Data Protection & IT Security Policy
This Data Protection & IT Security Policy (the policy) has been prepared for Uni-Tankers A/S and any of its subsidiaries (Uni-Tankers Group) and is intended to provide instructions to the employees of the Uni-Tankers Group on the processing of personal data and general IT principles.
The processing may for instance be regarding the collection, registration, organization, structuring, storage, adaptation, alteration, transmission, retrieval, erasure or destruction of personal data.
Further, this policy is intended to ensure that the processing of the personal data comply with the data protection obligations set out in the General Data Protection Regulation 2016/679 (GDPR), which applies for companies located in the European Economic Area (EEA).
The processing of personal data at the Uni-Tankers Group must comply with the legislation in force, which apply to the processing and protection of personal data throughout the EEA, including the GDPR and any other local rules introduced by the member states.
2. PURPOSE OF THE POLICY
The policy covers the common occurrences in relation to processing of personal data in the Uni-Tankers Group. The Policy does not constitute an exhaustive list of types of processing of personal data but can be used as a guideline for other processing situations that may be similar.
The privacy of our employees, customers, business partners and suppliers are of crucial importance to the Uni-Tankers A/S. As many employees at the Uni-Tankers Group deal with personal data in their daily work, all employees must have a clear understanding of the lawfulness of processing personal data. Therefore, this policy guides you through the main rules and principles under the GDPR and sets out Uni-Tankers Group's internal guidelines for processing of personal data in order to comply with the GDPR.
You must read and adhere to the guidelines in this policy, which will be updated regularly. Further, you must ensure that all relevant documentation under your responsibility is adhering to the policy.
Personal data - is defined as any information related to an identified physical person.
Data subject – an identified or identifiable person, whose personal data is processed by a controller or processer.
Consent – Statement or action signifying agreement to process their personal data. This must be freely given with a specific purpose.
Sensitive personal data - data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation.
Non-sensitive personal data – is all personal data not defined as sensitive personal data. This can be contact details (name, address, phone number, email, etc.), employment information, personal information (gender, birthdate, etc.).
Biometric data – personal data related to characteristics of an individual which allows their unique identification, for instance a picture or fingerprint.
Processing – any operation performed with personal data, also automated.
Third party – a natural or legal person, public authority or agency that is not the data subject, controller or processer (nor a direct authority of the controller and processer) who are authorized to process personal data.
Third country – Countries outside EEA.
Safe third country – The European Commission has published a list of safe third countries that have been rated to have sufficient protection level regarding data protection.
Non-safe third country – All countries outside EEA, that are not mentioned on the European Commission’s list of safe third countries.
Data controller – the entity that determines, and therefore responsible for, the purpose and means for processing of personal data.
Data processor – the entity that processes personal data with specific instructions and on behalf of the data controller.
Personal data breach – a breach leading to accidental/unlawful access to misuse of personal data.
4. GENERAL PRINCIPLES
In the Uni-Tankers Group we process personal data regarding employees, customers, vendors and other partners for business, financial and administrative purposes. You may only process personal data for these purposes.
Personal data can be divided into two different categories, and the legal basis for processing personal data depends on its category. Below, the categories of personal data and the legal basis for processing of such personal data are described.
Non-sensitive personal data can be contact details (name, address, phone number, e-mail, etc.), job position, gender, employee number, date of birth, credit card information, employment terms, dismissals, etc. (not exhaustive).
Generally, non-sensitive personal data may often be processed without consent, for example, if the processing is necessary to perform a contract with the person, fulfil a legal obligation or pursue legitimate interests, unless the interests of the data subject are regarded to override these interests. Information that may be shared without consent shall be covered by the paragraphs on legal processing in GDPR.
Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation (please note that this listing is exhaustive).
Generally, sensitive personal data may only be processed if explicit consent is obtained from the data subject. However, this does not apply if, for instance, the personal data is processed for establishment, exercise or defense of legal claims which would be the case for handling disputes and lawsuits. Further, if the processing is necessary to carry out the obligations and exercise of specific rights of the Uni-Tankers Group or of the data subject in employment, social security or social protection law context.
The Uni-Tankers Group requires that you limit the personal data processing to a "need to have"-level instead of "nice to have".
Employees should not save documents or files containing personal data, confidential or sensitive information on their iPhones, iCloud or drop box and Company takes no responsibility for any such storage.
As an employee, you are responsible for processing of personal data in accordance with this policy.
Principles for the processing of personal data
The processing of personal data in the Uni-Tankers Group must be in accordance to the following principles:
- Only process personal data lawfully, fairly and in a transparent manner in relation to the data subject.
- We may only collect personal data for specified, explicit and legitimate purposes and further processing in a manner that is incompatible with those purposes is not permitted.
- We may only process adequate and relevant personal data which must be limited to what is necessary in relation to the purposes for which they are processed.
- We must make sure that personal data are accurate and kept up to date. Inaccurate personal data must be erased or rectified without undue delay.
- We must delete personal data that is no longer necessary for the purposes for which the personal data are processed. Data may be stored for up to 5 years and personal data and employment information may be stored up to 10 years, if the purpose of storage is still relevant.
- We must ensure that personal data is processed in a manner that ensures appropriate security of such personal data.
We must at all time be able to demonstrate that the basic principles on processing of personal data are met. You can also refer to the ‘GDPR – Ways of working in Uni-Tankers A/S’ which is a guideline for all employees in the implementation of the GDPR.
Principles for the disclosure of personal data
Companies within the Uni-Tankers Group may only disclose personal data to third parties if the general principles relating to processing of personal data are met and the processing has a specific legal basis as described above in section 3 under legal basis.
You have to exercise caution when disclosing personal information to third parties. You must…
… consider the identity of the companies and persons who request the information and, if necessary, examine whether these persons are entitled to receive the requested information.
… suggest that the third party provides you with a written request to verify the identity and the legal basis of receiving the information.
… ensure that disclosure of personal data is in accordance with this policy.
… contact firstname.lastname@example.org, if you need any further assistance or if any questions arise in connection to the requested disclosure.
Principles for the disclosure of personal data to third countries
Companies within the Uni-Tankers Group may only transfer personal data to third countries (non-EEA countries), if certain conditions are complied with. A transfer may, for instance, take place if the EU Commission has decided that the third country in question ensures an adequate level of protection, or has provided appropriate safeguards, such as entering into an agreement comprising the EU Standard Contractual Clauses with the recipient of the personal data or choosing a recipient that adheres to a specific adequacy scheme (such as EU-US Privacy Shield).
You must on a case-by-case basis assess whether personal data is transferred to third countries and if so, you are required to contact email@example.com for further description and instruction.
5. RIGHTS OF THE DATA SUBJECT
When processing personal data relating to a person, the person is entitled to a number of specific rights. We must provide information on action taken on requests to the data subject without undue delay and, in any event, within one month of receipt of the request. However, this period may be extended by two further months where necessary, considering the complexity and the number of the requests.
In outline, the rights of the data subjects are the right to receive information, the right of access, the right to rectification, the right to erasure (the "right to be forgotten"), the right to restriction of processing, the right to data portability, the right to object, and the right not to be subject to a decision based solely on automated processing.
6. SECURITY BREACHES
It is not obvious when we have a security breach since no security breaches are similar.
- an unauthorized person is in an area which is reserved for employees,
- a filing cabinet or matter containing sensitive personal data is not locked or access to such data is not restricted,
- loss of mobile phone, laptop, key card, password to the laptop, USB, etc. or
- a colleague gains access to personal data that is not necessary and relevant for the function.
If you have a suspicion about the abovementioned, please contact your superior, Uni-Tankers IT and firstname.lastname@example.org.
In case of personal data breach which may result in a risk to the rights and freedoms of a person, we must without undue delay inform the relevant authority and, where feasible, not later than 72 hours after becoming aware of it. If we fail to comply with this deadline, the authority must also be informed of the reasons for the delay.
Further, if the personal data breach is likely to result in a high risk to the rights and freedom of a person, we must communicate the personal data breach to the data subjects without undue delay.
7. IT SECURITY PRINCIPLES
Following are the principles for the use of Company owned IT equipment. All employees are required to familiarize with this policy and ensure their understanding and compliance.
Passwords are for individual/rank use only and must not be shared with anyone. User ID is likewise personal and may only be shared with Company employees.
Copying / forwarding
Copying of documents (incl. the Company Management System), programs, software, technical data etc. belonging to Uni-Tankers A/S is prohibited unless specific approval has been given by the Company.
Only removable media, like memory sticks, handed out by the Company may be used on Company computers. The removable media handed out by the Company for the use on Company computers may not be used on external equipment.
Automatically forwarding emails received on Company computers to private emails or other email addresses outside the Company should only be done when special permission has been given due to an extraordinary situation.
Only Company-owned software must be used on Company computers. Installation of programs may only take place after Company approval.
Back-up of all servers are carried out on a daily basis. Saving of data locally should be avoided.
Company owned hardware may never be opened internally, unless special permission is granted followed by clear instructions from the Uni-Tankers’ IT department.
Overwriting authority on vessels
The Master or the Company has the right to interfere with access to the internet on the vessels if it is deemed necessary for improving vessels work related communication.
All company e-mail accounts and all Company owned devices can be monitored by the Company.
It is prohibited to use Company computers for content which may be deemed ethically, morally or politically offensive. This includes web sites of pornographic, racist or similar nature.
It is not allowed to publish video recordings, photographic material or negative statements concerning Uni-Tankers A/S at any social media or public sites. Further, it forbidden to use the email system for advertising or for transmitting ‘spam emails’ which have not been requested by the individual.
It is under no circumstances allowed to connect personal equipment to the Company network without approval by the IT department.
Onboard the vessels private equipment can be connected to the crew network.
Emails poses one of the largest security risks to the Company’s IT system. Attached files are particularly fraught with risk and therefore all emails are scanned for viruses prior to receipt and special format files are blocked. If an employee receives something suspicious by email, the item must be forwarded to the Company’s IT Department before opening. Contact IT department on email@example.com.
Employees must be aware that email system generally have low security priority. Attached files containing highly confidential information should therefore be protected against unintentional opening by means of a password, which can be communicated to the receiver in another way, i.e. during a telephone conversation.
It is not possible to send or receive emails larger than 4 MB to the Company vessels.
If you have any questions to this policy or you need an answer on a specific question or topic related to this, please do not hesitate to contact firstname.lastname@example.org for questions regarding personal data and email@example.com for questions regarding IT.