Data Protection

Data Privacy

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and has been designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations approach data privacy.

It is the policy of the Club to fully comply with the requirements of the GDPR, and all relevant data protection regulations in the jurisdictions in which we operate. We have appropriate security policies and infrastructure arrangements in place to protect the personal information we are controlling or processing in connection with the services we are providing. The personal data we hold is stored within the EU or in jurisdictions with equivalent data protection laws to the EU.

Data Controller

Name: The Shipowners Protection Ltd
Address: White Chapel Building, 2nd Floor | 10 Whitechapel High Street | London E1 8QS

Data Protection Officer

Name: Sarah Chamberlain
Contact via form below

  • The Information Commissioner’s Office (ICO), United Kingdom
  • The National Commission for Data Protection (Commission Nationale pour la Protection des Données – CNPD), Luxembourg
  • The Personal Data Protection Commission (PDPC), Singapore
  • Office of the Privacy Commissioner for Personal Data, Hong Kong.

“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”.

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

A key objective of the GDPR is to protect and strengthen the rights of data subjects. The GDPR provides data subjects with a broad set of rights in relation to their data:

The right to information

One of the most important rights of data subjects is the right to information. In order to ensure that personal data are processed fairly, data controllers must provide certain minimum information to data subjects, regarding the collection and further processing of their personal data. Please see our privacy notice for more information about how we will process your data.

The right of subject access

Data subjects have the right to file a subject access request (SAR) and obtain from the data controller a copy of their personal data, together with an explanation of the categories of data being processed, the purposes of such processing, and the categories of third parties to whom the data may be disclosed, retention periods and information about other rights of data subjects. Subject access requests can be submitted using the form on this page.

The right to rectification

Data subjects have the right to require the data controller to correct errors in personal data which is processed by, or on behalf of, that controller.

The right to erasure (the ‘right to be forgotten’)

Data subjects can require data controllers to delete their personal data where the data is no longer needed and no other lawful basis for the processing exists.

The right to restrict processing

In certain circumstances in which the relevant personal data either cannot be deleted or where the data subject does not wish to have the data deleted, the data controller may continue to store the data, but the purposes for which the data can be processed will be strictly limited (e.g. the exercise or defence of legal claims).

The obligation to notify relevant third parties

In giving effect to the rights discussed above, where a data controller has disclosed personal data to third parties, and the data subject subsequently exercises any of the rights of rectification, erasure or restriction, the data controller is required to inform such third parties of the fact that the data subject has exercised those rights.

The right to data portability

The right to data portability permits the data subject to receive from the data controller a copy of his or her personal data in a commonly used machine-readable format, and to transfer their personal data from one data controller to another.

The right to object

Data subjects have a right to object to processing of their personal data on certain grounds, including the right to object to processing carried out for the purposes of profiling or marketing.

The right to not be evaluated on the basis of automated processing

Data subjects have the right not to be subject to decisions based solely on automated processing which significantly affect them. The Club does not currently engage in any automated decision-making.

The purpose of the Club in processing personal data

The Club processes personal information for the following purposes:

  • Performance of financial crime and sanctions screening
  • Assessment of underwriting risk and provision of underwriting service
  • Collection of sums due, accounting, invoicing, and payment processing
  • Performance of claims investigations and meeting claims obligations
  • Provision of its loss prevention service
  • Marketing and promotion of the Club’s services and products
  • Provision of its IT service
  • To establish and maintain relationships between the Club’s service providers (including professional advisors), auditors, clients, and employees
  • Compliance with data subject access requests
  • Legal and regulatory compliance
  • To maintain the Club’s records and accounts
  • To promote the Club’s services and products

The Club processes personal information lawfully

The Club is under a legal obligation to ensure that it meets various legal and regulatory requirements.

The Club may therefore process information so as to comply with the following: legislation related to financial crime, sanctions, terrorist financing, money laundering, bribery, corruption and tax evasion. The Club is also under a legal obligation to process information related to data subject access requests pursuant to the provisions of the GDPR.

In order for the Club to take steps to enter into contracts of insurance with Members (at Member’s request) and/or for the purpose of the Club’s performance of its obligations under contracts of insurance, and/or for other legitimate reasons, the Club processes personal information relating to its underwriting, claims, finance, loss prevention, marketing, and IT services.

The Club also processes information for various legitimate reasons, in order to maintain records and accounts and to establish and communicate with service providers (including professional advisors), auditors, clients, and employees.

From time to time, it is also necessary for the Club to process certain claims related information for the purpose of protecting the vital interests of a data subject and/or for the Club to meet its obligations under contracts of insurance. For example, the Club processes personal information of crew members or other persons, who have fallen ill or been injured, and who are the subject of claims against Members insured by the Club.

Transfer of Personal Data

It may be necessary for the Club to share personal information with the following third parties, some of which are based in other countries:

  • other companies within the Club’s group of companies
  • service providers
  • lawful authorities, ombudsmen, regulators and auditors
  • business contacts
  • third parties associated with the data subject

If the Club shares your personal data, it will take every reasonable measure to ensure that data is securely transferred and that the recipient is aware of his obligations under the GDPR, if applicable, and has provided adequate safeguards.

The Club’s Storage of Personal Data

The Club may need to keep personal data for the purpose of dealing with any dispute or proceeding, for regulatory or compliance reasons, to monitor and evaluate the performance of our services and products or for other associated historical reasons.

We will store personal data in compliance with the GDPR’s data minimisation and storage limitation principles and in accordance with our own internal Data Retention Policy.

Personal data will be deleted once it is no longer needed for the purpose for which it was originally collected, unless we have other lawful grounds for retaining it.

Automated profiling and decision making

The Club does not use automated profiling or decision making.

Your rights relating to Personal Data provided to the Club

You have the following rights:

  • to request the Club for access to your personal data.
  • to ask the Club to rectify or erase your personal data.
  • to object to the way in which the Club processes your personal data or to ask us to restrict the way in which we process it.
  • to obtain and reuse your personal data for your own purposes (data portability)
  • to lodge a complaint with the Information Commissioner’s Office
  • to ask the Club for the source of your personal data and if it came from publicly accessible sources.

Contact the Club

To exercise your rights detailed above, and for all other enquiries regarding privacy and data processing, please contact the Club’s Data Protection Officer using this form. The Club aims to respond within one month of receiving your request. However, depending on the nature of the request, we may require longer to provide a response. If a response is likely to take longer than a month from receiving your request, you will be kept closely advised of progress.

Requests can also be sent to:
Sarah Chamberlain, Data Protection Officer

The Shipowners’ Club
White Chapel Building, 2nd Floor,
10 Whitechapel High Street
London
E1 8QS

In most cases we will consider Brokers to be Data Controllers, responsible for protecting the data of their customers.

Where personal information is transferred between a Broker and the Club in relation to a policy or claim, we expect this to be done securely and in compliance with the requirements of all relevant data privacy laws. The following security measures should be observed:

  • Data should be relevant and limited to what is necessary; consider anonymization where possible
  • Data should be accurate and up to date
  • Data should only be transferred for the purposes it was originally obtained
  • Data should be transferred securely. Emails should be encrypted or password protected. Hard copies of data should be sent by recorded delivery or courier
  • Personal data should not be included in the subject lines of emails, or in any insecure format

Data subjects should be made aware of how their data may be used and who it will be shared with.

The Club takes no responsibility for obtaining consent for the purposes of sending marketing communications.

It is the responsibility of the Broker as a Data Controller to ensure there is an appropriate lawful basis for processing the data before it is transferred to the Club.

The available lawful grounds for processing personal data are:

  • Consent of the data subject: this must be freely given, specific, informed, and unambiguous
  • A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under a contract. This will apply to most of our Members as they have asked us to provide them with cover.
  • Compliance with a legal obligation: when processing data is a legal requirement, such as processing staff data in compliance with tax or employment law.
  • Vital interests of the data subject: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s), for example in a medical emergency.
  • Legitimate interests: where there is a genuine and legitimate reason (including commercial benefit or loss prevention) to process personal data, provided using it will not affect an individual’s rights and interests.
  • A public task: this will typically cover data exchanged with public authorities, such as government departments, schools, hospitals, and the police.

Where we hold personal information about any of the Brokers with whom we do business, this will always be kept in compliance with the GDPR. This includes contact details and correspondence. Further information about how we use and store personal information can be found in our Privacy Notice.

In order for the Club to take steps to enter into contracts of insurance with Members (at Member’s request) and/or for the purpose of the Club’s performance of its obligations under contracts of insurance, and/or for other legitimate reasons, the Club processes personal information relating to its underwriting, claims, finance, loss prevention, marketing, and IT services.

The Club also processes information for various legitimate reasons, in order to maintain records and accounts and to establish and communicate with service providers (including professional advisors), auditors, clients, and employees.

From time to time, it is also necessary for the Club to process certain claims related information for the purpose of protecting the vital interests of a data subject and/or for the Club to meet its obligations under contracts of insurance. For example, the Club processes personal information of crew members or other persons, who have fallen ill or been injured, and who are the subject of claims against Members insured by the Club.

Please see our privacy notice for detailed information about how we process and store your personal information.

The Club has comprehensive Data Protection and IT Security policies in place, in addition to the following security measures:

  • Access restricted offices – key fob entry to authorised personnel only
  • Confidential onsite shredding
  • Secure IT networks
  • USB ports are disabled to prevent the copying of data to external unencrypted USBs or removable storage devices
  • All member data is transferred externally via secure sites, within our network or it is encrypted in transit
  • All our staff undergo Data Protection training annually

In most cases we will consider Correspondents to be Data Controllers, responsible for protecting the personal data that is transferred to them so that they may provide assistance and guidance to our Members.

Where personal information is transferred between The Club and a Correspondent we expect this to be done securely and in compliance with the requirements of all relevant data privacy laws. The following security measures should be observed:

  • Data should be relevant and limited to what is necessary; we will consider anonymization where possible
  • Data should be accurate and up to date
  • Data should only be transferred for the purposes it was originally obtained
  • Data should be transferred securely. Emails should be encrypted or password protected
  • Hard copies of data should be sent by recorded delivery or courier
  • Personal data should not be included in the subject lines of emails, or in any insecure format

Where we hold personal information about any of the Correspondents with whom we do business, this will always be kept in compliance with the GDPR. This includes contact details and correspondence. Further information about how we use and store personal information can be found in our Privacy Notice.

In order to carry out a number of normal business activities and to fulfil our legal requirements it is often necessary to share both customer and company data with third parties.

As part of our efforts to ensure that we are GDPR compliant we have reviewed our contracts with third party suppliers to identify those suppliers that we work with who have access to personal data for which we are a data controller and who themselves fulfil the role of a data controller or data processor as a result of the services they provide to the Club.

GDPR defines a controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

A “processor” is defined as a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

The controller is responsible for all actions taken by the processor concerning the proper or improper handling of personal information.

We expect those third-party organisations with which we share data to fully comply with the GDPR requirements.

Third party organisations must have appropriate security policies and infrastructure arrangements in place to protect the personal information they are controlling or processing in connection with the services being provided to the Club. Personal Data should only be transferred to, or allow access by, Third Parties when it is confirmed that the information will be processed legitimately and protected appropriately by the recipient.

Personal Data will only be transferred to a third party where one of the following Conditions for Processing Personal Data can be met:

  • The data subject has given consent to the processing and this was freely given, specific, informed, and unambiguous
  • The processing is necessary for the performance of a contract which the individual has entered into or wishes to enter into
  • The processing is necessary because of a legal obligation that applies to the Club
  • The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, for example, the transfer of medical records
  • The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions
  • The processing is in accordance with the legitimate interests of the individual or Club

The European Parliament has determined that it is appropriate, subject to usual security considerations, to transfer data within the 28 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) without any further safeguards being necessary. The Commission has also recognized Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.

Different tools are available for the transfer of data to our third-party contacts and suppliers in the US. These include contractual clauses, binding corporate rules and the Privacy Shield.

From time to time, it is necessary for the Club to process certain claims related information for the purpose of protecting the vital interests of a data subject and/or for the Club to meet its obligations under contracts of insurance.

The Club may require detailed health and other relevant and appropriate personal information in order to assess whether a claim is payable under a policy, and if so, what amount should be paid.

Personal data collected in relation to a claim will not be used for any other secondary or unrelated purposes.

The Club has comprehensive Data Protection and IT Security policies in place to protect the data of claimants, in addition to the following security measures:

  • Access restricted offices – key fob entry to authorised personnel only
  • Confidential onsite shredding
  • Secure IT networks
  • USB ports are disabled to prevent copying of data to external unencrypted USBs or removable storage devices
  • All personal data is transferred externally via secure sites, within our network or it is encrypted in transit
  • All our staff undergo Data Protection training annually

Please see our privacy notice for detailed information about how we process and store your personal information.

In most cases we will consider surveying companies/surveyors to be Data Controllers, responsible for protecting the personal data that is transferred to them so that they may carry out surveys on board our Members’ vessels.

Where personal information is transferred between The Club and a surveying company/surveyor we expect this to be done securely and in compliance with the requirements of all relevant data privacy laws. The following security measures should be observed:

  • Data should be relevant and limited to what is necessary; anonymization should be considered where possible
  • Data should be accurate and up to date
  • Data should only be transferred for the purposes it was originally obtained
  • Data should be transferred securely. Emails should be encrypted or password protected
  • Hard copies of data should be sent by recorded delivery or courier
  • Personal data should not be included in the subject lines of emails, or in any insecure format

Where we hold personal information about any of the surveyors with whom we do business, this will always be kept in compliance with the GDPR. This includes contact details and correspondence. Further information about how we use and store personal information can be found in our privacy notice.

Data Subject Request Form

Data Protection Request Form

If you wish to exercise your rights under the GDPR, please complete the form below.
