THE GDPR ICEBERG – DATA PROTECTION IN THE SHIPPING INDUSTRY

  • by Author
  • Mar 23

The General Data Protection Regulation EU 2016/679 (GDPR) came into force on the 25th of May 2018, to protect the personal data of European Union individuals. The GDPR applies across a wide range of sectors. In the shipping industry, the processing and transfer of personal data is a daily occurrence.

The GDPR does not apply only to EU organizations and companies. Where organizations and businesses located outside of the EU, for example in the United Arab Emirates or China, provide commodities or services to EU individuals, or monitor the behavior of individuals within the EU, the GDPR applies to them as well. As a result, the scope of applicability of the GDPR is global, and the shipping industry is particularly affected by this global reach.

Shipping organizations and companies both store and process personal data, such as crew and passenger data, identification documents, bank account details and travel documents, and sensitive personal data, such as medical records or information regarding injuries. Some of the above will likely be shared with third parties, manning agents, port authorities and agents, P&I clubs, inspectors and travel agents, and will eventually cross borders. Therefore, GDPR compliance in the shipping industry is complex, essential and desirable.

Many provisions protecting personal data were already in force through national and international laws; yet the aim of the GDPR is to push for the implementation of stricter security measures in the handling and processing of the personal data of individuals (i.e. the data subjects), whilst also imposing hefty fines on those who fail to do so. According to Article 83 of the GDPR, organizations that are not in compliance with the regulation face fines of up to 4% of their global annual turnover or €20 million, whichever is greater. For less important violations, the national supervisory authority can still fine organizations up to either 2% or €10 million.

Thus, it is crucial to take proactive measures to implement effective data protection control systems in order to eliminate the risk of breaching any of the data protection obligations. Otherwise, shipping organizations will have to face huge fines and private or even class actions from data subjects that can lead to reputational damage and potentially even sink the business.

Shipping companies and organizations should take the following 5 steps to compliance:

  1. Conduct a data audit to determine what personal data you are storing and processing, for what purposes and for how long. A data audit enables organizations to consider how they meet key GDPR requirements and, in each case of processing, whether they are the data controllers or data processors or both. A data audit shows the flow of personal data within and outside of an organization or business. For shipping organizations, a data flow is essential because it will eventually show with which other agents and organizations globally the personal data are shared. If you know the flow of personal data, you can have control over its use, processing and transfer according to the requirements of the GDPR.
  2. Draft or amend policies and procedures and provide training for your employees. You need a data protection policy and training for management, HR departments, accounting departments and employees, so that they follow the data policy day in, day out.
  3. Notify data subjects about the processing of their personal data and obtain consent if needed. If you use, store and process sensitive personal data, such as medical details, you need to obtain the subjects’ consent. Data subjects must know their data rights and have access to their data.
  4. Draft or amend contracts with data processors or service providers. In day-to-day shipping, companies associate with several third parties. For instance, where the manning agency processes personal data and the shipping company is the data controller, a data processing agreement is needed.
  5. Appoint a data protection officer. The role of a data protection officer is to inform the organization about its compliance with the GDPR and ensure that the data policy of the organization is in place. They are the first point of contact with the Supervisory Authorities and data subjects.

Shipping organizations regularly make personal data transfers to foreign jurisdictions. A matter of concern is when these transfers are made to countries outside the EU. Such transfers must come from or go to a third country that ensures an adequate level of protection. There is a list of third countries that comply with the requested level of protection, which includes, among others, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. For countries such as the Philippines, additional safety measures must be met to ensure that the rights of data subjects are protected. Such safety measures can be provided by a legally binding agreement between public authorities, by binding corporate rules, or by the incorporation of standard data protection clauses in the form of template transfer clauses adopted by the Commission or adopted by a supervisory authority and then approved by the Commission.

Over the last few decades, the shipping industry has transformed substantially. Safety and environmental regulations were indeed both needed and desirable, but they came with a financial cost. The implementation of the GDPR does not need to be costly and burdensome. Organizations with global data protection policies and agreements in place will eventually stand out from their competitors.

© Copyright 2023 | Mouktaroudes Law | All right reserved.
