Privacy Policy

Our BCR is sent in for approval by the Norwegian data protection authority (Datatilsynet) and is currently under review. This version of the BCR shall be considered a draft version (subject to changes) until it is approved by the authorities. The BCR were published on the 25th of May 2018 to fulfil our legal obligation (General Data Protection Regulation) on informing individuals subject to our personal data processing activities and is the Wallenius Wilhelmsen group’s internal global privacy policy. Any individuals’ rights and our obligations due to the General Data Protection Regulation is valid regardless of the BCR application process.

All Wallenius Wilhelmsen group companies must comply with the BCR, in addition to other laws or regulations imposed in the country where we are operating. This means that the BCR enables individuals to exercise their data privacy rights regardless of where their personal data is being processed, which in turn makes Wallenius Wilhelmsen group accountable no matter where we choose to handle data.

Every employee in the Wallenius Wilhelmsen group shall have adequate knowledge of data protection legislation. This means that an employee shall be aware of the legislation to different extents, depending on his or her tasks carried out during daily work.

In addition, we have a whistle-blowing system in place to make sure data privacy is respected. A BCR whistle blower may report data privacy matters to a local trusted manager or by contacting the Wallenius Wilhelmsen group appointed Data Protection Officer (the ‘DPO’), who have a legal duty of secrecy. Any whistle-blowing will be followed up and measures to remedy the issue will be taken. An employee will never be punished in any way for contacting a manager or the DPO. We encourage raising questions about data privacy.

The term “processing” means handling of personal data. For example collecting, storing, sending or in other ways using it. The BCR imposes strict rules regarding any processing of personal data. The main rule is that the processing need to have a legitimate purpose, never be excessive and always be necessary. If personal data is collected, the individual will need to be made aware. The Wallenius Wilhelmsen group will only process sensitive personal data if it’s absolutely necessary.

Below we provide a short brief of which group of individuals we regularly process personal data about.

Through our BCR we commit to follow the data protection principles not only in Europe, but also in other countries where we operate. The legal term ‘data subject’ is used throughout the BCR, which means a person which data is processed by the Wallenius Wilhelmsen group. A data subject may exercise his or her personal rights according to the BCR or GDPR depending on where his or her data is processed. You have several rights according to the GDPR, and the BCR (section 7,8) describes this in a more easily understandable language. You have several rights, directly or indirectly, including (but not limited to):

• Remedies for breaches of the data protection principles.
• Remedies for breaches of legal basis for processing.
• Right to access and information regarding what we process about you.
• Right to restriction and objection of further processing.
• Right to rectification and erasure.
• Right not to be subject to decisions based solely on automated processing, including profiling.
• Right to complain through our internal complaints mechanism.

If you want to exercise your personal rights regarding data privacy, please read the relevant BCR sections and ensure that you prove that you are you. If you do not prove your identity, we cannot give any information regarding your personal data.