Personal Data Processing and Protection Policy

This Data Protection Policy applies to ALBA Group (the Group)

The policy is to ensure and substantiate that the Group protects its personal data in accordance with the provisions for processing of personal data and that the Group provides information on the processing and use of recorded personal data.

The Policy is reviewed annually.

 

Record of Processing of Personal Data

The Group processes personal data on:

  • Employees, shore staff and seafarers
  • Customers
  • Suppliers

The Group has prepared a record of the processing of personal data. The record summarizes the processing that is the responsibility of the Group.

Personal data is a prerequisite for the Group to enter into employment, customer and supplier contracts.

 

Objective and Lawfulness of the Processing

Personal data are processed and kept on the relation to:

  • Personnel administration, including recruitment, end of employment, and payment of wages and salaries
  • Basic data of customers, orders and sales
  • Basic data of suppliers, requests and purchases
  • Contacts

The processing is legal under the provision described in the attached record.

The Group does not use personal data for purposes other than those described. The Group collects solely the personal data required to fulfill the objective.

 

Retention and Erasure

The Group has implemented the following guidelines for retention and erasure of personal data:

  • Personal data are kept in physical binders
  • Personal data are stored in IT systems and on server drivers
  • Personal data are retained no longer than necessary to fulfill the objective of the processing
  • Personal data of personnel are erased five years after the end of the employment, and personal data on applicants are erased after two years

 

Data Security

The Group has implemented the security measures described below for protection of personal data based on the attached risk assessment:

  • Only personnel having a work-related need for access to the recorded personal data have access hereto either physically or through IT systems with rights control
  • All computers have password, and personnel are not allowed to disclose their passwords to other individuals
  • Firewalls and antivirus program must be installed on computers and be updated regularly
  • Personal data are erased in an appropriate manner at phasing out and repair of IT equipment
  • USB keys, external hard disks, etc. containing personal data must be kept in a locked drawer or cabinet
  • Physical binders are placed in a locked office or in a locked cabinets
  • Personal data in physical binders are erased by shredding
  • All personnel must receive instructions how to process personal data and how to protect personal data.

 

Disclosure

Personal data on personnel may be disclosed to public authorities, for example Skattestyrelsen and pension companies.

 

Data Processors

The Group uses data processors only if the data processors provide the required guarantees that they will implement suitable technical and organisational security measures to fulfill the requirements of personal data legislation. All data processors sign a data processing agreement before the processing is started.

 

Rights

The Group is responsible for the data subject's rights, including the right of access to personal data, withdrawal of consent, rectification, and erasure, and will inform the data subjects of the Group's processing of personal data. Data subjects are entitled to make a complaint to the Danish Data Protection Agency.

 

Breach of the Personal Data Security

In the event of breach of personal data security, the Group will notify the Danish Data Protection Agency of the breach without delay and within 72 hours. Director is responsible for the notification of the breach. The notification must include a description of the breach, the group of individuals affected by the breach, and the consequences of the breach for these individuals, and how the Group has remedied or will remedy the breach. In the events where the breach involves a considerable risk for the individuals subject to the Group's processing of personal data, the Group will inform the relevant individuals. The Group will provide documentation of all breaches of the personal data security.