Explanatory notes

BIMCO Personal Data Protection Clause

The BIMCO Personal Data Protection Clause has been developed in response to concerns raised by owners, ship and crew managers and operators about the implications of the EU General Data Protection Regulation (GDPR) and similar legislation. It addresses the need for compliance with data protection legislation including obligations for monitoring and auditing compliance.

The clause is based on the obligations and provisions under, and takes account of the principles set out in, GDPR. However, it does not replace parties’ obligations to ensure that they have suitable data protection policies in place. The purpose of the clause is to require parties to confirm their compliance with relevant data protection regulations.

The clause is a free-standing additional clause and parties should consider its use in the context of legislation relevant and applicable to them.

Background

Personal data management is a matter of corporate governance with entities and organisations responsible for the integrity and lawful use of the data they collect. Companies should, therefore, develop procedures to ensure that their arrangements for gathering and maintaining information comply with applicable legislation; that information is collected for legitimate business reasons which might include details of seafarers’ dependents or next of kin; that internal systems are sufficiently robust to secure and preserve stored details; that information is kept only for legitimate business purposes and for as long as it is required (although this might include periods after termination of employment so that records are to hand in the event of future claims for injury or ill-health); that systems are in place to prevent misuse; and that procedural safeguards ensure the integrity of data shared with third parties or transmitted from one jurisdiction to another.

GDPR took effect on 25 May 2018 and updates legislation first introduced in Europe over twenty years ago. The principles are not new and similar provisions apply in other jurisdictions. However, GDPR imposes greater obligations on organisations in respect of the collection, use and retention of personal information, strengthens individuals’ rights to privacy, requires any breach of data security to be reported and sets out the basis for potentially large fines for non-compliance. GDPR has extra-territorial effect and applies to data processed within the EU regardless of whether it is to be used within or beyond Member States. It also applies where information processed outside the EU relates to persons or undertakings within or with a connection to a Member State.

Guidance has been issued by the European Commission covering the transfer of personal data from data controllers in the EU to data controllers and processors outside the EU or European Economic Area (EEA). Model contracts have been developed and details can be downloaded from:

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.

BIMCO wishes to thank the following members for their work in developing the new provision:

• Capt Ajay Hazari, Anglo Eastern Ship Management (Chairperson)
• Mr Andreas Andreou, Columbia Shipmanagement Ltd
• Mr Luca Cappotto, d’Amico Società di Navigazione SpA
• Mr Mark Brattman, ITIC
• Ms Beatrice Russ, Ince &Co

There are four versions of the clause for use respectively with SHIPMAN, CREWMAN, SUPPLYTIME and GUARDCON. The underlying content is the same for each but with minor differences in wording reflecting the specific agreement and categories of personnel covered.

Clause Content

Definitions:

“Data Subject” covers any identified or identifiable “natural” (i.e. living) person;

“Personal Data” relates to any information about any Data Subject covered by the underlying agreement;

“DPR” refers to data protection regulations and is the catch-all phrase meaning any such applicable legislation. While not strictly necessary in a provision for worldwide use, it is expressly stated that the term includes GDPR;

Sub-clause (a) sets out the parties’ respective duties for compliance with their DPR obligations for the collection and use, safeguarding, transfer and retention of information and protection of Data Subjects’ rights as enumerated at sub-paragraphs (i) to (iv);

Sub-clause (b) requires arrangements to be in place for dealing with, and notifying regulatory authorities about, any breach of data security; and

Sub-clause (c) requires party cooperation in relation to auditing company data protection systems and procedures.