TO THE MEMBERS
IMPLEMENTATION OF GDPR PRINCIPLES IN CLAIMS HANDLING
As advised in the Club’s circular 3/18 dated February 2018, the General Data Protection Regulation (“GDPR”) provides for significant penalties in the event of a data breach. The purpose of this circular is to provide Members, correspondents and others with further guidance on how to try and reduce the risk of a breach and advise you of some changes we will be making in the way that we handle personal data.
People claims such as those involving crew or passenger illness and injury present the greatest challenge to the Club in ensuring the adequate protection of personal data.
Data minimisation and privacy by design
As mentioned in our previous circular, the Club is a controller for the purposes of the GDPR, and thus responsible for demonstrating compliance with the Regulation. As a result and in line with the key GDPR principles of data minimisation and privacy by design, the Club wishes to:
E-mail circulation lists continue to expand, which means it can be difficult to spot when someone who should not be included has inserted themselves into an e-mail chain. In addition, attempted fraud by e-mail is increasing, with communications received from impersonators of those involved in the industry. These imposters are usually seeking financial gain, but responding to such a message could lead to a data breach by the Club as well.
In handling personal illness or injury files it is often necessary to exchange sensitive personal data with Members, correspondents and service providers around the world on an urgent basis. Implementing GDPR principles is particularly important.
We would like to offer readers some “best practice” guidance in the form of 10 tips for the treatment of personal data:
Since the Club recognises that Members, brokers and external service providers such as Club correspondents, surveyors, and experts will generally be data controllers, as will be the Club, implementing the above security measures minimises the risks arising from handling personal data to which both the Club and Members are exposed, and we ask that you consider implementing these and other measures appropriate to your organisation.
Extra-territorial reach of the GDPR as it applies to crew engaged within and outside the EU/EEA
As referred to in our previous circular, the Regulation applies to shipowners and/or their managers who have establishments within the EU/EEA where they are processing personal data on EU/EEA individuals who are within the EU/EEA. For example, where a shipowner has its management within Greece and provides Greek senior officers to its ships, the personal data of those individuals will fall squarely within the scope of the Regulation.
Where the Regulation can have extra-territorial reach is if there is transfer of personal data to or from the EU/EEA, such as in the following cases:
The recruitment of crewmembers where
For many of our Members, local manning agents are used for the recruitment of crewmembers outside of the EU/EEA, for example, from the Philippines, India and the Ukraine. However, as the crew are engaged by an owner/manager with an establishment in the EU/EEA, the processing of their personal data will also fall within the scope of the Regulation, despite the crewmembers themselves not being EU/EEA nationals.
In addition, where a shipowner/manager is located outside the EU/EEA but engages crewmembers from EU/EEA countries, as they will be processing personal data on EU/EEA individuals, that processing will also fall within the scope of the Regulation.
Shipowners’ privacy responsibilities
In respect of crew illness and injury claims, the clubs will often be the shipowners’ employers’ liability insurers, and in such cases it will be necessary for the shipowner/manager to provide the crewmembers with notice that their personal data may be shared with its insurers and other third parties.
We expect that for the majority of our Members, their crew contracts and collective bargaining agreements (CBAs) will either not contain data protection clauses/notices or they will need updating. We would therefore ask Members to ensure that they provide their crewmembers with the necessary notice.
In addition to any wider privacy notice (also known as an information notice or fair processing notice) you may have developed, we suggest that Members consider including in the notice the following provisions dealing with injury and illness claims:
This is not an exhaustive list to ensure compliance with GDPR, but should allow Members to provide claims information to the Club. In addition, local and specific legal advice should also be obtained.
For other steps which the Club recommends Members should take, please refer to the “Further impact on Members” section in our previous circular.
All clubs in the International Group have issued similar circulars.
For more information please contact Paul Knight
Email: firstname.lastname@example.org Tel. +44 20 7204 2229