“Personal data” shall have the same meaning as in the Data Protection Legislation and refers to information about an individual who can be identified directly or indirectly from that information, or from that and other information to which we process.
WHY AND HOW WE COLLECT PERSONAL DATA
We hold and process individuals’ personal and sensitive personal data in relation to recruitment and employment. We collect and maintain such data in order to meet our legitimate interests as an employer, to comply with statutory requirements and to fulfill individual employment contracts with our employees.
We collect most personal data directly from an individual. For example, personal data will be collected when an individual enters into employment with BW, fills in an application form, deals with us over the telephone, sends us a letter or an email, visits our websites or when the individual visits us in person.
The type of personal data we collect may include the individual’s name, residential address, telephone number, e-mail address, passport or other personal identification number, date of birth, bank account details, annual income and other financial details and place of work.
There may be occasions when we need to source personal data about you from a third party. For example, we may collect personal data from a recruitment agency, manning agent, our business alliance partners and governmental agencies.
WHAT TYPES OF EMPLOYEE PERSONAL DATA DO WE PROCESS?
We will only process employee personal data when we have an objective and legitimate purpose for doing so as part of our business. The data will be deleted when they are no longer required for this purpose. We may process specific information about our employees. Below are examples of different categories of personal data we may process about you.
General Employee Data
- Identification Data: including name, address, telephone number and other contact information, date of birth, national identity number, marital status, gender, nationality, next-of-kin, family members, family status, and similar data;
- Basic Employee Detail: employee number, job title, work location, date of joining the company, job description and job percentage, promotions, demotions, reassignments, career history/development, the name of an employee’s superior, group/departmental affiliations at the workplace, agreements between the employee and employer, pictures of the employee, copies of identity documents, period of absence, job applications with enclosures, education, courses and qualifications, CV data, personality tests, credit card information, copies of the employees passport, visas and travel documents, information on prior employers and information about positions/interests in other companies or secondary occupations;
- Salary Data: including information about your pay and pay scale, other employment terms and conditions, bank account(s), account number, tax deductions, information about national insurance benefits, pensions and pension accruals, insurances, bonus or other variable payments and overtime work;
- Performance and Disciplinary Data: including employee assessments made by BW in different contexts – and the basis for such assessments – including assessments carried out in connection with consideration of bonuses, promotion, assignment of work tasks and roles, time sheets and time spent on different tasks, appropriate group affiliations, disciplinary reactions, dismissals, redundancies etc. This may also include assessments focusing on, for example, an employee’s personal characteristics, performance, qualifications or suitability for certain types of tasks and positions, as well as notes made during staff performance reviews, including feedback from other employees. BW may also process personal data in the form of written warnings or other sanctions applied to an employee. BW may also process personal data about an employee in connection with the processing of complaints or a whistleblowing report submitted by another employee or an external party.
- Communication Data: including communications between the employer and an employee regarding your employment relationship, including confirmations that instructions and guidelines have been sent and received, and that warnings and feedback have been sent.
- Work Activities Data: an employee’s own work activities may also generate personal data which are processed by BW. Examples include correspondence between the employee and BW’s customers or suppliers, or with other employees, authorities, etc., whether by email, letter or other means. Further examples include meeting minutes, notes and other documents in which the employee has been involved or mentioned. Normally, Work Activities Data will not relate primarily to the employee, nor be processed because BW is interested in information about the employee as such. Rather, the data will form part of data related to the company’s operations as a whole, but may nevertheless constitute personal data because they show what the employee has been involved in, where the employee has been, what travels the employee has undertaken and what the employee has written and said in the work context, etc.
- Monitoring Data: an employee’s use of BW’s IT solutions and telephones may also generate personal data due to functions and settings of the software that is used. Examples include time logs and usage logs in different programs and systems, internet surfing data and passwords, IP addresses, etc. Many of these functions, such as the retention of passwords and the enabling of cookies in a browser, will be managed and activated/deactivated by the employee itself, and the company will not process data relating to the use of IT systems as such for its own purposes, although such data may nevertheless be stored in the company’s system for the reasons mentioned above. We may also process information about the access rights and use of the IT-system.
Special categories personal data (Sensitive Employee Data)
Wherever possible, BW will seek to avoid processing special categories (sensitive) of personal data about its employees, but may do so when necessary in special cases:
- BW may process data about employee trade union membership, when relevant to the employment.
- BW may process health data when necessary in connection with, for example, EHS, administering compensation and insurance and statutory registration of absence, injuries and accidents at the workplace or in connection with work, a follow-up plan in connection with sick leave or health-related adaptations of the workplace and/or work tasks or other measures due to health conditions (i.a. such as IA-agreements, etc.). BW may also store voluntarily provided information about allergies and other illnesses in connection with service of food, etc. In special circumstances, when permitted by law, data may also be processed that relates to medical examinations, vaccinations or the results of drug and alcohol tests.
- BW may also process data which an employee has provided voluntarily, such as information about political posts contained in the employee’s job application.
BW will not process biometric data related to employees, such as fingerprints or voice recognition. However, employees may – at their own discretion and for their own purposes – choose to register their fingerprints or voice recognition on PCs and mobile telephones provided to them by BW, for use in alternative login/password systems, etc.
Criminal convictions and offences
Data concerning criminal convictions and offences will in general not be processed. In particular cases, and when allowed by applicable laws, certificates of good conduct or similar may be obtained from the police or other relevant authorities. If it is claimed or suspected that an employee has committed or been involved in a criminal offence, BW may also process related data to the extent necessary to discover what has happened, to report the matter to the police and take other necessary actions, or to establish, assess or defend against any related legal claims or sanctions.
Nationality identity numbers
BW may collect and store the national identity numbers of employees. These shall only be used as necessary in connection with payroll transactions, tax reporting, etc. National identity numbers shall be subject to special security measures, and shall only be made available to personnel who need to perform such tasks. A national identity number shall never be displayed on the outside of an envelope.
PURPOSE AND USE OF PERSONAL DATA
We collect, share and hold personal data for various employment purposes such as:
- recruitment, training, career development, redeployment;
- payroll processes, including calculating and transferring payroll data by and to finance staff and independent auditors;
- administering the workforce, including managing work activities, providing performance evaluations and promotions, entity and intra-group-entity staffing and team management, managing and monitoring business travel, managing career development
- information about employee work activities, including correspondence between the employee and BW’s customers or supplier, or with other employees, authorities, meeting minutes, notes and other documents in which the employee has been involved or mentioned,
- determining and calculating various employee benefits, including pension and medical care;
- contacting next of kin in the event of illness, injury or death at work;
- disciplinary purposes relating to an employee’s conduct or capabilities at work;
- ·occupational health, sickness and security monitoring purposes;
- providing references/reports to potential future employers, medical practitioners, financial institutions, educational establishments, military or civil protection services and legal representatives;
- complying with statutory requests from tax, social security, benefits and other relevant public authorities and agencies.
THE LEGAL BASES FOR PROCESSING
General personal data
Legal basis for the processing of personal employee data may be found in Article 6(1) (b) of the GDPR, for processing that is necessary for the performance of an employment contract with an employee.
Legal basis for the processing of personal employee data may also be found in Article 6(1) (c) of the GDPR, in the case of processing that is necessary for compliance with the company’s legal obligations, for example the obligation to submit tax reports linked to employee’s income, or report employee information to the AA-register.
Further, legal basis for the processing of personal data related to employees may also be derived from Article 6(1) (f) of the GDPR (balancing of interests). The interests pursued by BW in this context are those set out above (please see the section regarding purposes).
Other legal bases for processing of personal employee data may be found in Article 6(1) (d), which relates to the protection of the vital interests of you or of another individual, or Article 6(1) (e) which relates to performance of a task carried out in the public interest or in the exercise of official authority vested in the company.
Sensitive personal data
In respect of sensitive employee data (special categories of data), legal basis for processing may be found in Article 9(2) (b) of the GDPR, when such processing serves the purpose of enabling BW to exercise its rights and carry out its obligations in the field of employment, social security and social protection law, and the corresponding provisions under local data protection law. Any processing of sensitive personal data in relation to the drug and alcohol testing that takes place, will have its legal basis in Article 9 (2) (b) of the GDPR.
Legal basis for processing may also be found in Article 9(2)(e) of the GDPR if it involves data which have manifestly been made public by the data subject, and in Article 9(2)(f) when processing is necessary for the establishment, exercise or defence of a legal claim.
Further, legal basis for processing may be derived from Article 9(2) (h) of the GDPR when processing relates to assessment of the working capacity of an employee, adaptions to the work situation in connection with health conditions or follow-up according to applicable laws.
Consent as a legal basis for processing
Normally, BW’s processing of personal employee data is not based on consent, since such consent normally cannot be regarded as having been given voluntarily. Ordinarily, therefore, no such consent should be obtained from employees. However, consent may be obtained and used in special cases where consent is needed and can be deemed to have been given voluntarily (cf. Articles 6(1)(a) or 9(2)(a) of the GDPR). Potential examples include when BW obtains consent for the retention of the job application of an unsuccessful candidate who is nevertheless regarded as an interesting prospect for future opportunities. Such consent may also be obtained when BW receives job applications that are not linked to a specific position, but where it may be relevant to store the job application for prospective engagements.
When relevant, BW has a process for obtaining consent from the relevant individual. An individual has the right to withdraw consent which has been given and we have a procedure for the withdrawal of such consent (See Form A) which individuals are free to use, unless they prefer to use their own method to notify us of withdrawal of consent (e.g. email).
WE STORE PERSONAL DATA SECURELY
BW protects any personal data that we hold or control about an individual from misuse and loss. We also protect it from unauthorised access, modification and disclosure.
We protect your data
Personal data can only be accessed by people properly authorised to have access. Any sensitive data collected with the permission of the employee will be accessed only by members of the human resources staff who are instructed that such information must be treated as confidential.
Personal data may be stored in hardcopy documents or electronically. BW maintains physical security, such as locks and security systems, over our paper and electronic data stores and premises.
BW also maintains computer and network security: for example, we use firewalls (security measures for the Internet) and other security measures such as identification codes and passwords to control access to computer systems. Sufficient access restrictions have been implemented.
STORAGE LIMITATIONS – FOR HOW LONG DO WE RETAIN DATA?
We delete personal data we no longer need
BW deletes personal data or removes the means by which personal data can be associated with particular individuals when the personal data is no longer necessary to fulfill the purposes for which it was collected. We take appropriate measures to dispose of all paper files, letters, correspondence and any other hardcopy documents that contain personal information that is no longer needed.
Job applicants and current employees
Application forms, interview records and references for unsuccessful internal and external candidates will routinely be destroyed after the recruitment process has ended, at the latest within 6 months after such a process, unless there is a clear business need for longer retention and consent is obtained from the individual. However, for unsuccessful candidates, BW may for the purpose of fulfilling its contractual obligations towards external recruiters, retain the following information for a period of 12 months following the recruitment process: the email address of the candidate, the name of the candidate, the name of the external recruiter, the applied-for position and the date of application. The company has a legitimate interest in retaining personal data related to job applications as described in the foregoing for the purpose of matching candidates with vacant job positions and for complying with its contractual obligations.
Employment record data are stored to ensure performance of the employment contract, etc. Most employment record data can and will therefore be stored for the duration of the employment relationship, since they are needed for the employer’s administration and follow-up of the employment relationship. If it is clear that certain data are no longer needed for the administration of the employment relationship, they shall be deleted.
Deletion of certain types of data stored for more specific purposes shall be considered for deletion regardless of whether the employment relationship is on-going. This may for example apply to data related to accommodation based on reduced work capacity and/or follow-up of individuals on sick leave, if it is related to smaller incidents such as fractures etc., or to strictly temporary health conditions, such as pregnancy.
As a main rule the company will also have a legitimate interest in retaining written warnings, and documents prepared in connection with such warnings, for the duration of the employment. However, exceptions may apply to long lasting employments, depending on how old the warning is and its content. This will be individually assessed by the company on a regular basis. If the written warning was subsequently withdrawn by the company, it will be erased.
After termination of employment
When an employment relationship is terminated, the relevant employee’s employment record shall be reviewed. In general, employment data will be deleted 5 years after employment has ended, except for basic employment relationship data such as title, position and tasks, duration of employment relationship and place of work. Data which are required for future tax reporting and accounting may also be stored for as long as necessary. Personal employee data which is related to pension obligations and entitlements may be stored for as long as the pension obligation is relevant. Agreements entered into with the employee, such as agreements regarding severance payments etc. may also be stored for as long as necessary. Furthermore, BW may store other employment record data which the company has a particular need for in its future operations, even if the employee in question has left BW.
In the event of a dispute with, or a claim, by an employee linked to termination of the employment relationship or other circumstances, or if there is reason to believe that such a dispute may arise or that such a claim may be brought, relevant data may be stored until the matter has been resolved or the deadline for initiating litigation has expired or the claim has been time barred.
The remaining parts of the employee file will be reviewed again as a matter of routine every 5 years to consider the need for additional deletion.
Employee data which are not included in an employment record may be stored for as long as they are needed in BW’s business operations. Examples include correspondence between an employee and customers or suppliers that the company needs to store in connection with the customer or supplier relationship, meeting minutes showing that the employee was present, notes prepared by the employee concerning company projects, etc.
The retention restrictions set out in this section apply to employees and job seekers governed by the GDPR. The retention of personal data belonging to employees and job seekers that are not governed by the GDPR, will be governed by applicable data protection legislation.
TRANSFER OF PERSONAL DATA TO THIRD PARTIES AND/OR OUTSIDE THE EU/EEA (RECIPIENTS OF PERSONAL DATA)
Subject to any general duties of confidentiality towards our employees, customers, vendors, suppliers and partners and subject to applicable Data Protection Legislation, a BW company may need to transfer personal data to another country and/or disclose personal data to third parties, other companies within the BW Group or our service providers. Examples of such categories of recipients of personal data include;
- employee’s referee(s);
- an organisation that is in an arrangement or alliance with it for the purpose of promoting or using their respective products and services (and any agents used by that organisation in administering such an arrangement or alliance);
- any service provider we engage to carry out our functions and activities;
- regulatory bodies, government agencies, law enforcement bodies and courts;
- ·other parties that we are authorised or required by law to disclose information to;
- ·other financial institutions (such as banks);
- insurers and any reinsurer of any such insurer; and
- authorised agents of an individual or the individual’s executor, administrator or legal representative.
- BW’s HR department in Singapore.
BW has mechanisms in place to ensure that: i) the standard of protection applicable to the transferred data is comparable to the protection under applicable Data Protection Legislation; and ii) the recipient of the data is required to provide a standard of protection to the transferred personal data comparable to the protection granted under applicable Data Protection Legislation as appropriate. Thus, transfer of personal data to third parties and/or outside the EU/EEA will only take place when a legal basis for such transfer can be found. For transfers outside the EU/EEA legal basis for this will be EU Model Contracts, Privacy Shield certification or other recognised legal bases. BW will occasionally transfer personal data to third parties located outside the EU/EEA when such transfer is necessary for the performance of a contract between the employee and the BW. However, it will sometimes also be necessary for BW to transfer personal employee data to authorities and other third parties located outside of EU/EEA, in situations where it will not be possible to enter into an EU Model Contract, and where other recognised legal bases do not apply. Potential examples include situations where BW must transfer personal employee data to embassies in third countries for visa application purposes or in connection with inspections at shipyards. In such situations, BW will only transfer the personal data outside of the EU/EEA when consent has been obtained from the employee.
PERSONAL DATA IN EMAIL ACCOUNTS, ETC
BW may provide employees with email accounts and other personal areas on the company’s IT system, as well as other electronic equipment.
An employer’s right to access and examine such areas and the data contained in them may be restricted by data protection legislation in some countries, and BW will comply with these restrictions. BW will not monitor employees’ email accounts, personal areas or logs as mentioned above, and may only access these in specific circumstances, and as allowed by applicable law. For detailed information regarding local law requirements on this area, please see our BW Group Intranet.
THE RIGHTS OF THE EMPLOYEES AS DATA SUBJECTS
Data Protection Legislation grants you certain rights in your capacity as a data subject. As a data subject you have the right to: (i) request access to your personal data; (ii) request rectification of your personal data; (iii) request erasure of your personal data; (iv) request restriction of processing of your personal data; (v) request data portability; and (vi) object to the processing of your personal data. If the processing of the personal data is based on consent, the employee has the right to withdraw the consent at any time with future effect. The employee also has the right to lodge a complaint with the competent data protection/surveillance authority (See Appendix 2).
BW has formal procedures to handle access and correction requests in respect of personal data in our possession or under our control.
An individual can access his/her personal data that we hold by making a request in writing or by contacting your Contact Person as listed in Appendix 1. BW has an access request form (See Form B) and a form for correction of personal data (See Form C) for use by individuals requesting access, rectification or deletion of data. However, individuals are not obliged to use these forms and may lodge an access request in any written format.
BW is committed to ensuring that personal data we hold and control is accurate and complete at the time of collecting, using or disclosing the information.
If you have any questions or concerns about our handling of your personal data, or want to exercise your rights as a data subject, please feel free to contact our Contact Persons (See Appendix 1). Further information about rights and obligations regarding data protection can be found through the data protection authority in your country (See Appendix 2)