On the 4th of May 2020, the European Data Protection Board (EDPB) issued fresh guidelines on ‘consent’ titled Guidelines 05/2020 on consent under Regulation 2016/679 (Guidelines). These new Guidelines have replaced the original guidelines which were previously adopted by what was formerly known as the Article 29 Working Party and which were last revised on the 10th of April 2018.

Under the General Data Protection Regulation 2016/679 (GDPR) there are 6 legal bases for processing personal data, these being: consent, contract, legal obligation, vital interests of the data subject or of another natural person, public interest and legitimate interest.

Consent, which according to Article 4(11) of the GDPR must be freely given, specific, informed and unambiguous for it to be legally valid, has been at the forefront of several controversies. The Guidelines address two issues relating to consent. Firstly, the EDPB clarifies the concept of ‘freely given consent’ by assessing the notion of conditionality in relation to third parties and the validity of consent provided by a data subject when interacting with so-called ‘cookie walls’.

Secondly, the EDPB clarifies the issue of ‘unambiguous consent’, as provided for in Recital 32 of the GDPR, especially when it comes to ‘scrolling and swiping’.

Freely Given Consent

  • In relation to Third Parties

These Guidelines expand on the notion of ‘conditionality’, which is one feature that may affect the validity of a data subject’s consent from being freely granted. The GDPR states that “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.

Therefore, as a basic rule, a data subject should not be placed in a situation whereby the rendering of a contract or service is made conditional on the ‘consent’ of that data subject. In this regard, the EDPB clarifies that ‘consent’ cannot be considered freely given if a service provider ties the rendering of a service to the condition that the data subject consents to the processing of their personal data, one might say by force. In such an instance the judgment of the data subject is conditioned, and therefore the so-called ‘freedom of choice’ and independence required by the spirit of the GDPR do not exist.

  • Cookie Walls

Another interesting clarification made by the EDPB was in relation to what are referred to as ‘cookie walls’. By virtue of these newly revised Guidelines, the EDPB confirmed that the use of cookie walls is unlawful in terms of the GDPR and is therefore strictly prohibited.

What are cookies?

A cookie is a text file that is automatically stored on a user’s device and may or may not be deleted when the session is closed. Cookies serve different purposes: a cookie may be necessary to run a website, or it may be used to identify what a user is doing; cookies are also used, for instance, to remember a password. Cookies may be either first-party or third-party cookies: the former are stored on one’s device directly by the website being visited, while the latter are stored by a third party such as an advertiser or an analytics system.

What is a cookie wall?

A cookie wall is a way for service providers (whatever their nature of business) to deny users access to their websites if they don’t consent to cookies present on that same service provider’s website being used. Therefore, a cookie wall usually works as a self-made border against users who do not consent to cookies, barring them from the service.

Is it legal? If not, why so?

The status of legality of cookie walls was never certain, however the Guidelines have clarified that cookie walls are in no way or form permissible since they do not afford the data subject the ability to make a free and independent choice when giving consent for the processing of their own personal data.

What is a good alternative to a cookie wall?

Technically speaking there is no good alternative to a cookie wall, because the data subject’s consent is effectively being conditioned. However, a suitable alternative would be for a service provider to:

  • still set up a cookie banner or request without prohibiting access to the main content of the website and
  • provide information in relation to which cookies are being recorded and for what purpose the data will be processed. This is in fact a legal requirement whenever cookies involving personal data are involved.

Unambiguous Consent

The second issue that the Guidelines sought to clarify was in relation to the importance of clarity when giving consent for the processing of personal data, more specifically in relation to the act of ‘scrolling’ and ‘swiping’ as a means of valid consent. Under the GDPR, Recital 32 sets out that consent must be a ‘clear affirmative act’ which ensures an unambiguous, clear and affirmative indication of the data subject’s agreement to the processing of personal data.

The newly revised Guidelines have clarified that the specific actions of ‘scrolling’ or ‘swiping’ through a webpage, or any similar activity for that matter, will not under any circumstances satisfy the requirement of a clear and affirmative action as set out under the GDPR.

The EDPB also reaffirmed its position that the withdrawal of one’s consent shall be as easy as giving consent.
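The three rules the Guidelines set out for a lawful cookie mechanism (no cookie wall, no consent by scrolling or swiping, withdrawal as easy as giving consent) can be expressed as a small consent record in a web client. The following is an added example, not code from the EDPB, the Guidelines or the original article; the cookie purpose names, their descriptions and the interaction kinds are constructed for the illustration.

```javascript
// Added example, not code from the EDPB Guidelines or the original article.
// A minimal cookie-consent record for a web client that applies the rules the
// text describes: content is never blocked (no cookie wall), non-essential
// cookies are only enabled after a clear affirmative act (scrolling or swiping
// never counts), withdrawal is a single call that mirrors granting, and the
// notice lists each cookie purpose. Purpose names, descriptions and interaction
// kinds are constructed for this example.

// Cookie purposes: essential cookies need no consent; the others do.
const PURPOSES = {
  essential: { required: true, description: "Session and security cookies needed to run the site" },
  analytics: { required: false, description: "First-party usage statistics" },
  advertising: { required: false, description: "Third-party ad personalisation cookies" },
};

// Only these interaction kinds count as a clear affirmative act (Recital 32).
// Scroll, swipe, "continue browsing" and time-outs are deliberately absent.
const AFFIRMATIVE_ACTS = new Set(["click_accept", "toggle_on", "keyboard_confirm"]);

// Start with no consent recorded; page content stays reachable regardless.
function createConsentState() {
  return { granted: new Set(), contentBlocked: false };
}

// Record an interaction with the banner. Returns whether consent was accepted
// and why, so the caller can log the decision for accountability.
function recordInteraction(state, interaction) {
  const { act, purposes } = interaction;
  if (!AFFIRMATIVE_ACTS.has(act)) {
    return { accepted: false, reason: `'${act}' is not a clear affirmative act` };
  }
  // Validate every purpose before granting any, so a bad request grants nothing.
  for (const p of purposes) {
    if (!(p in PURPOSES)) {
      return { accepted: false, reason: `unknown purpose '${p}'` };
    }
  }
  for (const p of purposes) {
    if (!PURPOSES[p].required) state.granted.add(p);
  }
  return { accepted: true, reason: "consent recorded for " + purposes.join(", ") };
}

// Withdrawal is as easy as giving consent: one call, no re-prompt, no blocking.
// Essential cookies are unaffected because they were never consent-based.
function withdrawConsent(state, purposes = Object.keys(PURPOSES)) {
  for (const p of purposes) state.granted.delete(p);
  return [...state.granted].sort();
}

// Gate every decision to set a cookie on the recorded state.
function mayStoreCookie(state, purpose) {
  const def = PURPOSES[purpose];
  if (!def) return false;
  return def.required || state.granted.has(purpose);
}

// The information the banner must show: which cookies are set and for what purpose.
function bannerNotice() {
  return Object.entries(PURPOSES).map(([purpose, d]) => ({
    purpose,
    required: d.required,
    description: d.description,
  }));
}
```

The banner itself would call `recordInteraction` from its accept button or per-purpose toggles and `withdrawConsent` from an equally visible control; a scroll or swipe listener that reached `recordInteraction` would be rejected, and `mayStoreCookie` is the single check to run before any non-essential cookie is written.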

News item written by Senior Associate Dr. Terence Cassar and Associates Dr. Bernice Saliba and Dr. Sean Xerri de Caro.

Source:
https://www.gtgadvocates.com/the-european-data-protection-board-adopts-new-guidelines-on-consent/


The foreign ministers of Greece, Cyprus, Egypt, France and the United Arab Emirates denounced the “ongoing Turkish illegal activities” in Cyprus’ exclusive economic zone (EEZ) and its territorial waters, during a teleconference on Monday to discuss the latest developments in the Eastern Mediterranean, as well as a number of regional crises that threaten peace and stability in this region.

In their joint declaration issued after the teleconference, the ministers said these activities represent “a clear violation of international law” as reflected in the United Nations Convention on the Law of the Sea.

Turkey is currently in its sixth attempt in less than a year to conduct drilling operations in Cyprus’ maritime zones.

The five ministers also condemned the escalation of Turkey’s violations of the Greek national airspace, including over flights of inhabited areas and territorial waters.

The ministers also discussed and condemned “the instrumentalization” of migrants by Turkey in an attempt to illegally cross Greek land borders as well as “its continued support for illegal crossings” of Greek sea boundaries.

Concerning Libya, they reiterated that the two memorandums of understanding signed in November 2019 between Ankara and the UN-recognized Government of National Accord of Fayez Al Sarraj are respectively in contravention of international law and of the UN arms embargo on Libya.

Source:
https://www.ekathimerini.com/252566/article/ekathimerini/news/greece-cyprus-egypt-france-uae-denounce-turkish-activities-in-eastmed


In Decree No. 179/2020 issued on 4 May, the Hungarian government has restricted the protection and rights of data subjects concerning anti-pandemic measures as stipulated by the EU’s General Data Protection Regulation (GDPR) and the Hungarian Act on Freedom of information and data protection (Info Act).

Furthermore, the decree restricts the right for claiming public information granted by the Hungarian Info Act related to COVID-19 measures.

The Hungarian government issued a state of emergency on 11 March for a 15-day period, which was extended for an indefinite period on 31 March. During the current state of emergency, the government has the authority to govern through the issuance of government decrees.

No law enforcement and data protection rights during the state of emergency

The government decree stipulates that data controllers’ measures under articles 15 to 22 of the GDPR as pertaining to personal data processed for the purpose of preventing, recognising and investigating the COVID-19 disease and stopping its spread are suspended until the termination of the state of emergency.

The 30-day GDPR deadline for answering COVID-19-related data subject requests will start only on the first day after the termination of the state of emergency. This means that if a data subject submits a request for access to, erasure, rectification or restriction of the processing of his personal data related to COVID-19, or lodges an objection against the processing of his personal data related to COVID-19, the data controller (i.e. hospitals, government bodies, emergency management offices) is not required to take any steps to erase or rectify the data or restrict the processing until the end of the COVID-19 state of emergency, which is now in place for an indefinite period of time.

Furthermore, the new legislation does not define the exact categories of personal data and the types of data controllers that fall under the new law. As a result, any data controller taking part in the fight against COVID-19 or processing COVID-19-related personal data can interpret the new legal provisions widely and broaden its restrictions as they apply to personal data as much as possible.

In addition, the decree contains other clauses restricting the rights of data subjects: data controllers falling under the new law now do not need to provide data subjects with personalised information as listed in Articles 13 and 14 of the GDPR, such as the type of data processed, the purpose and legal basis of the data processing, the name of the data controller, notification of data transfers to third parties and to third countries, the guarantees of these data transfers, their retention periods, and all information about data protection rights and remedies for data subjects.

Instead, the data controller is required only to issue a privacy notice that contains the purpose and legal basis of the data processing and to publish this notice electronically so that it is available to the data subject. Consequently, a data subject’s access rights are restricted since he cannot request personalised information on the processing of his personal data related to the COVID-19 situation during the state of emergency.

Furthermore, the decree restricts the rights of data subjects to lodge complaints with the data protection authority (DPA) and the right to an effective judicial remedy against the DPA and the data controller or processor by stipulating that the court and DPA are only entitled to start proceedings on the first day after the termination of the COVID-19 state of emergency even for complaints submitted now. It must be emphasised that it is currently not known how long the government will maintain the state of emergency.

Restrictions and delays regarding public-information requests

Until the termination of the COVID-19 state of emergency, requests for public information based on the Info Act must take into account the following differences:

  • Requests for public information cannot be submitted personally or orally to any organisation with public-service functions.
  • The organisation with a public-service function must comply with an eligible request for public information within 45 days instead of 15 days, a deadline that can be prolonged one time only, by a further 45 days.

All provisions of the new government decree apply not only for future requests and procedures, but for requests and procedures that are currently on-going.

For more information on this decree and the provisions of the Hungarian state of emergency, contact your regular CMS advisor or local CMS experts.

Source:
https://www.cms-lawnow.com/ealerts/2020/05/hungarian-government-overwrites-the-gdpr-in-its-covid-19-state-of-emergency-decree


Only a few months ago, we were reflecting on the many ways in which the blue economy could contribute to the European Green Deal.

For example, we were envisaging that, for decarbonisation and clean energy, we would produce a long-term strategy on the sustainable management of maritime resources and space.

For sustainable food systems, we were planning new strategic guidelines for sustainable aquaculture, a strategy on algae and new marketing standards for fish. We were articulating precise ideas on what to do on circularity, pollution and research.

We were, of course, ready to reshape the next financial exercise accordingly and let our blue economy take a sprint towards a more sustainable future. All of this still holds true, but now of course we have to deal with a fresh layer of complexity.

In the early stages of the COVID-19 crisis, we managed to put forward immediate measures for the fisheries and aquaculture sectors – something I’m rather proud of; that is now in the hands of national governments.

However, most of the other blue economy sectors – transport, ports, tourism to name but a few – are being hit hard by the mandatory lockdown.

To reopen, they will instantly have to adapt to new regulations imposing physical distancing, protection devices and more. All of that while trying to recover from huge financial losses.

I feel they too will need our help. As I write, my services are collecting intelligence on the true impact of the crisis, sector by sector, so that we can devise appropriate measures.

But could the ‘new normal’ not be more than just face masks and distance? Rather than resurrecting an old, malfunctioning economic model, could we not give birth to a new, more sustainable way?

We need to transition to a low-carbon maritime economy by 2050 in any case. We are talking biofuel and liquefied natural gas for shipping, electrification and new manufacturing capacities for port infrastructure, extremely high-tech offshore renewable energies, mixes of ecosystem-based, hybrid, and traditional engineering solutions for coastal protection… I could go on.

As you might recall, in the past the Commission has had the foresight of advocating an integrated maritime policy – in 2007 and 2012 – and promoting a sustainable Blue Economy – in 2012 and 2017.

At this crucial juncture, it may be time for another leap: to that of a sustainable blue recovery. A sustainable blue recovery would be based on the responsible use of natural resources, on circular economy concepts and on social inclusion.

It would reconcile economic recovery with social and environmental recovery. Above all, it would secure jobs.

If it’s true that the blue economy’s context today is permeated by dynamic, innovative industries which, in both traditional and emerging sectors, offer high revenues and high-quality jobs to a variety of professionals, then we can safely say that a sustainable blue economy would be even more of a driver for jobs and social inclusion in coastal areas.

From sustainable fisheries down to wind energy, we have some excellent examples of areas where investing in sustainability has paid dividends. We need to extend the concept and ensure that we only finance sustainable undertakings.

Such a major shift will need to be coordinated at EU level; economic activities happen across borders and sustainability challenges are common to all. Offshore renewable energy, for example, could be a key source of power for the continent, but its upscaling requires considerable strategic planning and renewed management of the marine space.

Or think of innovation – many SMEs and start-ups develop innovative technologies and services, but need our financial assistance to achieve market entry. And most importantly, for tourism to follow a real path to sustainability we will need European interventions of unprecedented size and scale.

The more I think about it, the more convinced I am that a blue economy, based on a truly sustainable recovery, would bring profits and jobs.

It may even attract new sectors with high economic potential (making the blue economy resilient to climate change may, for example, well become a sector in its own right, and generate new economic opportunities and jobs).

Such an economy would also confirm the EU’s role as a setter of standards and a leader in sustainable oceans policy. Plus, it would contribute significantly to the European Green Deal’s objectives.

The mandate assigned to Environment, Oceans and Fisheries Commissioner Virginijus Sinkevicius explicitly requests a new blue economy approach, so I have asked my services to work on a Commission initiative that sets the basis for it with these key elements, and along the lines expressed in the recent SEARICA declaration.

It is a personal view, but I cannot help but wonder: this crisis has forced us to reboot. Shouldn’t we think long and hard how we want to restart?

About the author

Bernhard Friess is acting head of the European Commission’s DG for Maritime Affairs and Fisheries (MARE)


Shipping companies under GDPR – The UK Chamber of Shipping, in conjunction with shipping lawyers Hill Dickinson LLP, has released guidance to shipping companies on implementing the General Data Protection Regulation (GDPR).

The arrival of GDPR is part of a raft of cyber related initiatives heading shipping’s way.

The publication summarises the key requirements of the GDPR, which entered into force in May 2018, and the actions companies should take to implement data protection policies.

It focuses specifically on the maritime sector and covers key areas such as crewing issues and seafarer payments, defines GDPR terminology and lists the types and sources of personal data and how these should be processed.

It also describes the role and responsibilities of the data controller and the company data protection officer.

Guidance is also provided on the strict provisions relating to transferring personal data outside of the EU. This is particularly relevant to the offshore industry, where crew are transferred from one site to another and to and from a multitude of jurisdictions where their personal data will follow.

UK Chamber of Shipping chief executive Bob Sanguinetti commented “It is our mission to deliver for our members trusted specialist expertise at all times and The GDPR Guidance to Shipping Companies offers just that. The publication not only details the best practices but also sets out an ‘Action Plan for Companies’, describing suggested stages for a company to implement GDPR and verify compliance.”

SHIP IP LTD specialises in GDPR (General Data Protection Regulation) implementation for maritime companies only.

We have made the whole process very simple. There is no need for anything complicated, as a maritime company’s core business is not handling personal data but transportation.

Our process is straightforward: in contact with your key personnel (i.e. the Human Resources, Crew and Accounting departments) we record the forms you hold that relate to personal data, we audit your IT department or ask them some simple questions so that we can prepare the required procedures, and we deliver the GDPR Manual, the Gap Analysis and a DPIA if required.

GDPR TMSA Cyber Security


Tanker owners should be prepared for new EU and IMO cyber security regulations as they must already comply with maritime security requirements under OCIMF’s TMSA 3, writes Martyn Wingrove

There is an increasing number of cyber security-related regulations that shipping companies will have to comply with, but tanker owners are already ahead of the game. Ship operators will need to include cyber in ship safety and security management under the ISM Code from 1 January 2021.

Before that, they need to be aware of cyber and data security regulations, including the EU general data protection regulation (GDPR) and the EU directive on the security of networks and information systems (NIS).

Many of the requirements under these forthcoming or new regulations are already within the Oil Companies International Marine Forum (OCIMF)’s third edition of the Tanker Management and Self Assessment (TMSA) best practice guidelines. This came into force on 1 January this year, with a new element on maritime security and additional requirements for key performance indicators and risk assessments.

Regulation changes were outlined at Riviera Maritime Media’s European Maritime Cyber Risk Management Summit, which was held in London on 15 June. The event was held in association with Norton Rose Fulbright, whose head of operations and cyber security Steven Hadwin explained that “data protection and cyber security needs to be taken seriously from a legal point of view.”

Data, such as information on cargo and charterers, could “become a considerable liability”. If data is lost “then GDPR could be in play” said Mr Hadwin. Regulators “could impose a fine of up to 4% of that organisation’s global annual turnover.”

PwC UK cyber security director Niko Kalfigkopoulos explained the legislation and reasoning behind the NIS Directive, which went into full effect in May this year. “These regulations have teeth,” he said, because of the potential size of fines and the damage to a company’s reputation from being the victim of a cyber attack. This is one of the reasons why boardroom executives should be aware of and understand what is required for compliance.

Class support

During the summit, class societies provided cyber security guidance as they collectively attempted to define cyber secure ship notations. Lloyd’s Register cyber security product manager Elisa Cassi said shipping companies should have a third party monitor their IT network and the operational technology (OT) and employ staff to “stop people sharing data or compromising procedures”.

Tanker owners “need to identify any compromise before an attacker tries to penetrate”, Ms Cassi explained, noting that shipping companies need to “investigate the vulnerabilities through analytics and machine learning”, understand the behaviour of potential threats and use predictive analysis.

ABS advanced solutions business development manager Pantelis Skinitis said shipowners need to change passwords on operational technology, such as ECDIS and radar, as some remain unchanged since they were originally commissioned on the ship. He also advised owners to verify vendors and service engineers and that their USB sticks are clean of malware.

ABS has created cyber safety guidance for ship OT, particularly for ships coming into US ports and terminals. In its development, ABS identified the risks, vulnerabilities and threats to OT. “Managing connection points and human resource deals with the biggest threat to OT systems on board,” said Mr Skinitis.

DNV GL has developed new class notations covering cyber security of newbuildings. It has also produced an online video for instructing shipping companies to become more aware of cyber threats. During the summit, DNV GL maritime cyber security service manager Patrick Rossi said ship operators should set up multiple barriers to prevent hackers.

These should include firewalls, updated antivirus, patch management, threat intelligence, intrusion detection, emergency recovery and awareness testing. OT should be segregated from open networks, only official ENC-provider USBs and update disks should be used and cleaned of malware before being inserted into ECDIS and these systems should be segregated from the internet.

Cyber regulations and guidance for shipping

EU General Data Protection regulation (GDPR) came into effect from 25 May 2018

IMO – Resolution MSC.428(98) – from January 2021 cyber security will be included in the ISM Code

TMSA 3 – cyber security was added to tanker management and assessment in January 2018; EU directive on the security of networks and information systems (NIS Directive) from May 2018

EU privacy rules (PECR) on individuals’ traffic and location data

Rightship added cyber security to inspection checklist

BIMCO – guidelines based on International Association of Classification Societies



GDPR IN THE SHIPPING SECTOR – The European Community Shipowners Association has published a document intended to provide guidance to the shipping sector on the application of the EU General Data Protection Regulation (“GDPR”).

This document was prepared in consultation with our members.

It is intended for general information purposes only and does not constitute legal advice. To receive legal advice, the reader should consult legal counsel. For definitions of the terms used in these guidelines, please see Appendix 2 to the guidelines.

  I. Application of the GDPR

  1. Does the GDPR apply when a ship has a non-EEA flag and non-EEA crew members?

The GDPR has a broad reach. It applies to organisations established in the EEA, when they process personal data in the context of the activities of these EEA establishments, regardless of whether the processing takes place in the EEA or not. The GDPR further applies to organisations outside the EEA who process personal data, if they offer goods and services to individuals in the EEA or monitor their behaviour. This particularly affects organisations with internet-based business models, offering goods or services to consumers in the EEA.

Examples

– The GDPR applies to a ship owner, ship operator or crewing agent who processes personal data and who is established in the EEA, regardless of the flag of the ship and the nationality of the crew.

– The GDPR applies to a cruise operator established outside the EEA, when it offers cruises to passengers residing in the EEA.

– The GDPR applies to an EEA establishment of a ship owner who processes personal data of non-EEA crew members that it receives from a non-EEA crewing agency.

– The GDPR applies to a non-EEA crewing agency that provides services to individuals in the EEA.

  2. What type of data processing activities are covered by the GDPR?

The GDPR applies to:

(i) any type of operation that is performed on personal data by automated (i.e., computerised) means, and

(ii) non-automated processing of data that (are intended to) form part of a filing system (i.e., keeping hard copy documents in a structured manner so that they are searchable according to specific criteria such as name, ID number, phone number, etc.).

The following are examples of operations that may be performed on personal data and that are covered by the GDPR: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The GDPR applies to any information relating to an identified or identifiable individual, whether or not the information was obtained in a private or professional context.

Examples

– A filing cabinet containing HR records arranged in alphabetical order of employee names would be covered by the GDPR. An unstructured box of hard copy files would not be a relevant filing system and would fall outside the scope of the GDPR.

– Activities that are covered by the GDPR include, for example, storing employment details of crew members, recording crew members on a ship using audio and video equipment to ensure workplace security, managing contact details of a charterer’s port agents, and transferring (sensitive) personal data outside the EEA.

– Any information relating to individuals in any capacity associated with a shipping company falls within the scope of the GDPR.

  3. Does the GDPR apply only to sensitive types of information?

No. The GDPR applies to any information that relates to an identified or identifiable individual (e.g., crew members, passengers, staff at customers/partners). This includes, for example, names, email addresses, phone numbers, online identifiers, location data, and information relating to an individual’s physical, physiological, genetic, mental, economic, cultural or social identity. In addition, the GDPR imposes specific requirements when sensitive data are processed (i.e., any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation). Such sensitive data are referred to as “special categories of personal data” in the GDPR.

Examples

– Categories of data that are covered by the GDPR include, e.g., contact details, bank information (including cash flows), medical certificates, passport information, and video and audio recordings.

– Information regarding a crew member’s health (like the aforementioned medical certificates) or trade union membership is considered sensitive data.

  4. Who is the data controller? Who is the data processor?

An entity that decides on the ‘why’ and the ‘how’ of data processing is considered a “controller”. If a controller engages a third party (e.g., a service provider) to process personal data on the controller’s behalf, that third party will qualify as a processor. There can be several controllers and processors involved in the same data processing activity.

Examples

– When a ship owner installs video cameras on a ship to ensure workplace safety, the ship owner will be considered a controller for the collection of video recordings.

– The ship owner and charterers are controllers for the disclosure of crew members’ personal data to port authorities, in order to fulfil their respective legal obligations vis-à-vis port authorities. In principle, a ship manager is a controller when it manages such data transmission to the authorities, unless its role is limited to acting solely on behalf and under the instructions of the ship owner or charterer (in which case the ship manager is a processor).

– When an external payroll agency processes salaries of crew members, the agency acts as a processor.

– When a ship owner uses a cloud-based customer relationship management program, the cloud service provider acts as a processor.

  5. GDPR has many obligations. Does the shipping industry need to comply with all of them?

In principle: yes. The GDPR requirements apply to all organisations that process personal data, across all industries and sectors. However, some of the GDPR requirements apply only to high-risk data processing activities, which may not be relevant for all organisations in the shipping sector. Each organisation needs to assess which of the GDPR requirements apply to its specific activities.

Example

The GDPR requires that a data controller carries out a ‘data protection impact assessment’ (‘DPIA’) when it engages in data processing activities that will likely result in a high risk to the rights and freedoms of individuals. This requirement may apply, e.g., to an organisation that monitors on-board drug and alcohol use. However, it will not apply to an organisation that only carries out standard HR data processing activities, unless these activities involve large-scale processing of sensitive data or criminal data (e.g., in the context of seafarers’ screening).

  1. Does a non-EEA manning agent need to appoint a representative in the EEA? Does it need to be registered with a supervisory authority?

If a non-EEA manning agent provides services to crew members residing in the EEA, or monitors the behaviour of crew members in the EEA, it is subject to the GDPR and needs to appoint a representative in the EEA. The appointment must be in writing, but it does not need to be registered with a supervisory authority. This requirement also applies to manning agents that are established in “adequate” third countries (see section III on international data transfers below).


Example

A manning agent established in New Zealand must appoint a representative in one of the EEA countries where the crew members whose personal data are processed, or whose behaviour is monitored, reside.


GDPR and Crew Management

Review your Crew Management Arrangements

In this article, the Club recommends that as part of your preparations for GDPR you complete a review of your crew management arrangements to ensure they will be GDPR compliant. We are grateful to Ian MacLean of Hill Dickinson LLP for his input into this article.

Key Actions to Consider

In relation to crew management, you should consider the following key actions as part of your wider GDPR compliance programme:

  • Data controller or data processor? Review your crew management arrangements and crew information to determine whether you are the ‘data controller’ or the ‘data processor’ of crew personal data. You will be a data controller if you decide the purposes and means by which the personal data is processed; you will be a data processor if you process personal data on behalf of a data controller. If you are a data processor, the GDPR places specific legal obligations on you to maintain records of personal data and of the processing activities concerned with it. If you are a data controller, the GDPR places additional obligations on you to ensure that the data remains properly controlled and secured if you pass it on to third parties.
  • Determine the lawful basis for the processing of personal data relating to crew – whether you are a data controller or a data processor, you must determine a valid lawful basis for the processing of crew personal data. GDPR provides for the following lawful bases for the processing of personal data:
    • Consent
    • Contractual
    • Legal obligation
    • Vital interests
    • Public task
    • Legitimate interest

Some practical examples of these lawful bases are considered further in this briefing.

  • Consider whether you hold and process any special category data (data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation) as you will need to identify:
    • a lawful basis for the processing of this information; and
    • a separate condition or reason for the processing of special category information. These reasons are detailed in Article 9 of the GDPR and include where an individual has given their explicit consent to the processing of this personal data.
  • Complete your ‘record of processing’ – data controllers and data processors are responsible for maintaining a ‘record of processing’ which records their data processing activities. Members should ensure their data processing records detail the data processing activities being undertaken in relation to their crew.
  • Privacy Notices – These explain how you as an organisation collect and process personal data. GDPR sets out the information that you should supply to individuals when collecting and processing personal data. Review your current privacy notices to ensure they meet the GDPR requirements.
  • Contracts – review any third party contracts relating to the processing of personal data and ensure they meet the requirements of GDPR. Members may need to seek specific legal advice in this area in order to ensure data processing arrangements are GDPR compliant.
  • Consider local requirements – if you are located outside of Europe you will need to comply with any applicable local requirements concerning data protection and privacy issues. GDPR will also apply to you if you are offering services to, or are processing personal data relating to, individuals located in the European Union.
  • Unless additional safeguards are in place, the GDPR prohibits the transfer of personal data outside of the European Economic Area to a country that does not, in the view of the European Commission, have adequate data protection (1).

Source : The North of England P&I Association Limited


Maritime General Data Protection Regulation (GDPR) – Privacy Policy Generator!

The main focus of the General Data Protection Regulation (GDPR) is the protection of personal data and digital privacy.

Because of this, your Privacy Policy is going to be an important part of your GDPR compliance plan.

A Privacy Policy is where you let your users know:

  • What personal information you collect
  • How and why you collect it
  • How you use it
  • How you secure it
  • Any third parties with access to it
  • If you use cookies
  • How users can control any aspects of this

Privacy Policies tend to be long, dense legal agreements with a lot of detailed information. Your users might feel intimidated by page after page of technical information, which is what the GDPR is working to avoid.

Update your Privacy Policy to be GDPR-compliant by cutting out legalese and using clear language that your average user will understand.

Along with the seven standard points above, you must also include the following information in your Privacy Policy to be GDPR-compliant.

Note that each point doesn’t have to be a separate clause. As long as the information is somewhere in your Policy, it will work.

1. Who your Data Controller is
2. Contact information for the Data Controller
3. Whether you use data to make automated decisions
4. The 8 rights users have under the GDPR
5. Whether providing data is mandatory
6. Whether you transfer data internationally
7. Your legal basis for processing data

Source : TermsFeed – Online Privacy Generator

Company Details

SHIP IP LTD
VAT: BG 202572176
Rakovski STR. 145
Sofia,
Bulgaria
Phone: (+359) 24929284
E-mail: sales(at)shipip.com

ISO 9001:2015 CERTIFIED