Privacy Policy
PERSONAL DATA PROTECTION POLICY
GENERAL INFORMATION
Title | Personal Data Protection Policy
Summary | This Policy sets out the framework for the Company’s compliance with the applicable data protection law.
Classification | Confidential
Distribution | To all the staff of the Company
DOCUMENT HISTORY
ISSUE | DATE | AMENDMENTS DESCRIPTION
1.0 | 01.07.2019 | First Issue
TABLE OF CONTENTS
- SUBJECT
- PURPOSE
- SCOPE
- FORCE
- SUPERVISION
- PRINCIPLES
- LAWFULNESS OF THE PROCESSING
- CONSENT OF THE DATA SUBJECT
- TRANSPARENCY OF PROCESSING
- RIGHTS OF DATA SUBJECT
- AUTOMATED DECISION MAKING
- PROTECTION BY DESIGN AND BY DEFAULT
- MANAGEMENT OF THE PROCESSORS
- DATA SECURITY
- MANAGEMENT OF DATA BREACHES
- DATA PROTECTION IMPACT ASSESSMENTS
- DATA TRANSFERS TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
- TRAINING AND AWARENESS
1. SUBJECT
The Company «Neptune Lines Shipping and Managing Enterprises SA» (the Company) is a vehicle logistics provider, offering transportation and shipping solutions to manufacturers and shippers of cars and high & heavy cargoes.
The collection and the processing of personal data forms an ancillary part of the Company’s business activity.
In the course of its business, the Company collects and processes, in its capacity as data controller, personal data for the following categories of data subjects:
- Personnel, including seafarers, crew, administrative personnel, candidates and former employees;
- Business partners and potential business partners;
- Clients and potential clients;
- Suppliers and potential suppliers;
- Website users.
2. PURPOSE
The Company undertakes to carry out its business activity with due respect for the fundamental rights and freedoms of data subjects as well as in compliance with applicable legislation on the protection of personal data.
This Policy for Personal Data Protection (“Policy”) sets out the Company’s general guidelines and strategy for the protection of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC” (“GDPR”) as well as data protection laws.
The purpose of the Policy is to specify the rules according to which the Company, through its personnel, collects and processes personal data, takes organizational and technical measures to achieve data security and confidentiality, meets its accountability obligations and determines its relations with third parties.
Compliance with this Policy is considered an appropriate organizational measure, pursuant to Article 32 of the GDPR, which aims to protect the security and confidentiality of the personal data the Company collects and processes.
3. SCOPE
The rules of this Policy apply to the processing, wholly or partly, by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system, regardless of whether this system is computerized or not.
The Policy does not apply in relation to:
- data processing which falls outside the scope of the GDPR (legal persons’ data);
- personal data processing by a natural person in the course of a purely personal or household activity, not associated with labour or the Company’s activities;
- processing of anonymized data, i.e. information which is not related to an identified or identifiable natural person, as well as processing of personal data which have been anonymized in such a way that the identity of the data subject can no longer be revealed;
- processing of deceased persons’ data.
4. FORCE
This Policy, together with the various corporate procedures which form part of it, is applicable on a mandatory basis in relation to any personal data processing activity performed by the Company’s personnel. The understanding and implementation of the Policy is a contractual obligation of the Company’s employees, forming an integral part of the employment relationship.
The Policy governs the access and use of any kind of databases, information systems, technical processes and procedures, insofar as they concern the collection, processing, storage, transmission and deletion of personal data managed by the Company in the course of its business activity.
The implementation of the Policy may be extended by agreement to third parties (business partners, suppliers, etc.) who process personal data on behalf of the Company, either as controllers or as processors.
This Policy, as well as any amendments thereto, is drafted by the Data Protection Committee and is effective from the moment it comes to the attention of the persons subject to it.
The Data Protection Committee may amend this Policy at its discretion, whenever it deems it necessary, within the limits of the law.
In case any of the terms of the Policy is considered invalid, illegal or abusive for any reason, the other terms will remain valid and in force, to the extent that they do not contradict the Company’s will, as expressed through the Policy.
In case of conflict between the rules of the Policy and the rules of other binding legal provisions, the rules prevail in the following order of precedence:
- Provisions of law.
- Regulatory acts by competent supervisory authorities.
- Individual administrative acts by competent supervisory authorities which bind the Company.
- Codes of Conduct.
- Contracts with persons bound by this Policy.
- This Data Protection Policy.
- Work regulation, other company policies and procedures.
5. SUPERVISION
The Company’s Management takes decisions concerning the strategy and the data protection framework of the Company.
The HR Department and the Data Protection Coordinators ensure that employees and third parties, who are contractually bound to comply with the Policy, become aware of it and also comply with it.
The Data Protection Committee is responsible for monitoring compliance of the Company with the applicable data protection law and this Policy and conducting periodic controls to monitor the implementation of the Policy.
In persistent cases of non-compliance, the Data Protection Committee and the Legal Department ensure that the relevant reasons for non-compliance are identified and determine the appropriate remedial action plan.
6. PRINCIPLES
When collecting and processing personal data, the Company respects and follows the following fundamental principles:
- Processes the personal data lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”).
- Collects the personal data for specified, explicit and legitimate purposes and does not further process them in a manner that is incompatible with those purposes; further processing for statistical purposes is not considered incompatible with the initial purposes (“purpose limitation”).
- Ensures that the personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”).
- Ensures that the personal data are accurate and, where necessary, kept up to date (“accuracy”).
- Ensures that the personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; stores personal data for longer periods only insofar as the personal data will be processed solely for statistical purposes and provided that appropriate technical and organizational measures are in place to safeguard the rights and freedoms of the data subject (“storage limitation”); specific data retention periods are determined in the Company’s Data Retention Policy, which forms an integral part of this Policy and is available at any time […].
- Ensures that the personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures (“integrity and confidentiality”).
In addition, the Company develops its procedures and technical and organizational systems in such a way that it can demonstrate at any time, both to the Data Protection Authority (“DPA”) and to the courts, that it fully complies with the obligations arising from the applicable data protection legislation (“accountability”).
7. LAWFULNESS OF THE PROCESSING
The Company ensures that any processing activity of personal data fulfils at least one of the following conditions:
- The processing is based on the data subject’s consent;
- The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- The processing is necessary for compliance with a legal obligation of the Company;
- The processing is necessary in order to protect vital interests of the data subject or of another natural person;
- The processing is necessary for the performance of a task carried out in the public interest;
- The processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
The Company ensures that any processing activity of special data categories fulfils at least one of the following conditions:
- The processing is based on the explicit consent of the data subject;
- The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Company or of the data subject in the field of employment and social security and social protection law;
- The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- The processing relates to personal data which are manifestly made public by the data subject;
- The processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
- The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee or for medical diagnosis, provided that these data are processed by or under the responsibility of a health professional subject to the obligation of professional secrecy.
When processing personal data on the basis of overriding legitimate interests, the Company keeps a record of the relevant data processing activities and the respective legitimate interests. To assess whether the legitimate interests prevail over the fundamental rights and freedoms of the data subjects, the Company makes a case-by-case assessment on the basis of, inter alia, the following criteria: (a) the relationship of the data subjects with the Company, for example where the data subject is an employee of the Company, and (b) the reasonable expectations of data subjects at the time and in the context of the collection of personal data, i.e. whether the data subject can reasonably expect the relevant processing. Such cases include the processing of personal data for the purposes of conducting due diligence or ensuring the security of vessels and personnel.
The Company processes personal data only for specified, explicit and legitimate purposes defined at the time of collection. In addition, the Company does not process personal data for further purposes unless it has received the prior informed consent of the data subject. Where use for further purposes is allowed by current legislation without consent, the Company first informs the data subject about such further processing as well as his/her rights, including the right to object, and ensures that the further processing is carried out under appropriate safeguards for the protection of personal data.
8. CONSENT OF THE DATA SUBJECT
Where processing is based on consent of the data subject, the Company shall be able to demonstrate that the data subject has indeed consented to the processing of his or her personal data. In this context, the Company keeps a record of the consent statements received.
The consent of the data subject, which is received by the Company, must have the following characteristics:
- Previous: To be obtained before each processing activity.
- Informed: When obtaining consent, the Company provides the data subject with the information required by law, including information about the data subject’s right to withdraw the consent at any time and the consequences of any withdrawal.
- Easily Comprehensible: The request for consent as well as the relevant information to be made in a comprehensible and easily accessible form using clear and simple language.
- Explicit: The consent to be given by a statement which includes clear positive action (silence, pre-ticked boxes or inactivity of the subject will not be considered as lawful consent).
- Specific: Where processing of personal data is carried out for several processing activities or purposes, consent is to be requested and given for each of these actions separately.
- Clearly Distinguishable: To be submitted in such a way that is clearly distinct from other matters.
- Free: The consent is to be the result of a genuine and free choice of the data subject, namely it must be possible for the data subject to refuse or withdraw his consent without detriment. When there is a clear imbalance of power between the data subject and the Company, as in the case of the Company’s employees, consent should be considered free only exceptionally, when failure to obtain consent or its revocation does not have any implications for the data subject. Consent given in the context of the performance of a contract must not be a condition for the acceptance of terms or conditions for the performance of the contract or the provision of services related to it.
- Recorded: To be provided either by written declaration (by electronic or digital means, provided that identification is possible) or by any oral recorded statement.
- Freely Withdrawable: The data subject is free to withdraw consent at any time, in the same easy, simple and effective way as the way in which the consent was given. Regarding the consequences of the withdrawal for data processing which is strictly necessary for the performance of a contract, the data subject must be informed that consent withdrawal gives the Company the right to terminate the contract. If the withdrawal of consent takes place pre-contractually, the Company has the right to refuse to conclude a contract.
Effectiveness of consent withdrawal: The Company shall implement appropriate measures to ensure that, in case of consent withdrawal, personal data processing ceases in real time and related systems immediately respond to it.
9. TRANSPARENCY OF PROCESSING
The Company ensures that the processing of personal data is carried out in a transparent manner towards the data subject and that the data subject is provided with information about data processing in an easily accessible, concise and comprehensible manner, using clear and simple language.
When the personal data are collected directly from the data subject, the Company provides to the subject, prior to data collection, the following categories of information:
- The identity and the contact details of the Data Controller;
- The purposes of processing and the legal basis for processing;
- The legitimate interests which are pursued, if processing is based upon this legal basis;
- Any recipients or categories of recipients of personal data;
- Any transfers to a third country or international organization;
- The data retention period or, when this is not possible, the criteria determining that period;
- The rights of the data subject and the way these can be exercised;
- When the processing is based on consent, the right to withdraw consent any time, and the consequences of such a withdrawal;
- The right to file a complaint with the Hellenic Data Protection Authority;
- Whether the provision of personal data is a legal or a contractual obligation or requirement for the future conclusion of a contract and whether the data subject is obliged to provide personal data and what consequences the non-provision of such data would have;
- The existence of automated decision making, including profiling and, at least in those cases, meaningful information on the logic followed and the significance and predicted consequences of such processing for the data subject.
When the personal data are not collected directly from the data subject, the Company provides to the subject, in addition to the information in the previous paragraph, information about the source of the personal data and whether the data originated from publicly accessible sources, as well as the categories of personal data that have been collected. This information is provided (a) within a reasonable time and at the latest within one month of their collection, taking into account the conditions under which the personal data are processed, (b) right after the first communication with the data subject, if the personal data are about to be used for communicating with the data subject, or (c) right after the personal data are disclosed for the first time, if they are disclosed to third party recipients.
In case the data are collected directly from the subject, the Company does not bear any obligation to inform the data subject if the data subject already has the relevant information. In case the data have not been collected from the subject, the Company is exempt from the obligation in the following cases: (a) if the data subject already has the relevant information; (b) if the provision of such information proves impossible or requires disproportionate effort; (c) if the acquisition or the disclosure of personal data is expressly provided for by applicable law and appropriate measures are taken to protect the legitimate interests of the data subject; or (d) if the personal data must be kept confidential by virtue of an obligation to observe professional secrecy or other confidentiality.
10. RIGHTS OF DATA SUBJECT
Without prejudice to the applicable law, the Company provides the following rights to all data subjects, for whom it retains data:
- To request access to their personal data and to the information related to the processing held by the Company, as well as to receive a copy thereof (right of access).
- To request rectification and/or correction of inaccurate or incomplete personal data held by the Company, upon presentation of the necessary evidence (right to rectification).
- To request erasure of their personal data held by the Company (right to be forgotten).
- To request restriction of processing of their personal data held by the Company, in cases expressly prescribed by the law (right to restriction of processing).
- To request portability of their personal data to another controller in a structured, commonly used and machine-readable format. (right to data portability).
- To object to the processing of their personal data, in the cases explicitly defined by the law (right to object).
- Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (right to object to automated decision-making).
- To lodge a complaint with the Data Protection Authority, if they believe that their rights have been infringed by the Company’s actions and/or omissions (right to complain to the Authority).
The above requests are addressed by post or e-mail to the contact details which are mentioned in the Company’s Privacy Notices and on its business website.
The process for handling data subjects’ requests and the parties involved is described in detail in the Policy named “Data Subjects Rights Procedure”, which forms part of this Policy.
11. AUTOMATED DECISION MAKING
The Company does not, in principle, take decisions based solely on automated processing of personal data, including profiling, unless necessary for the performance of its contractual obligations towards third parties, the improvement of the provided products and services and the better organization of its business.
In such cases, the Company takes the following measures for the protection of the data subjects’ rights and freedoms:
- It chooses appropriate automation solutions, to give, as a rule, the right results in relation to the evaluated attribute.
- It applies appropriate technical and organizational measures to correct inaccuracies and minimize the risk of errors.
- It avoids discrimination against data subjects.
- It ensures safe storage of and access to personal data in a manner commensurate with the risk to the data subjects’ interests and rights.
- It ensures that the decisions taken are not based on special categories of data, unless explicit consent is given.
In addition, when solely automated decision making, including profiling, occurs and this decision produces legal effects for the data subject or similarly significantly affects him/her, the Company ensures that the automated decision making is necessary for entering into, or performance of, a contract with the data subject; or is authorised by law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or is based on the data subject’s explicit consent. In these cases the Company provides the data subjects with the following rights:
- Right to obtain human intervention.
- Right to challenge the automated decision taken.
- Right to express their opinion.
- Right of access to their data.
The Company also provides general information on the rationale, significance and predicted consequences of the automated processing, in line with the principle of transparency, and ensures the possibility of human intervention in the final decision if the data subject exercises his/her right to object.
12. PROTECTION BY DESIGN AND BY DEFAULT
The Data Protection Coordinators ensure that the protection of personal data is incorporated into any business activity associated with personal data, both at the time of determining the means of processing and throughout the processing.
Taking into account the state of the art, the cost of implementation, the nature, the scope, the context and the purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of individuals posed by the processing, the Management together with the Data Protection Committee implement appropriate personal data protection measures and use privacy enhancing technologies.
To ensure data protection by default and by design, the Management together with the Data Protection Committee incorporate into each means of processing or processing procedure features which provide protection by design and by default. In case the new means or procedures pose high risks to the rights and freedoms of the data subjects, the Company performs a data protection impact assessment, determines the means to mitigate the identified risks and implements the relevant decisions regarding the design of the new means or procedures according to par. 16.
13. MANAGEMENT OF THE PROCESSORS
When the processing is carried out by a third party on behalf of the Company, the Company uses only the processors who provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing meets the requirements of applicable law and this Policy and ensures the protection of the data subjects’ rights.
The Legal Department ensures that any business agreement of the Company with a third party processing data on its behalf is prepared in writing, including in electronic form, and includes as a minimum the following terms:
- The determination of the subject matter and the duration of the processing, the nature and the purpose of the processing, the type of personal data, the categories of data subjects and the obligations and the rights of the controller.
- The obligation to process personal data only on documented instructions from the Company, including with regard to the transfer of personal data to a third country or international organization.
- The commitment to confidentiality of the staff and the business partners of the processor.
- Appropriate organizational and technical data security and confidentiality measures.
- The assistance in responding to requests for exercising data subjects’ rights.
- The assistance in the preparation of impact assessments.
- The assistance in ensuring compliance of the Company with the data breach obligations.
- The obligation to inform the Company if its instructions infringe data protection provisions.
- The obligation, upon Company’s request, to delete or return all personal data after the end of the provision of services relating to processing and to delete any existing copies.
- Providing the Company with any information necessary to demonstrate compliance of the processor with its contractual obligations.
- Performing and facilitating audits, including inspections carried out by the Company or by another auditor mandated by it.
- The obligation of not engaging another processor without the Company’s prior general or specific written authorization.
- The commitment of imposing the same data protection obligations as set out between the controller and the processor on that other processor.
The Data Protection Coordinators perform periodic assessments of the processors with whom the Company has entered into a contract, to ensure that they comply with all the relevant contractual obligations concerning personal data security and protection and that they comply with the applicable law. The Information Security Officer and the Data Protection Committee review the outcome of these assessments.
14. DATA SECURITY
Throughout the life cycle of data, i.e. from their collection up to their destruction, the Company applies the following personal data security principles:
- Confidentiality: Data is not disclosed to unauthorized persons.
- Integrity: Data is accurate, complete and genuine, i.e. not incorrect, corrupted or out of date.
- Availability: Data is available to users whenever required.
The Company’s security measures cover, on the one hand, all personal data processed and, on the other hand, all of the Company’s equipment, IT systems and electronic communications. The purpose of these measures is to prevent and avoid risks to the fundamental rights and freedoms of data subjects arising from the processing, especially the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transferred, stored or otherwise processed. The scope of this article covers all personnel of the Company and may be extended by agreement to third parties, such as processors.
The IT Department and the Data Protection Committee review the security measures which are applied. The Company appoints a dedicated Information Security Officer (ISO), who has the duty to assess the level of security and propose new security measures to the Management. Moreover, the ISO prepares the Company’s Security Plan, in which (i) he/she registers the technological infrastructure and data processing systems, the organizational and technical security measures as well as the physical security measures implemented by the Company; (ii) determines their implementation plan; and (iii) describes the procedures for its review and amendment.
The Company periodically reviews the authorizations and access rights of its employees during all stages of their career (recruitment, transfers, change of duties, retirement, etc.). It also takes specific measures to bind the personnel who process personal data to data confidentiality. Upon an employee’s departure, the Company cancels all of his/her access accounts, authorizations, passwords and e-mail accounts without assigning them to another employee (non-reuse), and requires the return of any equipment provided to the employee and belonging to the Company, including computers, keys, electronic input/output cards, etc.
The Company takes organizational measures for personal data security in the following sectors:
- Appointment of Information Security Officer.
- Appropriate management of information assets.
- Appropriate management of processors.
- Complying with data retention time and storage means.
- Keeping a process of managing personal data breaches.
- Employee training.
- Testing, assessment, regular evaluation of the effectiveness of the measures.
The Company takes technical measures for personal data security in the following sectors:
- Pseudonymization and encryption.
- Ensuring confidentiality, integrity, availability and reliability.
- Restoring availability and access in the event of an incident.
- Access control, identity and access management, authentication and provision of the right of access to personal data to authorized users based on their roles and responsibilities.
- Backups.
- Configuration of computers.
- Logging of user actions and security incidents.
- Communications security.
- Removable storage media.
- Software security.
- Change management.
The Company takes physical security measures of personal data in the following sectors:
- Physical access control.
- Minimization of hard-copy data files.
- Environmental Security.
- Document report.
- Protection of portable storage media.
- Transferring folders.
- Alternative facilities.
In order to review the correct application of data security measures and to assess their effectiveness, the ISO conducts periodic internal checks, at least once a year.
15. MANAGEMENT OF DATA BREACHES
Every employee or business partner of the Company has the obligation to report directly to the Information Security Officer every security incident that comes to his/her attention.
The process for handling Data Breaches is analyzed in detail in the Policy with title “Data Breach Management Procedure”, which forms part of this Policy.
16. DATA PROTECTION IMPACT ASSESSMENTS
The Company prepares a data protection impact assessment (DPIA), if it considers that the envisaged processing activity is likely to result in a high risk to the rights and freedoms of data subjects.
The Company keeps a register of the DPIAs executed by the Company, which includes all the relevant documentation.
The corporate process for conducting DPIAs is described in detail in the Policy titled “Data Privacy Impact Assessment Procedure”, which forms part of this Policy.
17. DATA TRANSFERS TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
In the course of its business, the Company transfers data to third countries outside the EEA under the supervision of the Data Protection Committee and the Management.
In this context, the Company transfers personal data to third countries in the following cases:
- If the European Commission has decided, by virtue of an adequacy decision, that an adequate level of protection is ensured by the third country or the international organization, or
- If the third-party data recipient (i) provides appropriate guarantees according to Article 46 of the GDPR, including standard model clauses, and (ii) there are effective legal remedies for the data subjects, or
- If any of the conditions of Article 49 of the GDPR are met.
18. TRAINING AND AWARENESS
The Data Protection Committee regularly carries out training sessions for the Company’s staff and for partners whose work involves data processing, in order for them to better understand and respect the general principles of this Policy during the Company’s daily operations.
The Company promotes a corporate culture for data protection with at least the following elements:
- Raising awareness and responsibility of the need to respect the fundamental rights and freedoms of the data subjects.
- Understanding the Company’s privacy policy framework.
- Active participation in ensuring compliance of the Company with the rules of this Policy.
- Constant vigilance in detecting risks to the rights of data subjects and in preventing and handling data breaches.