In accordance with the provisions under EU Regulation no. 679/2016, “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”, this document provides a brief summary of the main regulations on the processing of data carried out by Grimaldi Euromed S.p.A. (with registered office in Palermo at Via Enrico Amari 8, 90139, tax identification code/VAT number 00278730825), in its capacity as Data Controller, with regard to the activities of shipping freight and issuing of “Driver Cards”.
Grimaldi Euromed S.p.A. with registered office in Palermo at Via Enrico Amari 8, 90139, tax identification code/VAT number 00278730825 (hereinafter the “Controller” or “Company”)
Possible, with adequate guarantees in place to protect the data subject’s rights
Rights of the Data Subject
a. access to personal data;
The Data Controller has designated a Data Protection Officer (DPO), who has specialised knowledge of data protection law and practices, and who is therefore able to discharge the duties pursuant to article 39 of EU Reg. 679/2016.
- Subject of the processing
Processing operations may refer to:
- the information and contact details of Drivers.
- Purpose for which the data will be processed (Art. 24 letters a, b, c Privacy Code and Art. 6 letters b, e of GDPR)
This data shall be processed for the purposes related to the mutual obligations arising from the freight shipping contract or the issuance of the “Driver Card”.
More specifically, the data will be processed:
1. to manage quotation requests;
2. for the conclusion, management and execution of the operations connected with the freight transport contract;
3. to send logistical information on the journey (e.g. delays, departure quay, etc.);
4. to send data to maritime agencies, terminals and port authorities, judicial authorities and public security forces;
5. to manage the requests for issuing “Driver Cards”;
6. to manage the “Driver Cards” issued;
7. to guarantee the benefits provided by the “Driver Card” are enjoyed by the companies providing the services contemplated by the agreement;
8. for the extraction of statistical information in anonymous form.
- Data processing method (Art. 4 Privacy Code and Art. 5 GDPR)
Personal data shall also be processed using computer instruments, in compliance with the procedures stipulated in the GDPR, which requires, inter alia, that the data is:
- processed based on the principles of lawfulness, transparency and correctness;
- collected and recorded for specified, explicit and legitimate purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’);
- accurate and kept up to date (‘accuracy’);
- stored for no longer than is necessary for the purposes for which the personal data is processed (‘storage limitation’);
- processed using instruments that ensure the security and confidentiality of the personal data, including protection against unauthorised or unlawful processing and against loss, destruction or damage, or accidental damage (‘integrity and confidentiality’).
Personal data is stored as shown in the table below.
| Data | Storage period | Purpose of storage |
| --- | --- | --- |
| Driver’s information details | 10 years from issue of “Driver Card” | For accounting purposes, and to challenge any disputes that may be raised against the Company |
| Driver’s contact details | 10 years from issue of “Driver Card” | To resolve any problems associated with the issuing/operation of the “Driver Card” |
- Legal basis
The legal basis of the processing listed above from point 1 to point 3 of paragraph 2 “Purpose for which the data will be processed” lies in the fulfilment of contractual obligations, pre-contractual measures and the law in order to manage the shipping contract.
With regard to point 4 of paragraph 2 “Purpose for which the data will be processed”, this falls within the scope of the Data Controller’s obligations in terms of the law and public interest in protecting port security.
In respect of points 5, 6 and 7 of paragraph 2 “Purpose for which the data will be processed”, the legal basis for processing falls within the scope of executing the pre-contractual measures taken at the data subject’s request and in meeting the legal obligations pursuant to managing the issuing of the “Driver Card”, and for data subjects to enjoy the benefits provided therein.
- Transfer and/or communication of data
You are hereby informed that data may be communicated to other companies in the Grimaldi Group, as well as establishments in third-party countries, including those outside the territory of the European Union, complying with the appropriate procedures and in the context of the aforementioned purposes.
We may also be required to provide personal data based on legislation, legal proceedings, disputes and/or requests received from public or government authorities within or outside of the data subject’s country of residence, for the purposes of national security and other issues relating to public interest. When legally possible, we will inform the data subject prior to the communication of data.
Furthermore, we may communicate personal data if we ascertain in good faith that this communication is reasonably necessary to enforce and protect our rights, and undertake the remedies available.
- Rights of the Data Subject (Art. 7 Privacy Code and Art. 15 - 21 GDPR)
Finally, please note that the data subject can, at any time, exercise the following rights:
- to access his or her personal data, requesting that this data be made available in an intelligible format, together with the purposes on which the processing is based (pursuant to Art. 15);
- to rectification (pursuant to Art. 16) or erasure (pursuant to Art. 17) of such data, or restriction of processing (pursuant to Art. 18);
- to data portability (pursuant to Art. 20);
- to object to data processing (pursuant to Art. 21);
- to lodge a complaint with the competent supervisory authority.
The above rights can be exercised by e-mailing a request to firstname.lastname@example.org.
In this regard, please also note that the Data Protection Officer (DPO) appointed by the Company may be contacted at the following email address: email@example.com.