GDPR and Crew Management
As Members will have seen from our Circular on the General Data Protection Regulation (‘GDPR’) issued on 27 February 2018, the implementation date for GDPR (25 May 2018) is fast approaching.
Review your Crew Management Arrangements
In this article, the Club recommends that as part of your preparations for GDPR you complete a review of your crew management arrangements to ensure they will be GDPR compliant. We are grateful to Ian MacLean of Hill Dickinson LLP for his input into this article.
Key Actions to Consider
In relation to crew management, you should consider the following key actions as part of your wider GDPR compliance programme:
- Data controller or data processor? Review your crew management arrangements and crew information to determine whether you are the ‘data controller’ or the ‘data processor’ of crew personal data. You are a data controller if you decide the purposes and means by which the personal data is processed; you are a data processor if you process personal data on behalf of a data controller. If you are a data processor, the GDPR places direct legal obligations on you, including to maintain records of the processing activities you carry out for each controller and to keep the data secure. If you are a data controller, the GDPR places additional obligations on you: you remain responsible for the data when you pass it to third parties, you must use only processors that provide sufficient guarantees of compliance, and you must have a written contract in place with each of them. A shipowner that employs crew directly will typically be the controller, and a crew manager acting on the owner’s instructions will typically be a processor, although a crew manager may be a controller in its own right for some purposes (for example, its own recruitment or payroll records).
- Determine the lawful basis for the processing of personal data relating to crew – whether you are a data controller or a data processor, you must identify a valid lawful basis for the processing of crew personal data. Article 6 of the GDPR provides the following lawful bases for the processing of personal data:
- Consent
- Contractual
- Legal obligation
- Vital interests
- Public task
- Legitimate interest
Some practical examples of these lawful bases are considered further in this briefing.
- Consider whether you hold and process any special category data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation). Crew medical fitness certificates and drug and alcohol test results are health data, so most crew managers will hold some. For such data you will need to identify:
- a lawful basis under Article 6 for the processing of this information; and
- a separate condition for the processing of special category data. These conditions are listed in Article 9(2) of the GDPR and include explicit consent from the individual, processing necessary to meet obligations under employment law, and processing necessary for occupational medicine or the assessment of an employee’s working capacity. Explicit consent should be relied on with care in an employment context, since consent must be freely given and can be withdrawn at any time.
- Complete your ‘record of processing’ – both data controllers and data processors must maintain a written record of their processing activities (Article 30). Members should ensure that their records detail the processing carried out in relation to their crew, including the categories of data held, the purposes of processing, the recipients (including any recipients outside the EEA) and the retention periods.
- Privacy notices – these explain how you as an organisation collect and process personal data. Articles 13 and 14 of the GDPR set out the information you must supply to individuals when collecting personal data from them, or when obtaining it from another source (for example, from a manning agent). Review your current privacy notices for crew to ensure they meet these requirements.
- Contracts – review any third party contracts relating to the processing of personal data and ensure they meet the requirements of the GDPR; in particular, Article 28 requires a written contract between a controller and each of its processors containing specified terms. Members may need to seek specific legal advice in this area to ensure their data processing arrangements are GDPR compliant.
- Consider local requirements – if you are located outside the European Union you will need to comply with any applicable local requirements concerning data protection and privacy. The GDPR will also apply to you if you have an establishment in the EU, or if you offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3).
- International transfers – unless additional safeguards are in place, the GDPR prohibits the transfer of personal data outside the European Economic Area to a country that does not, in the view of the European Commission, provide an adequate level of protection (1).
Such safeguards (Article 46) include:
- a legally binding and enforceable instrument between public authorities or bodies
- binding corporate rules (approved rules governing transfers between organisations within a corporate group)
- standard data protection clauses in the form of template transfer clauses adopted by the European Commission
- standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the European Commission
- compliance with an approved code of conduct, together with binding and enforceable commitments by the recipient to apply the appropriate safeguards
- certification under an approved certification mechanism as provided for in the GDPR, together with the same binding commitments by the recipient
- subject to authorisation from the competent supervisory authority, contractual clauses between the exporter and the recipient, or provisions inserted into administrative arrangements between public authorities or bodies
Where none of these safeguards applies, a transfer may still be possible under one of the specific derogations in Article 49, for example where the transfer is necessary for the performance of the crew member’s contract of employment. The derogations are to be interpreted restrictively and should not be relied on as the routine basis for regular crew data flows.
- Supervisory authority guidance – sign up to alerts and guidance issued by your local data protection supervisory authority. For the United Kingdom, this is the Information Commissioner’s Office: https://ico.org.uk/
Data Processing Examples
By way of illustration, we have set out some data processing scenarios and the possible lawful basis for the processing of the associated personal data:
If you are unsure of your rights or obligations as a data controller or data processor, you should seek independent legal advice.
Find out more
Visit our dedicated insights area: www.nepia.com/GDPR
(1) As at January 2018, Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay had been determined by the Commission to offer an adequate level of protection (see Article 45). The Canadian decision covers only commercial organisations, and transfers to the USA were covered only for organisations certified under the EU-US Privacy Shield, so legal advice will be required case by case.