Full policy

Privacy Policy

1.0 Purpose of Privacy Policy

The protection of personal data is a key issue for the Company Group / Offen-Group. Offen-Group undertakes to maintain international compliance regarding data protection rights in the context of its social responsibility. Therefore, we shall process the personal data of our employees, customers and business partners according to the applicable legislation on the protection of personal data and data security.

As a global company, we are committed to the worldwide different legal requirements regarding the collection and processing of personal data. Our first priority is to ensure a uniform and worldwide standard for the handling of personal data. Safeguarding personal rights and the private life of each individual gives us the foundation for trusting business relationships.

In our Corporate Guideline on Data Protection, we determined strict conditions for the processing personal data of customers, interested parties, business partners and employees. We thus set a worldwide standard for data protection and data security in our company.

This Privacy Policy creates one of the necessary framework conditions for worldwide data transfers. It ensures an adequate level of data protection required by the Regulation (EU) 2016/679 (General Data Protection Regulation) and national laws for trans-border data flows also to countries with lacking legislation on adequate levels of data protection. Our managers and employees are obliged to comply with this Corporate Guideline on Data Protection and to safeguard the respective data protection laws.

2.0 Scope of Privacy Policy

This Privacy Policy contains globally accepted data protection principles without replacing existing national laws. It complements the respective national data protection laws. The respective national law shall prevail in cases it should require deviations from this Privacy Policy or in cases it should lay down further conditions. The contents of this Privacy Policy shall also be observed if no respective national law should be in place. The existing reporting obligations for data processing based on national law should be respected.

This Privacy Policy shall cover all processing operations involving personal data. In countries having the same protection level for data from legal persons compared to personal data, this Privacy Policy shall apply equally to legal person’s data.

Anonymized data, e.g. for statistical purposes or surveys are not subject to this Privacy Policy.

The latest version of this Privacy Policy can be accessed under the Data Protection Notice on the Offen-Group’s Intranet site.

3.0 Material Principles for Processing Personal Data

The following principles shall apply when Offen-Group processes personal data under this Privacy Policy:

3.1 Admissibility and Legality of Data Processing

The processing of personal data shall take place in a lawful manner, in compliance with the respective, applicable legal provisions and with due regard for the principles laid down in this Guideline.

The processing shall be permitted only if at least one of the following prerequisites is fulfilled:

• The data subject has given its effective consent on a voluntary and explicit basis; or
• The data processing serves the purpose of a contractual relationship or quasi-contractual relationship of trust with the data subject; or
• The processing is necessary for safeguarding the legitimate interests of the data controller and there is no reason to believe that the legitimate interest of the data subject concerning the exclusion of the processing of these data prevails; or
• The processing is prescribed or permitted by national regulations binding for the data controller; or
• The processing is necessary for complying with legal obligations binding for the data controller; or
• The processing is needed, in exceptional cases, for protecting life, health or security of the data subject.

The data controller shall provide the data subject with the opportunity to withdraw their consent in a simple, swift and efficient manner at any time.

3.2 Purpose

Personal data shall only be processed for specified, explicit and legitimate purposes. Under no circumstances, a processing of personal data shall be allowed that is not in line with the legitimate purposes for which the personal data were collected.

A change in purpose is only allowed with the consent of the data subject or to the maximum extent permitted by applicable law.

3.3. Transparency

Personal data must be processed in transparent way. Data subjects affected by the processing of their personal data shall be informed about the following:

• The identity of the data controller;
• The categories of recipients or identity of the recipient body;
• The purpose of processing;
• The origin of the data (insofar as no direct survey of the personal data from the data subject took place);
• The right to object to the processing of personal data of the data subject for advertising purposes; and
• Other information, where necessary on grounds of equity, e.g. regarding claims for access, rectification, deletion.

Insofar as personal data were not directly collected from the data subject, information may exceptionally not be required. This shall be the case, if it aims at the necessary protection of the data subject or of the rights of other persons, if the data subjects have already been informed or if this would entail a disproportionately high effort.

3.4 Data Quality and Data Economy

Personal data must be accurate and, where necessary, kept up to date. Appropriate measures shall be taken for assuring that inaccurate or incomplete data is corrected or erased.

Data processing must follow the principle of data economy. The aim is to process only necessary personal data, i.e. collecting, processing and sharing of personal data to the lowest possible extent. In particular, use is to be made of the possibilities of anonymous or pseudonymous data, insofar as this is possible and the effort involved is reasonable in relation to the desired purpose. Statistical evaluations or studies based on anonymous data or data used with pseudonyms are not relevant for data privacy, provided that such data can no longer be used for identifying the data subject.

Personal data, which are no longer required for the business purposes for which they were originally collected and stored, must be deleted. In case of statutory storage periods, access to the data shall be blocked instead of data deletion.

3.5. Onward Transfer of Data

The transfer of personal data from one participating company [teilnehmende Gesellschaft] to a non-participating company (i.e. a company not bound by this Privacy Policy) outside the EEA shall only be permitted following the following conditions:

• The recipient body shows an adequate level of personal data’s protection in the meaning of Article 44, Regulation (EU) 2016/679 (General Data Protection Regulation), ensured by e.g. concluding an EU-Standard Contract (standard contractual clauses for processors 2010/87/EU or standard contractual clauses for data controllers [responsible units for data processing] 2001/497/EC or 2004/915/EC) or by concluding other, appropriate contractual arrangements between the supplying body and the receiving body; or
• The transfer is legal according to the exceptions stated under Article 49, Regulation (EU) 2016/679 (General Data Protection Regulation);
• Insofar as the recipient body is processor, the conditions of Article 5 (1) lit. f and 28 of the Regulation (EU) 2016/679 (General Data Protection Regulation) shall be fulfilled, as well.

3.6. Special Categories of Personal Data

The processing of personal data, i.e. of information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual preference is strictly prohibited.

If the processing of personal data should become necessary, the data subject must expressly agree to this processing, unless

• The data subject is unable to give its consent (e.g. medical emergency), and the processing is necessary for protecting the data subject’s or another person’s vital interests; or
• The processing is required for the purposes of medical diagnosis, preventive medicine or the provision of treatment or management of healthcare services, where those data are processed by a medical professionals subject to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy; or
• The data subject itself made the data publicly available; or
• The processing is necessary for the establishment, exercise or defence of legal claims, provided that there are no grounds for assuming that the data subject has an overriding legitimate interest in ensuring that such data is not processed, or
• The processing is explicitly permitted by the applicable national laws (e.g. for purposes of collection or protection of minorities), and, during data processing, additional guarantees are provided in the sense of Regulation (EU) 2016/679 (General Data Protection Regulation) - such as appropriate security measures.

3.7. Automated Individual Decisions

Where personal data is processed for taking of an automated decision, the data subject’s legitimate interests must be guaranteed by appropriate measures. Decisions that may produce negative legal effects for the data subject or substantially affect the data subject shall not be based solely on automated processing of data intended to evaluate certain personal aspects, e.g. not exclusively be taken by using information technology. Exceptions to the above shall only apply if the decision

• will be taken in the context of a contract conclusion or fulfilment and the request of the data subject related to contract conclusion or fulfilment was accepted; or if the safeguarding of his/her legitimate interest will be guaranteed by appropriate measures – such as putting his/her point of view; or
• is authorized by a legal provision stating guarantees for protecting the legal interests of the data subject.

3.8 Data Security

The data controllers have to take appropriate technical and organizational measures for ensuring data security, protecting personal data against unintended or unlawful deletion, illegal use, alteration, loss, destruction and unauthorized disclosure or access. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Special categories of personal data shall be particularly protected.

The planned security measures relate in particular to computers (servers and workstations), networks or communication links and applications.

For ensuring an adequate level of personal data, especially access, entry, sharing controls, transfer, input, order, availability and separation controls will be applied.

All individual workstation computers – mobile devices (e.g. laptops) included – are equipped with password protection. The transfer of personal data within the company’s network is usually encrypted, insofar as required by the nature and intended use of the personal data.

3.9 Confidentiality of Data Processing

Only authorized and specially instructed personnel according to data protection requirements may collect, process or use Personal Data. The access authorisation of the individual employee shall be restricted according to the nature and scope of his/her specific field of work. The employee is prohibited from using personal data for private purposes, from transmitting them to unauthorized persons or otherwise sharing these data with them. Unauthorized persons in this sense are, for example, also other employees, insofar as they would not need these personal data for fulfilling professional tasks imposed on them. The confidentiality obligation shall also be binding after the termination of the affected employee’s employment relationship.

3.10 Commissioned Data Processing

In case a participating company commissions the processing of personal data to another company (“contract data processor”) in the context of this Guideline, the following measures must be observed:

• The data controller is obliged to carefully select the contract data processor; the data controller shall select a contract data processor that can guarantee the necessary technical and organizational security measures needed for a data protection-compliant processing;
• The data controller must ensure and regularly monitor full observance of the agreed technical and organizational security measures;
• The execution of data processing shall be defined by a written or otherwise documented contract that clearly specifies the contract data processor’s rights and obligations;
• The contract data processor shall be contractually obliged to process the data received by the data controller only within the scope of the order and based on the instructions given by the data controller; data processing for own purposes or that of third parties shall be excluded by contract; and
• The data controller shall remain responsible for the admissibility of the processing and shall continue to serve as contact person for the data subject.

4.0 Data Subject’s Material Rights

The data subject shall have the following, indispensable rights regarding his/her processed personal data within the scope of this Guideline:

• The data subject has a right of access to data stored on him-/herself, its origin and the purpose of processing. Moreover, the data subject can request information about the data controller’s identity and – in case of a personal data’s transfer – information about the recipients or categories of recipients. In case automated decisions are affected, the right of access shall also contain the logical structure of automated processing methods. Insofar as provided for by the respective, applicable law, the data subject’s right of access lapses if this would entail a substantial endangerment to business purposes, e.g. the revelation of business secrets, and the interest of undertakings in the protection of business secrets outweigh the data subject’s right of access. Locally applicable, legal regulations may restrict the data subject’s right of access if this right is exercised repeatedly within short time, unless the data subject has legitimate reason for the repeated assertion of claims to information. Insofar as permitted by the respective, applicable national law, the participating company may demand an appropriate fee from the data subject for providing the information.
• The data subject has a right of rectification of his/her personal data if it is determined that these are incorrect or incomplete.
• The data subject has a right of blocking of his/her personal data, if neither their accuracy nor inaccuracy can be established.
• The data subject has a right of deletion regarding his/her personal data, provided that the data processing was unlawful or became unlawful in the meantime, or if the data is no longer needed for the purpose of the processing. The data subject’s legitimate claims for deletion shall be executed within a reasonable time, unless such a deletion is not prohibited by statutory retention periods or contractual obligations. In case of existing statutory retention periods, the data subject has a right of blocking his/her data instead of being deleted. The same applies if the deletion of data should become impossible.
• The data subject has a right to object to the processing of his/her personal data for advertising purposes and purposes of market and/or opinion research. The data subject must be informed about his/her right of objection.
• Moreover, the data subject shall have a general right of objection to the processing of his/her personal data, if, due to his/her specific personal situation, the legitimate interest of the data subject should outweigh the interest of the data controller regarding the personal data’s processing.

5.0 Control of Data Protection

Based on data protection audits and further controls, compliance with the Privacy Policy and applicable data protection laws will be checked on a regular basis. On request, the results of data protection controls will be made available to the responsible data protection supervisory authority. Within the limits of its competence under national law, the responsible data protection authority may also execute own controls regarding compliance with the provisions of this Privacy Policy.

6.0 Data Security Incidents

Each employee shall promptly report violations of this Privacy Policy or other provisions regarding the protection of personal data (data security incidents) to his/her respective supervisor.

In cases of

• illegal transfer of personal data to third parties, or
• unlawful access to personal data by third parties, or
• loss of data

the notifications foreseen by the company shall immediately take place, thus aiming at the fulfilment of obligations to report data security incidents according to applicable law

7.0 Company Events

In connection with company events such as Christmas party, HSH-Nordbank Run, etc. the company will engage a professional photographer documenting these events by means of photographs. These photographs will be stored by the photographer and made available to the company’ employees in file format. Prior to the publication for the employees, these will be checked and improper pictures be deleted. On request of the person depicted, further pictures can be deleted, as well. Prior to the disclosures in company publications, the persons depicted will be asked for permission in written form.

8.0 Contact

Data subjects can directly submit a request to the Offen-Group’s (CPO Holding (GmbH & Co.) KG)

Data Protection Officer:

Thilo Noack, Saebystraße 17a, 24576 Bad Bramstedt

Mail to: Thilo Noack

Full policy

A. I, the undersigned seafarer, hereby acknowledge and confirm that I have been duly informed of the provisions of national and European law, and of the rights established concerning the protection of my personal data.

B. I, the undersigned seafarer, hereby acknowledge and confirm that I have been duly informed of the provisions of national and European law, and of the rights established concerning the protection of my personal data.

• Full Name
• Date of Birth
• Postal Address
• E-mail Address
• Photo

in order to enable me to use the Software “Assessment Module, SMS Module and Reflective learning, Resilience Module” provided by MTR Informatics, Training and Consultancy Ltd. Co.