Last revised on 23 May 2019

This data protection policy applies to EF Marine which is established in Singapore and has a subsidiary office in Netherlands (“EFM” or “we”). As a global company, it is the policy of EFM to fully comply with the requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 – “GDPR”), the Singapore Personal Data Protection Act 2012 (PDPA), and all relevant data protection regulations in the jurisdictions in which we operate. We have appropriate data protection compliance framework in place to protect the personal information we are controlling or processing in connection with the services we are providing.

Who we are?

EFM is a specialized Marine Underwriting Agent with its head office in Singapore and a subsidiary office in the Netherlands.

Our Clients typically are Shipowners, Ship Operators, Charterers of vessels, Freight Forwarders and Port Operators. EFM need to process personal data to manage insurance policies and settle claims.
Our contact details can be found at https://efmarinegroup.com/contact

Our Supervisors

  • The Personal Data Protection Commission (PDPC), Singapore
  • The European Data Protection Supervisor (EDPS)
  • Dutch Data Protection Authority (DPA), Netherlands

Personal Data Definition

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”.

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Our policies and standards

EFM handles personal data with the greatest care and use it only for legitimate and specified business purposes.

We respect the privacy rights of EFM's employees, customers, clients, business partners and other individuals whose personal data we have and use.

We protect personal data by implementing appropriate technical and organisational measures in our data processing operations.

We obtain personal data fairly and only use it for legitimate business purposes.

We hold ourselves accountable for demonstrating compliance with applicable legal and regulatory requirements and understanding of our roles and responsibilities.

These principles are applicable to all EFM's entities worldwide. They are derived from internationally recognized privacy principles as well as the foundational principles of the European Union's (EU) General Data Protection Regulation (GDPR) and the Singapore Personal Data Protection Act (PDPA). We take care to understand relevant laws and regulations and assess the risks that arise as personal data is processed in our global operations.

Our role as a data controller

What kind of personal data do we process?

We collect these personal data when it is necessary for business purposes or to meet the purposes for which the individuals have submitted the information.

  • Information about you – for example name, age, gender, date of birth, nationality.
  • Contact information – in some cases, for example, we may receive your email, address, postcode and phone number.
  • Online information – for example cookies and IP address (your computer’s internet address), if you use our websites.
  • Financial information – we may process information related to payments you make or receive in the context of an insurance policy or claim.
  • Contractual information – for example details about the policies you hold and with whom you hold them.

We also might collect data falling within the Special Category of personal data as per GDPR regulation (Art. 9, 2 (f)). EFM processes health information as e.g. medical records, diagnosis and description of injury/illness when needed to handle personal injury/illness claims. This information will only be used for the specific purposes for which it was provided and to carry out agreed service.

Why do we process this data?

We use personal data for the following purposes:

  • Performance of financial crime and sanctions screening
  • Assessment of underwriting risk and provision of underwriting service
  • Collection of sums due, accounting, invoicing, and payment processing
  • Performance of claims investigations and meeting claims obligations
  • Loss prevention assessment
  • Marketing and promotion of our services and products
  • Establishment and maintenance of relationships between our service providers (including professional advisors), auditors, clients, and employees
  • General management and reporting purposes, such as invoicing and account management
  • Legal and regulatory compliance
  • To maintain our records and accounts
  • All other purposes related to our business

Who do we share personal data with?

Our employees have access to and process personal data based upon a "need to know" basis in order to do their job. We regularly check who has access to our systems and data.

We may also share personal information with the following third parties, some of which are based in other countries:

  • Our service providers and agents e.g. IT companies who support our technology.
  • Our professional advisers: auditors; reinsurers; medical agencies and legal advisers.
  • The client who provided us with your data.

When applicable, we apply cross-border rules in line with European data protection laws and regulations. So, if any personal data needs to be processed by internal services teams or by third parties outside the EU, we make sure adequate safeguards are in place with those internal and external parties. We typically do this by using EU model contract clauses to make sure this processing also complies with EU data protection laws and regulations.

How long we keep personal data?

We keep your personal information for as long as necessary for dealing with any dispute or proceeding, for regulatory or compliance reasons, to monitor and evaluate the performance of our services and products or for other associated historical reasons.

We will store personal data in compliance with the GDPR’s data minimization and storage limitation principles. This means it will be safely stored digitally in a specific folder with limited access. Only the persons directly dealing with the data for the intended purpose (for example handling of a claim) will have access to the folder. If it is stored physically it will be stored in a separate locked closet with restricted access.

Personal data will be deleted once it is no longer needed for the purpose for which it was originally collected, unless we have other lawful grounds or legal obligations to retain it.

Further notes on our implementation of the GDPR

Many of the disclosures and safeguards required by the EU's GDPR reflect widely accepted standards and laws which apply around the globe and are described throughout this document. In addition, we also set forth here additional information required by the GDPR.

What are our legal grounds for processing personal data?

We only process personal data for legitimate business purposes and when a legal ground as set out in data protection law is applicable. There are a number of legal grounds that may apply, and the table below describes the ones most likely to be relevant to you.

  • Consent - We may process your personal data when we obtain your consent or when our client obtains consent from you.
  • Contractual necessity - Your personal data may be processed on the basis that such processing is necessary to enter into or perform a contract with you.
  • Compliance with a legal obligation - Your personal information may be processed where we have a legal obligation to perform such processing, such as where we share information with our regulators, law enforcement agencies of the courts.
  • Necessary for an insurance purpose - The laws that implement GDPR include legal ground for processing your medical and other sensitive personal data when it is necessary to do in connection with an insurance product, in particular the handling of claims.
  • Legitimate interests - when we have a legitimate interest in so doing and we can demonstrate that our interests are not outweighed by your rights or interests.

Your GDPR (EU) privacy rights

Under GDPR you have the following rights regarding our processing of your data:

  • Access your data - You have the right to file a subject access request (SAR) to obtain a copy of your personal data as well as other supplementary information. We have a legal obligation to give effect to the rights of data subjects.
  • Rectify your data - You have the right to require us to have inaccurate personal data, which is processed by, or on behalf of us, rectified, or completed if it is incomplete. This may involve providing a supplementary statement to the incomplete data.
  • Have “portability” of your data - you can ask us to send your personal data to either you or another organization in a structured, commonly used and machine-readable format (portable format) provided that (1) the processing is carried out by automated means and (2) the processing is based on your consent or on the performance of a contract with you.
  • Right to object - You have the right to object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task in the interest/exercise of official authority. The right to object only applies in certain circumstances. Whether it applies depends on the purposes for processing and the lawful basis for processing.
  • Prevent marketing - You have a specific right to object to our use of your information for direct marketing purposes, which we will always act upon.
  • Restrict processing - In certain circumstances in which the relevant personal data either cannot be deleted or where you do not wish to have the data deleted, we may continue to store the data, but the purposes for which the data can be processed will be strictly limited (e.g. the exercise or defence of legal claims).
  • Right to be forgotten - You can ask us to delete your personal information if deleting your data is not in conflict with our legal and regulatory obligations. If we are using consent to process your information and you withdraw it, you can ask us to erase your information.
  • Object to automated decision making - You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

If you wish to exercise any of the rights set out above, you must make the request in writing to the Data Protection Officer (details below). Please note some of these rights are restricted in some circumstances.

If you have provided your consent to any of the processing of your personal data, you have the right to withdraw your consent to that processing at any time, where relevant. Please contact the Data Protection Officer if you wish to do so.

If you object to processing based on legitimate interests, we must no longer process that personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or that the processing is required for the establishment, exercise or defence of legal claims.

If you are unhappy with how we process your personal data you have the right to complain to a data protection regulator or supervisory authority. The list of data protection regulators can be found at: https://edpb.europa.eu/about-edpb/board/members_en

DATA PROTECTION OFFICER

All requests can be sent to:
Kelsi Deng, Data Protection Officer
Email: dataprotection@efmarinegroup.com

EXERCISING YOUR RIGHTS

If you wish to exercise any of the rights set out above, you must make the request in writing to the Data Protection Officer (details above). Please note some of these rights are restricted in some circumstances.

We will revert with the requested information without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Where you make the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by you.

If you have provided your consent to any of the processing of your personal data, you have the right to withdraw your consent to that processing at any time, where relevant. Please contact the Data Protection Officer in writing if you wish to do so.

If you object to processing based on legitimate interests, we must no longer process that personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or that the processing is required for the establishment, exercise or defence of legal claims.