Gearbulk complies with privacy and data protection legislation, in particular with the EU General Data Protection Regulation (the “GDPR”), the Norwegian Data Privacy Act and local regulations applicable where Gearbulk is present and/or operates. Gearbulk is further committed to protect your personal information, keep it confidential and reduce the risk of outsiders accessing and using your personal data to as low as reasonably practical. This Policy has been drafted in accordance with the above-mentioned regulation and principles and describes how Gearbulk processes and safeguards the personal data of employees on shore and at sea. This Policy applies to all employees in the Gearbulk group.
What is personal information?
Personal information is any information about an identified or identifiable individual (the “Data Subject”). Personal information does not include anonymous or non-personal information (i.e., information that cannot be associated with or tracked back to a specific individual).
What personal information may Gearbulk collect, process or retain?
The following personal data may be collected, processed or retained at our files:
▪ Name, marital status, gender, personal email addresses, date of birth, social security, personal identification numbers, addresses, telephone numbers, next of kin;
▪ IP address, corporate emails, and other personal access to corporate social media or corporate computers systems;
▪ Emergency contact information;
▪ Professional degrees, job applications and resumes;
▪ Follow up notes in conjunction with references from previous employers;
▪ Interview notes made internally or by third parties;
▪ Photographs and videos;
▪ Biometric data
▪ Document correspondence in conjunction with job offers and acceptance of employment;
▪ Private and confidential agreements signed for relevant positions;
▪ On-the-job appraisals;
▪ Promotions, layoffs, internal transferences and resignations;
▪ Surveys about the working environment;
▪ Mandatory policies’ acknowledgments;
▪ Payroll information;
▪ Wages and benefits, including bonus schemes;
▪ Employee’s health and welfare benefits, as relevant to short or long-term disabilities, sick leave, pension plans, dental or health care, where applicable;
▪ Union membership;
▪ Information about car register plates, in conjunction with office parking; and
▪ Documents requested by flag state.
The processing of personal data will be appropriate, relevant, and limited to the purpose of the processing.
Who in Gearbulk can collect, process, or retain personal information?
The personal information listed above is collected and will be processed/stored by restricted personnel authorised and qualified to handled confidential information.
Information Technology may monitor acceptable use of IP addresses, corporate emails, personal accesses to corporate social media or corporate computer systems, upon reasonable doubt that employee may be engaged in any form of criminal activity or is breaching the employment agreement.
Gearbulk will not disclose your personal information to third parties unless it is required to do so by any national government and/or public authority, in this case limited to minimum extent required.
Gearbulk may engage third parties which will process your personal data on our behalf (e.g., payroll administration services, insurance companies, working hours controls). Gearbulk will, however, only engage third parties that have provided sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR and the protection standards established in this Policy.
Why does Gearbulk collect, process, or retain personal information?
The legal basis for Gearbulk collecting, processing and/or retaining personal data is the company legitimate interest, cf. article 6.1 “f” of the GDPR.
Gearbulk may also collect, process and/or retain personal information to fulfil the employee’s employment contract, prevent crimes and/or to comply with legal regulations applicable where Gearbulk is present and/or operates.
Processing information under the company legitimate interest includes, but is not limited to the following actions:
Administration of payment of salary and other compensation;
▪ Seniority calculation, insurance, dental or health care and other benefits;
▪ Evaluation of training needs;
▪ Incident investigation;
▪ Employee travel arrangements;
▪ Evidences for disciplinary actions, lawsuits or termination, in relation to your employment agreement; and
▪ For emergency purposes, if the company needs to contact your next of kin.
After termination of the employment, only relevant personal data that is required by national authorities will be retained or that may be requested for the legitimate defence of the company;
How personal information is collected?
Gearbulk collects personal data by direct contact with you, online forms, public searches and/or third parties such as manning agencies, customers, suppliers, agents and business partners, to the reasonable expectation that such third parties are not in breach of any data protection regulations worldwide.
What is to “process” personal information?
Processing personal information relates to any manual and/or automated operation and/or series of operations conducted with any personal data, including, without limitation: collecting, registration, organising, structuring, storage, customisation, change, retrieval, consultation, use, transfer, spreading of any personal data, making personal data available, assembled, limited, deleted or destroyed.
Gearbulk considers privacy in all aspects when implementing new personal data processing or IT systems and the strictest privacy settings are default for all systems. Accordingly, appropriate organisational and technical security measures are in place to protect your personal data. For instance, Gearbulk stores personal data on servers with limited access located in secured facilities. The servers are protected by anti-virus software and firewalls. Gearbulk’s security measures are reevaluated on an ongoing basis.
Erasure of personal data
Gearbulk has routines to delete or anonymise your personal data when it is no longer needed for the purposes for which it was collected and subsequently processed, or required to be stored pursuant to any legitimate justification. If you believe there are grounds for erasure of personal data concerning you, please contact your local DPO to request erasure of your personal data.
Rights of the Data Subject
You have the following rights in accordance with the GDPR:
▪ To obtain the confirmation as to whether or not personal data concerning you are processed by Gearbulk, and, where that is the case, access the personal data and obtain information regarding the purpose of the processing, the categories of personal data concerned etc.;
▪ To obtain rectification of inaccurate personal data concerning you;
▪ To withdraw consent for cases where it is required as legal basis for processing of personal data, without disclosing the reason;
▪ To have incomplete personal data concerning you completed;
▪ To receive personal data concerning you;
▪ To transmit personal data concerning you to another controller;
▪ To object or restrict the processing of personal data concerning you, unless the Company is entitled to process your personal data under certain legal basis;
▪ To obtain erasure of personal data concerning you, unless the Company is entitled to store your personal data under certain legal basis.
If Gearbulk is entitled to process and/or store personal data you have objected and/or requested to be erased, under any existing legal basis, it will process and/or store such personal data only to the extent it is required and/or permitted by such legal basis.
Gearbulk will establish detailed routines to describe the step-by-step process required in all the cases detailed above.
Violation and Breaches
Gearbulk is required to report violations to the GDPR and/or applicable local regulations to relevant public authorities.
Nevertheless, if you believe that Gearbulk is processing your personal data in violation of the GDPR and/or applicable local regulations, you have the right to lodge a written complaint to Datatilsynet. The contact information for Datatilsynet is available at www.datatilsynet.no.
Contact Information & General Provisions
Data Protection Officer: Beatriz Barros Villas Boas Passos