Introduction

1.    A person’s privacy is important to SIA “Ultramarin”. The purpose of this Policy is to provide information on personal data processing intentions, legal basis, extent, protection and processing term in the time of acquiring the data, as well as following good practice and protecting the reputation of Company.

Data Controller and contact information

2.    The Data Controller is - SIA “Ultramarin” (hereinafter referred to as – Company), Registration number: 40103185820, Legal address: 76, Gustava Zemgala Gatve, 16th Floor, " EUROPA" business centre, Riga, LV-1039, Republic of Latvia. Contact information: +371 67383938, info@ultramarin.lv.

Policy scope and legal basis

3.    This Policy is applied to ensure the privacy and personal data protection in regard to physical persons – seafarers, hereafter referred to as – Clients, and other natural persons related to the Client, whose data has been transferred or made known to the Company.

4.    This Policy applies to the protection of identifiable physical persons with regard to the processing of personal data and to the free movement of such data in accordance with General Data Protection Regulation No 2016/679 of European Union, the data protection normative acts of Republic of Latvia and rules of this Policy.

5.    This Policy applies to the Company, all branches and employees of the Company, as well as all contractors, partners and other people and companies, cooperating with the Company.

6.    This Policy concerns data processing regardless of the form and/or environment that the Client has submitted their personal data in and in what electronic systems or physical form of the Company they are processed in.

7.    This Policy will be reviewed periodically, but not later than every 3 (three) years. The Company reserves the right to modify and update this Policy at any time. Changes to this Policy will come into effect immediately upon such changes being approved by the Company Board.

Personal data

8.    A list of categories of personal data that can be processed with the Client’s consent and other legal bases of data processing is established in the Company’s data processing record that is available in person in the Company’s office.

Purposes of processing personal data

9.    The Company processes the Client’s personal data for the following purposes:
a)    providing services, including but not limited to the Client’s identification, the identification of the position and qualification, determining work experience, employing on Latvian and foreign ships, the preparation and execution of the contract of employment (hereinafter referred to as - CoE), finalising visas, airline tickets, and other travel documents, confirming health status, administrating settlements, drawing up professional documents, for arranging the necessary documents and formalities of the flag state, port and border control needs, settling insurance formalities;
b)    business planning and analytics – statistics and business analysis, planning and accounting, increasing efficiency, ensuring data quality, preparing reports, purposes of risk management activities;
c)    provision of information to any government administration of the Republic of Latvia or foreign and the subjects of operational activity in the events and amount set in external normative acts;
d)    other specific purposes of which the Client is informed at the moment that Client submits the relevant data to the Company.

Legal bases for processing personal data

10.    The Company processes personal data according to the following legal bases:
a)    the Client has given consent to the processing of Client’s personal data for one or more specific purposes;
b)    processing is necessary for the performance of a contract to which the Client is a party or in order to take steps at the request of the Client prior to entering into a contract;
c)    processing is necessary for compliance with a legal obligation to which the Company is subject;
d)    processing is necessary in order to protect vital interests of the Client or of another natural person;
e)    processing is necessary for the purposes of legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedom of the Client which require protection of personal data.

11.    The legitimate interests of the Company are  - commercial activity, verification of the Client’s identity, qualification and work experience before signing a CoE, provision of the CoE commitments, preservation of data submitted by the Client, analysis of the usage of the Company’s data base, development and introduction of its improvements, administrating the Client’s account in the Company’s data base, promotion of the Client’s motivation to cooperate with the Company, segmentation of the Client’s data base for providing efficient services, provision and development of the Company’s service, notifying of the course of execution and significant events relating to the CoE, fraud prevention, providing efficient enterprise administration, accounting and analytics of business and finances, providing and developing service efficiency and quality, administrating payments, turning to government and operative action agencies and court for the protection of legal interests.

Personal data processing and protection

12.    The Company processes and protects personal data by using the means of modern technology, regarding existing risks of privacy and the Company’s sensibly available organizational, financial and technical resources.

13.    Within the framework of consent, which the Client has given to the Company, the Company has the right to transfer the Client’s personal data to the shipowners and/or their authorized management companies. If the shipowners and/or their authorized management companies process the Client’s personal data, the relevant shipowners and/or their authorized management companies are regarded as Data Controllers.

14.    To provide an operational and high-quality conduct of commitment of a CoE signed with a Client, the Company has the right to authorize their cooperation partners to carry out separate services, for example, processing a visa, providing training and qualification, administrating the Client’s professional documents. If by fulfilling these tasks the cooperation partners of the Company process the personal data of the Client, the relevant partners are regarded as Data Processors and the Company has the right to transfer the personal data of a Client to the cooperation partners in such an amount that is necessary to achieve these tasks.

15.    The cooperation partners of the Company (in the status of data processors) will provide the fulfillment of requirements for the procession and protection of personal data according to the Company’s requirements and legislation, and will not use the personal data for other purposes other than the obligations on behalf of the Company.

Personal data recipient categories:

16.     The Company does not disclose the Client’s personal data to a third party, except for the following cases:
a)    if the data must be submitted to Latvian and/or foreign shipowners or their representative management companies, in accordance to the Client’s clear and indisputable consent that has been given willingly, for the purpose of signing a potential CoE;
b)    if the data must be submitted to the maritime Administration of the flag state for carrying out necessary documentation;
c)    if the data must be submitted for executing necessary travel documentation, including but not limited to, foreign embassies, travel agencies, airline companies, etc;
d)    if the data must be submitted to agents in foreign ports to provide safe embarkation and disembarkation to and from the vessel including all required immigration and ISPS formalities; as well as including cases in which the agent’s services are necessary for medical assistance during the time when the vessel is in a foreign port;
e)    if the data must be submitted to an insurance company, if medical assistance and investigation is needed in case of an incident during the contract time;
f)    if the data must be submitted to law enforcement or other authorities according to the rules stated in normative acts.

Personal data submission/transferring to third countries and/or international maritime organizations (outside of the European Union and EEZ)

17.    Only in necessary cases, abiding the rules stated in the normative acts and the cases stated in the subarticles of Article 16 (sixteen) of this Policy, can the Client’s personal data be transferred to third countries and/or international maritime organizations, if:
a)    the Client has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the Client due to the absence of a sufficient decision and appropriate safeguards;
b)    the transfer is necessary to carry out a contract between the Client and the shipowners and/or their authorized management companies or the implementation of pre-contractual measures taken at the Client's request;
c)    the transfer is necessary in order to protect the vital interests of the Client or of other persons, where the Client is physically or legally incapable of giving consent.

Personal data storage duration

18.    The Company stores and processes the Client’s personal data as long as one of the following criteria is met:
a)    while the Client consents to the personal data processing, but no longer than 10 (ten) years after signing the Client’s last CoE, unless there is another legal reason for processing;
b)    while in the order of external normative acts the Company or the Client can carry out their legitimate interests;
c)    while the Company has a legal responsibility to store the personal data.

19.    After the reasons mentioned in the Article 18 of this Policy expire, the Client’s personal data is permanently deleted.

Access to personal data and other rights of the Client

20.    The Client has the right to receive information concerning the Client’s personal data processing mentioned in the normative acts. The majority of the Client’s data is already submitted to the self-service site ultramarin.crewinspector.com remotely accessible to the Client, where the Client can make certain of Client’s data and/or edit them.

21.    The Client holds the right to demand the Company access to Client’s personal data, as well as the right to demand adding, editing or deleting them, or limiting the processing in regard to the Client, as well as the right to restriction to processing altogether (including the personal data processing that has been done based on the legitimate and legal interests of the Company), as well as the right of portability the Client’s data. These rights are to be realized as far as data processing does not stem from the Company’s responsibilities that have been bestowed upon it according to normative acts.

22.    The Client can submit a demand for the realization of their rights:
a)    in writing at the Company’s office, providing a document of identification;
b)    submitting a demand electronically that has been signed with a secure e-signature; sent to the e-mail address GDPR@ultramarin.lv
c)    on the self-service site ultramarin.crewinspector.com

23.    By receiving the Client’s demand of realizing their rights, the Company confirms the Client’s identity, evaluates the demand and carries it out according to the normative acts.

24.    The Company responds to the Client via registered mail at Client’s provided address or using e-mail or on self-service site ultramarin.crewinspector.com regarding the Client’s preferred way of receiving an answer. The answer must be given within 30 (thirty) days from the day of receiving the demand. In the time of one calendar year, 2 (two) demands of the Client are processed for free, each of the next costing 10,00 euro.

25.    The Client holds the right to turn to the Company’s personal data protection officer (e-mail: GDPR@ultramarin.lv) with a request of possible personal data processing and protection law breach and its prevention. As a safeguard against the possibility of victimization of Client all complaints sent to data protection officer will be confidential. The answer must be given within 30 days from the day of receiving the demand.

26.    The Company guarantees a fulfillment of requirements concerning data processing and protection in accordance to the normative acts and in the case of the Client’s complaints carries out the necessary actions to solve the complaint. However, if it fails, the Client has the right to turn to a supervisory authority – Data State Inspectorate of Republic of Latvia.

The Client’s consent to data processing and the right to withdraw it

27.    The Client’s consent to personal data processing, which the legal basis of is a consent, is given on the self-service site ultramarin.crewinspector.com, the Company’s service application form.

28.    The Client has the right to withdraw Client’s consent to data processing at any moment in self-service site ultramarin.crewinspector.com or face to face in the Company’s office and in which case any further data processing that is based on a previous consent to it will not be carried out.

29.    The withdrawal of consent does not affect the data processing that took place while the Client’s consent was valid.

30.    By withdrawing consent, data processing that is being done based on other legal bases cannot be interrupted.

Communication with the Client

31.    The Company contacts the Client by using the contact information provided by the Client (telephone number, e-mail address, mail address, access to the self-service site).