for example by giving an option to choose a “UK” setting, an EEA currency, or a particular language?.
• Can your services be bought from within the EEA?
• Do you have a registered establishment or an office in the EEA?
• Is your business currently registered with an EEA data protection authority, such as the UK’s Information Commissioner’s Office (the “ICO”)?
• Do you use servers located in the EEA?
• Do you monitor the behaviour of any individuals within the EEA (irrespective of their nationality or habitual residence)? For example, if your website uses tracking cookies, then you are “monitoring individuals” for the purposes of the GDPR.

If the answer to any of these questions is yes then it is likely that the GDPR applies to you.

The GDPR introduces a host of new obligations and requirements with which businesses must comply. Five key action points are as follows:

1. Conduct a data audit. Data controllers and processors alike are required to keep records of their personal data processing. Analyse your systems and practices to check what personal data you process, why, how you use them, where they are stored and whether you still need them. Check whether you process them in accordance with one of the permitted legal grounds (e.g. has the individual given their consent, or is the processing necessary for the performance of a contract with the individual, or necessary for a legitimate business interest). “Sensitive” personal data are subject to stricter rules and processing usually requires the individual’s consent. Note that “consent” is more difficult to obtain under the GDPR regime than under the UK Data Protection Act 1998 which implements the current EU data protection regime. Criminal records of employees or service providers can only be processed in accordance with specific EEA Member State laws. Document your findings and decisions.
2. Draft or amend policies and procedures. The GDPR strengthens and adds to individuals’ rights, for example it strengthens the rights to have personal data deleted or frozen, adds a new right of “data portability” where an individual can request that personal data stored electronically be transferred to a different data controller, and shortens timelines for compliance with individuals’ requests. It also imposes new obligations on all data controllers to report personal data breaches to relevant data protection authorities within 72 hours, and to report breaches to individuals concerned (if the breach is high risk) “without undue delay”. It introduces a new concept of “privacy by design”, which requires businesses to think about protecting individuals’ privacy at the very beginning of any new project and to conduct “privacy impact assessments” calculating the potential risks to individuals’ privacy rights. Businesses will need to update (or draft) policies and procedures to ensure compliance with these obligations.
3. Inform individuals about your processing through fair processing notices. Individuals must be kept informed about the processing of their personal data. The GDPR increases the amount of information which must be included in these notices. Privacy policies will need to be updated and businesses will need to amend (or draft) notification forms.
4. Amend or put contracts in place with data processors. The GDPR requires data controllers to have contracts in place with all of their data processors, containing certain elements specified in the GDPR.
5. Appoint a data protection officer. Many businesses will be required to appoint data protection officers, or may choose to do so voluntarily, given the increased risks associated with data protection.”

The UK P&I Club suggests an action plan in accordance with the GDPR stating, “In order to comply to the full scope of the GDPR, it is recommended that organisations seek legal counsel.

At a minimum, here are a few high-level action items:

• Get consent: A data controller must be able prove that consent was given by the data subject.
• Conduct a Data Protection Impact Assessment: It’s important to assess privacy risks of processing personal data of individuals.
• Where appropriate, appoint a data protection officer: This person is responsible for overseeing compliance and data protection strategies.
• Be prepared to report data breaches: Under the GDPR organisations must report a breach within 72 hours.
• Maintain records of processing: Article 30 states that controllers “shall maintain a record of processing activities under its responsibility.”

The GDPR will change the way the shipping industry handles data forever. It is something that must be taken very seriously as any violation will result in severe repercussions. Organisations that fail to comply will face significant fines—as high as four percent of the organisation’s annual revenue. Furthermore, individuals may take action against any entity that improperly handled their personal data.

Source: seanews

Why is GDPR particularly relevant to shipping?
Although GDPR will probably affect every organisation that
processes personal data, the shipping industry will be particularly
affected due to the following reasons:
• Even small shipping companies process personal data of their
crew on a daily basis. Most shipping companies keep records of
their crew members between embarkations and for some time
after the last debarkation.
• Personal data processed by shipping companies includes
personal identification documents, bank details, travel
documents, training records but also data considered to be
‘sensitive’ such as medical records.
• Shipping companies receive personal data from many sources such
as the individuals themselves, manning agents, port agents and
other third parties, in the normal course of business.
• They send personal data to many recipients such as port agents,
travel agents and P&I clubs.
• They regularly make data transfers to a large number of
jurisdictions, with particular interest in those made to countries
outside the EU, and in specific, those where certain conditions
must be met in order for the transfer to be allowable.
What should shipping companies do?
1. AWARENESS
It is crucial that shipping companies kick-start their GDPR project
with raising awareness among top management on what GDPR
requires and what the key risks for their particular organisation
are. Engaging the right people at top management level is
necessary to ensure that the organisation commits the necessary
time and resources and develops a culture that respects privacy.
2. TEAM
With the full support of management, organisations need to
assemble a multi-discipline team to run the project ensuring
risk, legal and IT are included. The appointment of a Data
Protection Officer may be required, under certain
circumstances, in which case the organisations need to
consider who that person might be. Trusted external advisors
can bring technical expertise, perspective and help save time.
3. IDENTIFICATION OF DATA PROCESSING ACTIVITIES
It is then time to identify and record the data processing activities,
ensuring that for each activity, the entire data lifecycle is captured
(from collection all the way to destruction). Data processors and
joint-controllers should also be identified at this stage.
4. GAP ANALYSIS AND COMPLIANCE PLAN
Whilst capturing the flows, organisations should look for the
weaknesses in the data flows, evaluate the resulting risk and
respond to that risk with a specific practical plan of action, so that
the risk can be mitigated to an acceptable low level. To identify
weaknesses they will also need to consider their policies and
procedures, their current compliance framework (for example ISM,
MLC etc) as well as tools and enablers, including legal documents
(forms, terms and conditions, etc) and of course the IT environment.
5. IMPLEMENTATION OF CHANGES IN POLICIES,
PROCEDURES, NOTICES, LEGAL, IT
Once the specific action plan is complete, organisations can then
proceed to the implementation phase. This would normally include
making changes in privacy policies, contracts with manning agents,
P&I clubs, information notices to port agents, staff and crew as
well as drafting appropriate consent forms. Implementation could
also include changes in manual procedures, IT security (firewalls,
encryption etc) and business continuity & disaster recovery plan.
External advisors can again help carry out various aspects of the
implementation but also assist in managing the effort.
03/2018
The European General Data Protection Regulation (GDPR) comes into full effect on 25 May 2018.
Designed to increase protection of individuals’ rights and freedoms, GDPR has strengthened
privacy rules, thus increasing the companies’ privacy obligations. Stakes are high as administrative
fines can reach Euro 20 million or 4% of an organisation’s global turnover (whichever is greater),
but the true cost in the case of a severe data breach is obviously the loss of reputation and
potential claims.
Shipping PRECISE. PROVEN. PERFORMANCE.
6. DATA BREACH READINESS
It is crucial that organisations design an Incident Report Plan to
include detailed actions that will need to take place so that, if
required, notifications can be made timely to the Supervisory
Authority (within 72 hours from detection of the data breach)
and to the data subject. The Plan should include a clear
pre-determined set of consecutive actions and a clear allocation
of responsibility for those actions as well as notification
templates, investigation requirements, reporting, media and
communications management etc. Shipping companies should
also maintain an incidents log, containing details of privacy
incidents identified and how they were followed up,
irrespective of whether they were reportable to the Authority
and/or the data subjects or not.
7. PRIVACY IMPACT ASSESSMENT
GDPR requires that companies consider the impact to data
privacy, when making important business decisions so that the
notions of privacy ‘by design’ and ‘by default’ are embedded in
new projects at the design phase. Decisions such as the
selection of a new manning agent based outside the EU, would
require a detailed assessment of the data privacy conditions
relevant to data transfers from and to the agent, in order for
the relevant considerations and potential risks to be surfaced
and mitigated appropriately at inception of the agreement. A
well thought-through privacy impact assessment can help
determine those terms and conditions that will eventually allow
the parties to transfer data securely and reliably, having
resolved accountability issues right from the start of their
contract. A well thought-through privacy impact assessment
can also expose a potentially high risk business partner.
8. TRAINING
Once the GDPR compliance plan has been fully implemented, it
is highly advisable to roll out GDPR training to all staff and
crew, highlighting any changes that were implemented
because of GDPR and the reasons thereto. Personal data such
as original travel documents as well as other records are being
held aboard the vessels so it is important that training, to the
appropriate extent is also provided to the officers on board.
9. ONGOING MONITORING
Like all companies subject to GDPR, shipping companies need to
demonstrate that they monitor their compliance on a continuous
basis, by updating their policies and procedures when needed,
training their staff and crew as well as updating their formal
documents and agreements, when these are relevant to personal
data. In addition, shipping companies should design (and
incorporate in their ongoing compliance monitoring framework)
tests of operational effectiveness for controls mitigating significant
risks associated with GDPR and data privacy in general and follow
up on the weaknesses identified.
10. FOSTERING A GOVERNANCE-DRIVEN CULTURE
No matter how many safeguards are put in place in an
organisation’s internal control environment, effective risk
mitigation will always eventually come down to how well people
understand, appreciate and implement those safeguards.
Establishing and maintaining a governance-driven culture that will
empower people to actively protect their organization creates a
much more effective shield against privacy threats, compared to a
compliance-driven approach that can prove bureaucratic.
How can shipping companies better manage GDPR
compliance cost?
Compliance costs in shipping have increased exponentially in the
past few years. GDPR does not need to be another heavy
compliance burden: By embedding the principles of privacy to the
current structures, policies and procedures that were created to
respond to various other requirements coming from regulations,
authorities or other counterparties, shipping companies can
implement GDPR – as well as other privacy projects – in a truly
risk-focused, effective and efficient way.

EGERSUND, Norway and LONDON, Aug. 27, 2020 /PRNewswire/ — NAVTOR, the leading provider in navigational software for the maritime industry, today announced that it has received a majority growth investment from Accel-KKR, a leading global software-focused investment firm headquartered in Silicon Valley.

The investment also marks Accel-KKR’s 42nd completed investment in the EMEA region since 2013 when it established a European headquarters, making Accel-KKR one of the most active software private equity firms in Europe and specifically, Scandinavia. It also marks Accel-KKR’s 15th completed investment globally since the second half of March 2020.

NAVTOR is the world’s leader in cloud-based e-navigation solutions including Electronic Navigational Charts (ENCs), digital maritime publications, route optimization and fleet management across an integrated platform – effectively providing all critical voyage information at the fingertips of navigators and solving the complex challenges of passage planning. The global maritime e-navigational industry is on a multi-year technological expansion in large part due to new regulations, an increased focus on safety and ESG goals and advances in technology.

“The entire NAVTOR team is very excited to work with Accel-KKR in our continued momentum as a leader in the e-navigational space,” said Tor Svanes, CEO and Founder of NAVTOR. “Through a relentless focus on serving the needs of commercial seafaring fleet managers and navigators, we have built a superior technological offering with an industry-leading reputation for customer service and support. We look forward to writing NAVTOR’s next chapter together with the AKKR team.”

Børge Hetland, Chief Commercial Officer and Co-Founder of NAVTOR added, “With Accel-KKR’s backing, we see tremendous opportunities to take NAVTOR to the forefront of our industry, and to further serve our customers with a total ship operations platform – from navigation excellence to fleet optimization and crew performance.  Specifically, we are very excited to be working with Accel-KKR given their breadth of software-specific and M&A capabilities to accelerate NAVTOR ‘s top-line growth.”

“The sheer size of the global maritime industry and the continuing digitization of fleets bode well for the future of NAVTOR,” said Maurice Hernandez, Head of the European office at Accel-KKR. “Pairing NAVTOR’s mission-critical software and the deep domain expertise of its management team with AKKR’s know-how in accelerating growth in software companies will lead to exciting outcomes for the marketplace and customers. We look forward to working closely with the NAVTOR team in the coming months and years.”

Accel-KKR partnered with Crescent Capital Group LP via its European Specialty Lending strategy on financing for this investment.

ABG Sundal Collier served as M&A and debt advisor to Accel-KKR.  Brodies LLP, Kirkland & Ellis and Selmer served as legal advisors to Accel-KKR. Pareto Securities and Advokatfirmaet Schjødt AS served as M&A and legal advisors, respectively, to the sellers.

About NAVTOR:

NAVTOR has established itself is a world leader in e-navigation since launching in 2011, providing innovative e-navigation solutions, and as a total supplier of navigational products and services for the maritime sector. The company strives to make life easier for navigators, and safer, clearer and more efficient for shipowners, ship managers and operators.

In 2012 the firm released the world’s first type approved Pay As You Sail ENC service, and followed in 2014 with the launch of NavStation, the world’s first digital chart table. The company has grown quickly and established a network of subsidiaries and distributors worldwide, spanning Norway, Singapore, Japan, Sweden, Russia, the United States, and the United Kingdom. For more information, visit www.navtor.com.

About Accel-KKR:
Accel-KKR is a technology-focused investment firm with over $9 billion in capital commitments. The firm focuses on software and IT-enabled businesses, well-positioned for topline and bottom-line growth. At the core of Accel-KKR’s investment strategy is a commitment to developing strong partnerships with the management teams of its portfolio companies and a focus on building value alongside management by leveraging the significant resources available through the Accel-KKR network. Accel-KKR focuses on middle-market companies and provides a broad range of capital solutions including buyout capital, minority-growth investments, and credit alternatives. Accel-KKR also invests across a wide range of transaction types including private company recapitalizations, divisional carve-outs and going-private transactions. Accel-KKR is headquartered in Menlo Park with additional offices in Atlanta and London. Visit www.accel-kkr.com for additional information.

Source: prnewswire

The Commission has adopted a proposal for the fishing opportunities for 2021 in the Mediterranean and the Black Seas. With the proposed fishing quota for certain fish stock, the Commission is thus delivering on the political commitments made in the ‘MedFish4ever’ and the Sofia Declarations to promote sustainable management of fish stocks in the Mediterranean and the Black Seas.

The proposal implements the multiannual management plan for demersal stocks in the Western Mediterranean, by continuing the political commitment to further reduce the fishing effort in the area of up to 40% in five years (2020-2024). It also includes notably measures for eel, red coral, dolphinfish, small pelagic species and demersal stocks in the Adriatic, deep water red shrimps stocks in the Ionian Sea, Levant Sea and the Strait of Sicily, in line with the decisions of the General Fisheries Commission for the Mediterranean (GFCM).

In the Black Sea, catch limits and quotas are proposed for turbot and sprat. For turbot, the proposal will transpose the EU quota decided in the context of the revision of the GFCM turbot multiannual management plan. For sprat, the Commission proposes to maintain the same catch limit as in 2020. The member states are expected to decide on the proposal at the November Agriculture and Fisheries Council and the quota are to be applied as of 1 January 2021.

More information is available here. 

A recent article published by NATO on July 29, 2020 highlights the growing focus of attention within NATO on maritime remote systems.

Michael Brasseur is a naval warfare expert at the US Mission to NATO. This former captain of two warships who has sailed and served all over the world, now works at NATO Headquarters in Brussels, Belgium. Together with experts from other NATO Allies, he is working to help enhance the Alliance’s technological edge on critical maritime capabilities. 

“It’s my job to leverage NATO’s vast innovation ecosystem to ensure Allied sailors have the very best technology to accomplish their mission of keeping the seas free,” says Michael.

Michael and his counterparts in NATO member countries are looking for cutting-edge capabilities that can give Allied sailors a tactical advantage at sea.  They have recently focused on the rapid advancements underway in maritime unmanned systems. “We are only just beginning to realise the game-changing capabilities these systems offer and I am focused on accelerating their development and integration into Allied navies,” explains Michael.

In October 2018, Michael helped launch a Maritime Unmanned Systems (MUS) initiative. Today, 14 Allies1 are working together to develop and procure maritime technology that will increase operational effectiveness, limit risk to human life and reduce operational costs, and Michael is at the heart of this initiative. Several other Allies have recognised the value of this fast-paced initiative and have expressed intent to join.

Ensuring free access to the seas

Maritime unmanned systems are drones above, on and below the water.  Allied navies use them on many different occasions to enhance the capabilities of manned platforms. Working alongside traditional naval assets, these unmanned systems can also improve situational awareness, which is critical in ensuring free access to the seas.

“Seventy per cent of the planet is covered by water,” explains Michael. “Maritime unmanned systems are important because these systems, if harnessed correctly, can greatly improve our ability to understand the maritime environment, and thus ensure the seas remain open for commerce.”

At sea, mines, terrorist activities, smuggling and piracy are threats to NATO Allies’ ability to operate freely in maritime commons. The use of unmanned systems will enable Allies to be more effective in crucial capability areas, such as finding and tracking suspicious submarines or detecting mines.

“MUS, when teamed with manned systems, offer a means to detect, localise and neutralise a mine, without putting the operator in danger,” comments Michael. 

Cherishing work and life

Michael loves his job for many reasons. “First, the opportunity to work with friends and Allies every day is a true joy,” says Michael.  “On this project, I have developed strong professional and personal relationships that I will cherish for my entire life.  I also really enjoy discovering new technologies and I get a lot of energy when I engage with academia and industry.” 

Michael, a father of four, with two teenage sons who love physics, computers and artificial intelligence, think their dad is pretty cool working on all this high-tech. “My boys also think NATO is very cool!”

Many of Michael’s colleagues don’t know that he is also a survivor. “In 2016, following my tour as captain of USS Forth Worth, I was diagnosed with stage 2, classical Hodgkin’s lymphoma.  It has certainly given me a completely different outlook on life.  I cherish every single second, like these wonderful experiences at NATO, living in Brussels and working with friends and Allies across Europe.” 

Testing drones in real-life scenarios

Each year in Portugal, Michael participates in testing Allied innovative maritime unmanned systems in scenarios such as search and rescue operations, harbour protection, and anti-submarine and naval mine warfare during exercise Recognized Environmental Picture, Maritime Unmanned Systems (REP (MUS)).

“REP (MUS) is the largest maritime unmanned systems exercise of its kind in Europe and achieved last year many critical firsts for NATO in terms of interoperability,” explains Michael.

Over 800 personnel from the Portuguese Navy, as well as from Belgium, Italy, Poland, Turkey, the United Kingdom, the United States, and the NATO Centre for Maritime Research and Experimentation contributed to the exercise.

Michael feels that we are at a key inflection point in history.  “The pace of innovation has become exponential and our institutions need to move faster. We have made significant progress, but we have much more work to do, to improve, accelerate and scale this important initiative.”

Source: sldinfo

Information on the processing of personal data under the Operational Programme Infrastructure and Environment 2014-2020 (OP I&E 2014-2020)

Several entities serving as controllers within the meaning of the GDPR [Regulation (EU) 2016/679 of the European Parliament and of the Council of by 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) dated 27 April 2016 (OJ EU L No. 119, p. 1)] participate in the processing of personal data within the OP I&E 2014-2020. These entities make decisions related to the personal data being processed, i.e. what personal data are processed, for what purpose and in what way. Each controller is individually responsible for the protection of personal data and for informing the public about the way in which it processes such data.

Due to the fact that it is the Minister of Development Funds and Regional Policy – as the Managing Authority of the OP I&E 2014-2020 – who determines: what personal data, how and for what purpose will be processed in connection with the implementation of the Programme, the Minister acts as the controller of personal data processed in connection with the implementation of the OP I&E 2014-2020.

The Minister is the controller of both the data the Minister obtained independently as well as of the personal data obtained by other entities involved in the implementation of the Programme (i.e. by other controllers, who in this case also perform the function of processors [Processors are institutions (Intermediate Bodies and Implementing Authorities), beneficiaries and other entities involved in the implementation of the OP I&E 2014-2020, to which the Minister (or another authorised entity) entrusted the processing of personal data within the OP I&E 2014-2020]).

The Minister of Development Funds and Regional Policy is also the controller of personal data that the Minister processes as a beneficiary of projects co-financed from the funds of OP I&E 2014-2020.

The Minister of Development Funds and Regional Policy is also the controller of data collected in the Central IT System managed by the Minister, which supports the implementation of OP I&E 2014-2020.

I. Purpose of personal data processing

The Minister of Development Funds and Regional Policy processes personal data in order to implement the tasks assigned to the Managing Authority to the extent that it is necessary such an objective. Similarly, processors process personal data in order to implement the tasks assigned to them within the scope of OP I&E 2014-2020’s implementation to the extent it is necessary to achieve this objective.

The Minister and processors process such data, in particular, for the following purposes:

1. to grant support to the beneficiaries applying for co-financing and implementing projects;
2. to confirm the eligibility of expenditure;
3. to request payments from the European Commission;
4. to report irregularities;
5. to evaluate;
6. to monitor;
7. to control;
8. to audit;
9. to run reporting activities;
10. to run information-promotion activities.

II. Legal grounds for data processing

Processing of personal data in connection with the implementation of OP I&E 2014-2020 is carried out in accordance with the GDPR.

1. The legal basis for data processing is primarily the need to fulfil the obligations incumbent on the Minister of Development Funds and Regional Policy – as the Managing Authority of the Programme – pursuant to the provisions of Union law and national laws (Article 6(1)(c) of the GDPR). These obligations arise from the following legal provisions:

1. Regulation of the European Parliament and of the Council No. 1303/2013 of 17 December 2013 laying down common provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund, the European Agricultural Fund for Rural Development and the European Maritime and Fisheries Fund and laying down general provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund and the European Maritime and Fisheries fund, and repealing Council Regulation (EC) No 1083/2006;
2. Commission Delegated Regulation (EU) No 480/2014 of 3 March 2014 supplementing Regulation (EU) No 1303/2013 of the European Parliament and of the Council laying down common provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund, the European Agricultural Fund for Rural Development and the European Maritime and Fisheries Fund and laying down general provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund and the European Maritime and Fisheries Fund;
3. Commission Implementing Regulation (EU) No 1011/2014 of 22 September 2014 laying down detailed rules for implementing Regulation (EU) No 1303/2013 of the European Parliament and of the Council as regards the models for submission of certain information to the Commission and the detailed rules concerning the exchanges of information between beneficiaries and managing authorities, certifying authorities, audit authorities and intermediate bodies;
4. Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012;
5. Act of 11 July 2014 on the rules of implementing cohesion policy programmes financed under the 2014-2020 financial perspective;
6. Act of 14 June 1960 – Polish Code of Administrative Procedure;
7. Act of 27 August 2009 on Public Finance;
8. Act of 29 January 2004 – Public Procurement Law.

2. Processing is also lawful if one of the following applies:

1. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the GDPR) – this ground applies, inter alia,  to personal data of persons running a business as a sole trader, with whom the Minister concluded contracts in order to implement OP I&E 2014-2020;
2. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested   in the Minister (Article 6(1)(e) of the GDPR) – this ground applies, inter alia, to competitions and promotional campaigns organised by the Minister concerning the Programme.

III. Categories of personal data processed

The Minister of Development Funds and Regional Policy, in order to implement OP I&E 2014-2020, processes personal data, of, among others:

1. employees representing or performing tasks for entities involved in the service and implementation of the programme and projects, i.e. Intermediate Bodies and Implementing Authorities;
2. contact persons, persons authorised to make binding decisions and other persons performing tasks for applicants, beneficiaries and partners;
3. participants in trainings, competitions, conferences, monitoring committees, working groups, steering groups and information or promotional meetings organised under the Programme;
4. candidates for experts and experts involved in the process of selecting projects to be co-financed or performing tasks related to the implementation of rights and duties of competent institutions, resulting from the concluded grant agreements;
5. persons whose data will be processed in connection with the examination of eligibility of funds in the project, including in particular: project personnel, participants of tender commissions, bidders and contractors of public procurements, persons providing services under civil law contracts.

The types of personal data processed by the Minister include:

1. identification data, in particular: name, surname, series and number of identity card, date and place of birth, place of residence, place of employment / form of conducting business activity, official position, PESEL (Personal Identification Number) / NIP (Tax Identification Number) / REGON (Statistical ID), user identifier / user login;
2. data concerning the employment relationship, in particular: remuneration received and working time, occupation or education, length of service;
3. contact details, which include in particular: e-mail address, telephone number, fax number, correspondence address;
4. financial data, in particular: bank account number, amount of remuneration;
5. other data, for example: information about the real property (plot number, land and mortgage register number, gas connection number).

Data are obtained directly from data subjects or institutions and entities involved in the implementation of operational programmes, in particular applicants, beneficiaries and partners.

Where data are collected directly from data subjects, the provision of data is voluntary. However, the refusal to provide the data is tantamount to the lack of possibility to take appropriate actions, e.g. applying for funds under OP I&E 2014-2020.

IV. Data retention period

Personal data will be stored for the period specified in Article 140(1) of Regulation (EU) No 1303/2013 of the European Parliament and of the Council of 17 December 2013 and at the same time for a period not shorter than 10 years from the date of awarding the last aid under OP I&E 2014-2020 – also taking into account the provisions of the Act of 14 July 1983 on National Archival Resources and Archives.

In some cases, e.g. when the EU authorities control the Minister, this period may be extended.

V. Data recipients

The recipients of personal data may be:

• the entities to which the OP I&E 2014-2020 entrusted the performance of tasks related to the implementation of the Programme, including in particular entities acting as Intermediate Bodies and Implementing Authorities, as well as experts, entities conducting audits, controls, trainings and evaluations;
• institutions, bodies and agencies of the European Union (EU), as well as other entities to which the EU has entrusted the performance of tasks related to the implementation of OP I&E 2014-2020;
• entities providing the Minister with services related to the operation and development of IT systems and ensuring communication, in particular IT solutions providers and telecommunication operators.

VI. Rights of data subjects

Persons whose data are processed in connection with the implementation of OP I&E 2014-2020 have the following rights:

1. to access their personal data and to receive a copy of the data (Article 15 of the GDPR) and the right to rectify the data (Article 16 of the GDPR) – Upon exercising this right, the data subject may ask the Minister, among others, whether the Minister processes his or her personal data, what personal data are processed by the Minister, and where the Minister has obtained them from, what is the purpose of the processing and its legal ground, and for how long the data will be processed. If the processed data prove to be outdated, the data subject may apply to the Minister with a request to update them,
2. the right to have their data erased (Article 17 of the GDPR) – if the circumstances referred to in Article 17(3) of the GDPR did not occur,
3. the right to demand that the controller restrict the processing of the data subject’s data (Article 18 of the GDPR) – Restriction of personal data processing causes that the Minister may only store personal data. The Minister may not transfer such data to other entities, modify or delete them. Restricting the processing of personal data is temporary and lasts until the Minister performs the assessment whether the personal data are accurate, processed in accordance with the law and necessary to achieve the purpose of processing.
4. the right to lodge a complaint with the President of the Personal Data Protection Office (Article 77 of the GDPR),
5. the right to data portability, includingthe right to receive their personal data in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (Article 21 of the GDPR), where the processing both is based on a contract (is necessary to sign or to carry out a contract to which the data subject is party, according to Article 6(1)(b) of the GDPR) and is carried out by automated means (an outline is enough to save the data on the storage device),
6. the right to object to processing of personal data (Article 21 of the GDPR) – if the ground for the processing is the performance of public tasks of the controller (Article 6(1)(e) of the GDPR).

Filing an objection causes that the Minister will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The data are not subject to the process of automated individual decision-making, including profiling.