General Privacy Notice (“Notice”)
Updated: 30/September/2021
Introduction
Columbia Shipmanagement Limited and its affiliates (referred to as “we”, “our”, “us”,
or “CSM”) recognise and respect the rights and privacy of individuals. This includes
our applicants, current and former employees, suppliers, passengers on board the
vessels we manage, and our customers.
This Notice explains what we do with your personal data, whether we are considering
your application for employment, continuing our relationship with you, providing you
with a service, receiving a service from you, or if you are visiting our premises or our
website.
It describes how we collect, handle, and process your personal data, and how, in doing
so, we comply with our legal obligations. We consider privacy to be important and are
committed to protecting and safeguarding your personal data privacy rights. The use
of the word “processing” in this Notice is intended to include such actions as
collecting, handling, using, storing and protecting your personal data.
This Notice applies to the personal data of Data Subjects such as yourself,
our Employees (on board and ashore), Customers, Visitors, Suppliers of goods and
services, Website Users, and others whom we may contact in order to collect more
information about our Employees or those whom they have indicated as
an Emergency contact.
If you are an Employee or Seafarer, you should also refer to the Company Data
Protection Policy, with which we have already provided you.
Legal framework
This Notice is written to comply with the applicable data protection legislation which
includes, but is not limited to, the European Union General Data Protection
Regulation (GDPR).
The company responsible for your personal Data (Data Controller)
Name: CSM
Phone: +357 25843100
Email: mailto://shipmanagement@csmcy.com
Address: Columbia House, 21 Spyrou Kyprianou Avenue, 4042 Limassol, Cyprus
Data Protection Officer
Name: Mr Andreas Andreou
Phone: +357 25843100
Email: CSMDPO@csmcy.com
Address: Columbia House, 21 Spyrou Kyprianou Avenue, 4042 Limassol, Cyprus
How do we use personal data?
We may process personal data as part of our shipmanagement services. Such
processing may include, but is not limited to, employment contracts, anti-money-
laundering, risk management, claims handling, document processing, marketing,
procurement, and newbuilding supervision.
What personal data do we collect?
Employees
(on board and ashore):
In order to consider you for employment, or employ you, we need to process certain
information about you. We only ask for or collect details that help us provide what is
required as part of your application process or employment. For example, we need
information such as your name, age, contact details, education details, employment
history, emergency contacts, next of kin, immigration status, passport size photos,
passport copies, overalls size, bank account details, utility bills and other relevant
information required for the purposes of your employment or that you may choose to
share with us. Where appropriate, and in accordance with local laws and
requirements, we may also collect information of a more sensitive nature, such as
diversity information, information related to your health, union membership, or details
of any criminal convictions.
We use processors who are third parties who provide elements of services for us. We
have contracts in place with our processors. This means they cannot do anything with
your personal data unless we have instructed them to do it. They will not share your
personal data with any organisation apart from us. They shall keep it securely, for the
period we instruct.
For certain seafarers, for handling job applications, we shall use a third-party provider
tool. This tool will be utilised by us to improve recruitment experience, efficiency and
productivity.
Where such processing occurs, relevant privacy information shall be provided at the
point of collection of personal data.
To enable shore employees to conduct our business, they have been provided with
access to one another’s contact information including name, position, telephone
number, work address, work e-mail address, and photograph (should you choose to
provide one).
Employees should be aware that photographs and videos are taken on our premises
and during events we organise; selections of such material may be used for company
marketing purposes (for example on our website or in promotional leaflets or posters)
and their image or parts of their image may appear in the material or the background
of said material.
Training and maintaining proficient and qualified employees is of great importance to
us and as such, various training regimes and campaigns are in place both on-board and
ashore. To this end we use several training systems provided and maintained by thirdparty providers. These may also include automated survey service suppliers, for
feedback purposes not only to improve training but other aspects of employment such
as our management system or work practices.
Insurance plays an important role in our operations and is prominent in relation to the
vessels we manage and the Office. We undertake claims handling for a large number
of vessels which includes individual seafarer illness and injury, protection and
indemnity claims involving cargo, shippers, and receivers, and hull and machinery
claims involving the structure of the vessel. Similarly, we undertake claims handling
for Employees who are insured under the Company policies. In all these claims, and
particularly with medical claims, we process personal data which may be provided to
the relevant insurer. We operate an open reporting policy. In the interests of
maintaining confidentiality and impartiality the open reporting platform and service is
provided by a third-party provider.
Customers
To enable us to communicate with you and to ensure that we meet certain legal
requirements such as KYC (know your customer) and AML (anti-money-laundering),
we need to have certain details of yours or details of individual contacts at your
organisation (such as their names, telephone numbers and e-mail addresses).
We ensure that our marketing communications to you are relevant and timely.
Website Users
We collect a limited amount of personal data in order to improve your experience
when using our website.
This includes information such as the frequency with which you access our website,
and the times that our website is most popular.
Suppliers of goods and service
We collect a small amount of information from our Suppliers to ensure that operations
work properly. We need contact details of relevant individuals at your organisation so
that we can communicate with you. We also need other information such as your bank
details so that we can pay for the services you provide (if this is part of the contractual
arrangements).
Emergency contacts
As part of due diligence and in order to protect the vital interests of our Data Subjects,
we will under certain circumstances collect emergency contact details.
Visitors
When visiting our premises, we collect the necessary personal data required for
security and notification purposes. For security purposes, we also operate a Closed
Circuit Television system (CCTV). The CCTV cameras only operate in common areas
of our premises and are positioned so as not to intrude on privacy. The footage is kept
for no longer than a month and access is strictly regulated.
Processing related to CSM Events
Please be aware that photographs will be taken during CSM events which might be
used for CSM social media channels and Website/Publications. If you do not wish to
be photographed please contact us.
Processing relating to endemic infectious diseases
We must protect our seafarers on the ships we manage and our employees on our
premises ashore from endemic infectious diseases. In the event of an outbreak, we
shall take steps to control entry to our offices and ships under our management. Such
steps will be in line with local authority requirements and guidelines.
Where it is necessary and proportionate to do so, before you enter our premises or
board any ship, we shall ask you certain screening questions on your recent exposure
to any such disease. We shall also check your temperature. We shall use this personal
data concerning health to decide whether to allow you to enter our premises or board
any ship.
You can refuse to answer such questions or have your temperature taken. In such
cases, we can refuse entry to you on our premises or board any ship.
We have a legal obligation to protect our seafarers and employees from such health
risks. It is also in the interest of other people who are at risk of becoming infected.
The legal bases we use for lawful processing
In order to conduct business and fulfil our legal, regulatory, and contractual
obligations, we need to perform legitimate and fundamental processing activities.
These are:
1. Establishing contracts
2. Maintaining contracts
3. Provision of all contracted services
4. Invoicing: remittance, payments, and collections
5. Non-promotional communications
6. Marketing and other promotional communications
7. Risk management contract review
8. Response to Subject Requests
9. Performance measurement
10. IT and telecommunication support services
11. Business Continuity and Contingency Planning
12. Legal and regulatory obligations
13. Responding to enquiries, requests, and complaints
14. Employment processing
15. Workforce planning
16. Training and certifications
17. Emergency communications
18. Interacting with other organisations, industry groups, and professional associations
19. Internal ethics reporting, security, and investigations
Who will access or receive the personal data?
We need to share the personal information we process with individuals themselves
and also with other organisations. The list below contains a description of the types of
organisations with which we may need to share some of the personal information we
process.
1. Agents and brokers
2. Business associates, other professional bodies, and advisers
3. Central and local government
4. Claimants, beneficiaries, assignees, and payees
5. Claims investigators
6. Complainants, and enquirers
7. Courts and tribunals
8. Credit reference, debt collection, and tracing agencies
9. Current, past, and prospective employers
10. Customers
11. Debt collection and tracing agencies
12. Education and examining bodies
13. Employment and recruitment agencies
14. Family, associates, and representatives of the person whose personal data we are processing
15. Financial organisations and advisers
16. Healthcare professionals, social and welfare organisations
17. Insurance providers
18. Law enforcement and prosecuting authorities
19. Learning management system providers
20. Ombudsman and other regulatory authorities
21. Open reporting system providers
22. Other affiliated companies
23. Pension schemes
24. Police forces
25. Private investigators
26. Professional advisers
27. Share Administrators
28. Suppliers and services providers
29. Survey and research organisations
30. Training system and software providers
31. Unions, trade associations, professional bodies, and employer associations
The countries where personal data will be stored, processed and/or transferred
Your personal data we collect may be stored and processed in the EU or any other
country in which we or associated third parties maintain facilities. In case we need to
transfer your personal data, we will take all reasonable measures to safeguard the
transfer of your personal data to third parties in a manner that complies with the
applicable data protection laws.
How long will the personal data be retained?
Retention of specific records may be necessary for one or more of the following
reasons:
1. Fulfilling statutory or other regulatory requirements
2. Evidencing events/agreements in case of disputes
3. Operational needs
4. Historical and statistical purposes
Where we collect personal data for which we subsequently have no use for any
business purpose we will then review and may destroy such personal data at our
discretion.
The right to withdraw consent
In situations where we request and receive your consent to perform processing, we are
also obliged to stop such processing if you decide to withdraw your consent.
Withdrawing consent is as straightforward as giving consent. Withdrawing consent
cannot be back-dated so it has no effect on processing already performed during the
period of consent.
The right to access, change, delete, restrict, object, request a copy
Under certain circumstances you have rights regarding your personal data. These are:
1. Access to a copy of your personal data
2. Object to processing of your personal data
3. Stop receiving direct marketing material
4. Object to decisions being taken by automated means
5. Have inaccurate personal data rectified, blocked, erased or destroyed
6. Lodge a complaint with the relevant data protection authority
7. Claim compensation for damages caused by a breach of the GDPR
If you are an employee, and wish to exercise any of these rights, please follow the
relevant Company procedure. If you are not an employee, please contact CSM
directly.
What happens if the personal data is not collected?
Your personal data is required for communication and setting up a contractual
agreement to provide employment, products, and services. Without this data we will
not be able to communicate with you or enter into a contractual agreement with you.
This includes both business and employment contracts.
We need personal data to:
1. Enable consensual bilateral communications
2. Engage in pre-contractual activities
3. Honour contractual obligations
4. Be able to employ people
Without this personal data, we will not be able to perform these primary activities.
Automated decision making
We do not use automated decision making.
Cookies
Our use of cookies
Cookies are small text files that are placed on your computer by websites that you
visit. They are widely used in order to make websites work, or work more efficiently,
as well as to provide information to the owners of the site. We use necessary cookies
to make our website work. We would also like to set analytics cookies that help us
make improvements by measuring how you use the website.
Necessary cookies
Necessary cookies are crucial to your experience of a website, enabling core features
like user logins, account management, shopping carts, and payment processing.
Necessary cookies enable core functionality such as security, network management,
and accessibility. You may disable these by changing your browser settings, but this
may affect how the website functions.
We use necessary cookies to enable certain functions on our website.
Functional cookies
Functional cookies are used to collect information about your device and any settings
you may configure on the website you’re visiting (like language and time zone
settings). With this information, websites can provide you with customised, enhanced,
or optimised content and services. These will be off by default and set only if you
accept.
Performance cookies
Performance cookies track how you use a website during your visit. Typically, this
information is anonymous and aggregated, with information tracked across all website
users. They help companies understand visitor usage patterns, identify and diagnose
problems or errors their users may encounter, and make better strategic decisions in
improving their audience’s overall website experience. The cookies collect
information in a way that does not directly identify anyone. These will be off by
default and set only if you accept. We use performance cookies on our website.
Targeting cookies
Targeting cookies help determine what promotional content is most relevant and
appropriate to you and your interests. Websites may use them to deliver targeted
advertising or limit the number of times you see an advertisement. This helps
companies improve the effectiveness of their campaigns and the quality of content
presented to you. These will be off by default and set only if you accept. Targeting
cookies set by third-parties may be used to track you on other websites that use the
same third-party service.
Analytics cookies
We would like to set Google Analytics cookies to help us improve our website by
collecting and reporting information on how you use it. The cookies collect
information in a way that does not directly identify anyone. These will be off by
default and set only if you accept.
How do I change my cookie settings?
You can change your cookie preferences relating to our website at any time by
clicking on the ‘Cookie Settings’ link on website’s footer section. You can then adjust
the available buttons to ‘Allow All’ or ‘Reject All’, then clicking ‘Confirm My
Choices’. You may need to refresh your page for your settings to take effect.
Alternatively, most web browsers allow some control of most cookies through the
browser settings. To find out more about cookies, including how to see what cookies
have been set, we recommend to
visit www.aboutcookies.org or www.allaboutcookies.org.
To find information relating to your specific browser, please visit your browser’s
website.
To opt out of being tracked by Google Analytics across all websites, you can
visit http://tools.google.com/dlpage/gaoptout
Changes to our Notice
Any changes we make to our Notice in the future will be posted on this page. Please
check back frequently to stay informed of any updates or changes.
Where we intend to further process your personal data for a purpose other than that
for which the personal data were collected, we shall provide you, prior to that further
processing, with information on that other purpose and with any relevant further
information.