DATA PROTECTION

Policy

Seascope Navigation Ltd (SNL) is committed to ensuring that compliance with the General Data Protection Regulation (GDPR) and other relevant data protection legislation is clear, demonstrable and embedded within our data Processing practices. We maintain robust policies, security measures and ongoing training to ensure that all employees, contractors and third parties understand and uphold their responsibilities in protecting personal data. This Data Protection Policy (the Policy) sets out the principles, responsibilities and procedures governing the collection, processing, storage and sharing of personal data within SNL. 

The purpose of this Policy is to: 

  • ensure that personal data is processed lawfully, fairly and transparently; 
  • protect the rights and freedoms of individuals whose data is processed; 
  • establish clear guidelines for handling personal data securely and responsibly; and 
  • demonstrate compliance with data protection laws and best practices. 

This Policy applies to: 

  • all employees, contractors and third-party service providers who process personal data on behalf of SNL; 
  • all personal data processed by SNL in electronic or manual formats; and 
  • all subsidiaries and operational units within SNL across global regions. 

SNL recognises the importance of data protection in today’s digital landscape and is committed to continuous improvement in the safeguarding of personal information. 

Definitions 

For the purposes of this Policy, key terms are defined as follows: 

Personal Data 

Personal Data refers to any information relating to an identified or identifiable natural person (Data Subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing 

Processing is any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

Data Controller 

A Data Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. When SNL acts as the Data Controller, we decide why and how Personal Data should be processed. 

Data Processor 

A Data Processor is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller. This may include external service providers, cloud storage providers or outsourced IT support handling Personal Data under instruction from SNL. 

Personal Data Breach 

A Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Principles Relating to Processing of Personal Data 

SNL is committed to ensuring that all Personal Data is processed in a lawful, fair and transparent manner. The following principles guide our approach to the collection, use, storage and protection of Personal Data: 

Lawfulness, Fairness and Transparency 

Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

Purpose Limitation 

Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. 

Data Minimisation 

Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Accuracy 

Personal Data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. 

Storage Limitation 

Personal Data must be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed. 

Integrity and Confidentiality 

Personal Data must be processed in a manner that ensures appropriate security of the Personal Data including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability 

SNL shall take responsibility for compliance with these principles and be able to demonstrate our adherence to them through appropriate governance measures, policies and documentation. 

Lawful Basis for Processing 

There are six alternative ways in which the lawfulness of a specific case of Processing of Personal Data may be established under the GDPR. It is SNL’s policy to identify the appropriate basis for Processing and to document it.

Consent 

Unless it is necessary or otherwise permitted for a reason allowable in the GDPR, SNL will always obtain explicit consent from a Data Subject to collect and process their data. In the case of children below the age of 16 (a lower age may be allowable in specific EU member states) parental consent will be obtained. Transparent information about our usage of Personal Data will be provided to Data Subjects at the time that consent is obtained and their rights regarding their data explained, such as the right to withdraw consent. This information will be provided in an accessible form, written in clear language and free of charge. 

Performance of a Contract 

Where the Personal Data collected and processed is required to fulfil a contract with the Data Subject, explicit consent is not required. This will often be the case where the contract cannot be completed without the Personal Data in question e.g. a delivery cannot be made without an address to deliver to. 

Legal Obligation 

If Personal Data is required to be collected and processed to comply with the law, then explicit consent is not required. This may be the case, for example, for some Personal Data related to employment and taxation, and for many areas addressed by the public sector.

Vital Interests of the Data Subject 

If Personal Data is required to protect the vital interests of the Data Subject or of another natural person, then this may be used as the lawful basis of the Processing. SNL will retain reasonable, documented evidence that this is the case whenever this reason is used as the lawful basis of the Processing of Personal Data. As an example, if there was a serious accident in the workplace leaving the victim incapable of consent, Personal Data may be disclosed to the hospital to protect the victim’s vital interests. 

Task Carried Out in the Public Interest 

Where SNL needs to perform a task that we believe is in the public interest or as part of an official duty then the Data Subject’s consent will not be requested. The assessment of the public interest or official duty will be documented and made available as evidence where required.

Legitimate Interests 

If the Processing of specific Personal Data is in the legitimate interests of SNL and is judged not to affect the rights and freedoms of the Data Subject in a significant way, then this may be defined as the lawful reason for the Processing. Again, the reasoning behind this view will be documented. 

Rights of the Individual 

The Data Subject has rights under the GDPR as follows: 

  • Right to be informed: Data Subjects have the right to be provided with clear and transparent information about how their Personal Data is being collected, used and processed. 
  • Right of access: Data Subjects have the right to request confirmation of whether Personal Data concerning them is being processed and, if so, access to that data. 
  • Right to rectification: Data Subjects have the right to request the correction of any inaccurate or incomplete Personal Data. 
  • Right to erasure: Data Subjects have the right to request the deletion of their Personal Data, subject to certain conditions. 
  • Right to restrict Processing: Data Subjects may request the restriction of Processing under certain circumstances, such as when the accuracy of data is contested. 
  • Right to data portability: Data Subjects have the right to receive their Personal Data in a structured, commonly used and machine-readable format and to transmit that data to another Data Controller.
  • Right to object: Data Subjects may object to the Processing of their Personal Data on the basis of legitimate interests or for direct marketing purposes.
  • Rights in relation to automated decision making and profiling: Data Subjects have the right not to be subject to automated decisions that have significant effects, unless certain conditions are met. 

You must verify the identity of an individual requesting data under any of the rights listed above. Do not allow third parties to persuade you into disclosing Personal Data without proper authorisation.

Privacy by Design and Data Protection Impact Assessment 

SNL is required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures, like pseudonymisation, in an effective manner to ensure compliance with data privacy principles. 

You must assess what Privacy by Design measures can be implemented on all programmes, systems and processes that process Personal Data by ensuring that: 

  • data protection is embedded into the design and architecture of SNL’s information systems and business practices; 
  • appropriate safeguards including encryption, access controls and secure communication channels are integrated into SNL’s IT systems and operational workflows from the earliest stages of development;
  • default settings on systems are configured to provide the highest level of privacy protection without requiring user intervention; and 
  • training and awareness are provided to all employees to ensure that data protection is considered at every level within SNL and throughout the data lifecycle. 

Data Controllers must also conduct Data Protection Impact Assessments (DPIA) in respect of high-risk Processing. A DPIA must include:

  • a description of the Processing, its purposes and the Data Controller’s legitimate interests if appropriate; 
  • an assessment of the necessity and proportionality of the Processing in relation to its purpose; 
  • an assessment of the risk to individuals; and 
  • the risk mitigation measures in place and demonstration of compliance. 

Direct Marketing 

SNL is subject to certain rules and privacy laws when marketing to our customers. As part of our business operations, SNL may use your Personal Data to provide you with information about our products, services and/or events that may be of interest to you. SNL relies on your consent as the legal basis for this processing, in accordance with applicable data protection laws.

You have the right to object to or opt out of receiving direct marketing communications from SNL at any time. You can do this by following the unsubscribe link in our emails, adjusting your communication preferences or contacting us at datacontrol@seascope.com.cy

We do not share your Personal Data with third parties for marketing purposes without your explicit consent. 

Third-Party Processors 

Generally, SNL is not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place. SNL may only share the Personal Data we hold with another employee, agent or representative of SNL (which includes our subsidiaries and our ultimate holding company) if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions. 

You may only share the Personal Data SNL holds with third parties if: 

  • they have a need to know the information for the purposes of providing the contracted services; 
  • sharing the Personal Data complies with the privacy notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained; 
  • the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place; 
  • the transfer complies with any applicable cross-border transfer restrictions; and
  • a fully executed written contract that contains GDPR-approved third-party clauses has been obtained.

International Transfers of Personal Data 

Personal Data may be transferred to other jurisdictions in which SNL operates. SNL ensures that such transfers comply with applicable laws and are safeguarded by appropriate contractual or legal mechanisms (e.g. Data Transfer Agreements). 

Personal Data Breach Notification 

SNL endeavours to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of Personal Data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours. This will be managed in accordance with our Information Security Incident Response Procedure which sets out the overall process of handling information security incidents. 

Changes to this Policy 

SNL reserves the right to change this Policy at any time so please check back regularly to obtain the latest copy of this Policy. This Policy was last revised during April 2025 and does not override any applicable national data privacy laws and regulations in countries where SNL operates. No policy can cover all eventualities. 

Questions in relation to this Policy or application of this Policy should be directed to the GDPR Team (datacontrol@seascope.com.cy).