1. Background and introduction
Prime Cargo is subject to data protection obligations originating from EU regulation such as the General Data Protection Regulation (GDPR) and various local requirements under national law. Prime Cargo is committed to ensuring compliance with those requirements and a generally high and adequate level of personal data protection, as privacy compliance is a keystone in gaining and maintaining the trust of our customers, suppliers and employees and thus in ensuring Prime Cargo’s business in the future.
In order to ensure compliance with applicable data protection legislation, Prime Cargo has set out these internal guidelines for processing of personal data within Prime Cargo.
2. Collection and processing of personal data
2.1. What is personal data?
“Personal data” is all information which may be related to an identified or identifiable natural person (the data subject). Personal data covers a wide range of information and includes general information such as name, address, phone number, age, gender, etc. but also special categories of personal data (sensitive personal data) such as information on health, trade union membership, religion, etc. and confidential information such as social security number.
Although information regarding companies/businesses is not as such personal data, please note that information relating to your contacts within such companies/businesses, e.g. name, title, work email, work phone number, etc., will be considered personal data.
Prime Cargo collects and uses personal data for a variety of legitimate business purposes, including establishment and management of customer and supplier relationships, recruitment, managing all aspects of terms and conditions of employment, fulfilment of legal obligations or requirements, performance of contracts, etc.
2.2. General principles
Personal data shall always be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
3. Legal basis for processing personal data
Processing of personal data requires a legal basis. The most predominant legal bases for processing personal data within Prime Cargo are:
- consent from the data subject
- the performance of a contract
- a legal obligation or requirement
- legitimate interests pursued by Prime Cargo, provided that these interests are not overridden by the interests of the data subject
- an obligation in the field of employment and social security and social protection law
If the collection, registration and further processing of personal data on employees, trial subjects, customers, suppliers and other business relations are based on such persons’ consent, the consent shall be:
- Provided voluntarily (the person providing his or her consent must not feel pressured to do so)
- Specific and unambiguous (so that he or she is aware of the scope of the consent)
- Informed (each individual shall be provided with information regarding the type of personal data processed, the purpose of the processing, any transfers of personal data, etc.)
To process special categories of personal data (sensitive personal data) the consent shall also be explicit.
The data subject is entitled to withdraw his/her consent at any time and upon such withdrawal, we will stop collecting or processing personal data about that person unless we are obligated or entitled to do so based on another legal basis, e.g. performance of a contract.
The processing of personal data regarding customers, suppliers or other business relations does not necessarily require such persons’ consent. In case an agreement is in place with Prime Cargo, e.g. a purchase order, the personal data required to fulfill such agreement can be processed. In addition, consent is not required in situations where Prime Cargo is required to process the personal data in order to comply with applicable legislation or requests from authorities. Sensitive personal data is not processed without the data subject’s consent unless the processing is authorized by law.
3.2. Necessary for the performance of a contract
It will be legitimate to collect and process personal data relevant to the performance of a contract. This applies to all sorts of contracts and agreements, including purchase orders, customer supply contracts, supplier contracts and employment agreements, business development agreements, etc. This also applies to the pre-contractual phase, irrespective of whether the contract negotiation succeeds. Sensitive personal data shall not be collected and processed on the basis of a contract.
3.3. Comply with a legal obligation
Prime Cargo has to comply with various legal obligations and requirements to collect, register and/or make available certain types of information relating to employees, customers, etc. Such legal requirements will then form the legal basis for us to process the personal data. However, it is important to note whether the provisions allowing or requiring Prime Cargo to process certain personal data also set out requirements in relation to storage, disclosure and deletion.
3.4. Legitimate interests
In many cases our processing of personal data will be based on “the balance of interest”. Pursuant to the “balance of interest” rule, Prime Cargo is allowed to process non-sensitive personal data if the processing is necessary for the purposes of the legitimate interests pursued by Prime Cargo, and these interests are not overridden by the interests of the data subject. The data subject must be given information on the specific legitimate interest if processing is based on this provision, cf. section "Rights of the data subjects".
3.5. Obligations in the field of employment and social security and social protection law
This legal basis applies if the processing of personal data is necessary for the purposes of carrying out the obligations and exercising specific rights of Prime Cargo or of the data subject in the field of employment and social security and social protection law in so far as it is authorized by EU law or a collective agreement.
3.6. Anonymized data
If it is possible to anonymize or aggregate the personal data registered to an extent where it is no longer possible for anyone to identify the persons behind the data, such data is no longer considered personal data and consequently the data is not subject to the same restrictions as personal data.
The requirements for considering the anonymization/aggregation complete are very strict. It must not be possible for anyone – neither inside nor outside Prime Cargo – to identify the persons whose previous personal data is included in the anonymized/aggregated data.
Please note that pseudonymized data is still considered personal data. If it is possible to identify the persons behind the personal data via additional information (e.g. a digital key) the information is only pseudonymized and the processing shall therefore comply with the requirements in this policy.
4. Records of processing activities
Prime Cargo shall maintain records of processing activities under Prime Cargo’s responsibility. The records shall contain the following information:
- the name and contact details of Prime Cargo;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, if relevant, the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the applied technical and organizational security measures.
Prime Cargo shall make the records available to the Danish Data Protection Agency (Datatilsynet) or other supervisory authorities on request.
5. Identification of new processing activities
Before any new activity involving the collection and processing of personal data is initiated, an assessment form must be completed and filed with Business Excellence.
6. Disclosure, making available and transfer of personal data
6.1. Disclosure of personal data
Before disclosing personal data to others, please consider whether the recipient is employed in Prime Cargo or not. You can share personal data with other people in Prime Cargo, who are employed in the same department as you and have a legitimate business purpose in obtaining the personal data.
It is your responsibility to ensure that the recipient has a legitimate purpose for receiving the personal data and to ensure that sharing of personal data is restricted and kept to a minimum.
You must likewise be cautious before sharing personal data with persons or entities outside Prime Cargo. Personal data shall only be transferred to third parties acting as individual data controllers if a legitimate purpose for such transfer exists.
If the third party recipient is located in a third country which does not ensure an adequate level of data protection an individual transfer basis is required. As regards transfer of personal data to recipients located in the US, such transfer basis exists if the recipient is certified under the Privacy Shield framework. In the absence of the recipient having such Privacy Shield certification or if the recipient is located in another third country which does not ensure an adequate level of data protection a proper transfer basis exists if Prime Cargo enters into a transfer agreement between the exporter of personal data (Prime Cargo) and the importer of personal data (third party). The transfer agreement shall be based on the EU Standard Contractual Clauses.
6.2. Use of data processors
A data processor is a company that processes personal data on behalf of Prime Cargo and in accordance with Prime Cargo’s instructions, e.g. in relation to HR systems, access control, surveys, etc. When Prime Cargo outsources the processing of personal data to data processors, Prime Cargo ensures that said company as a minimum applies the same degree of data protection as Prime Cargo. If this cannot be guaranteed, Prime Cargo will choose another data processor.
6.3. Data processor agreements
Prime Cargo shall enter into a written data processor agreement with the data processor before making available any personal data to the data processor. The data processor agreement ensures that Prime Cargo controls the processing of personal data which takes place outside Prime Cargo but which Prime Cargo is responsible for. The data processor agreement shall be prepared in accordance with Prime Cargo’s data processor agreement template.
If the data processor/sub-data processor is located outside the EU/EEA, please refer to "Disclosure of personal data".
7. Rights of the data subjects
7.1. Duty of information
7.2. Rights to access, objection, etc.
Any person whose personal data Prime Cargo is processing, including Prime Cargo employees, job applicants, external suppliers, customers, business partners, etc. has the right to request access to the personal data which Prime Cargo processes or stores about him/her. In addition, such persons may object to the processing and require that incorrect personal data be updated, corrected or deleted or that any processing be restricted.
7.3. Data portability
Under certain circumstances, the data subjects also have the right to receive the personal data registered in a structured, commonly used and machine-readable format.
8. Deletion of personal data
Personal data shall be deleted when Prime Cargo no longer has a legitimate purpose for the continuous processing or storage of the personal data or when it is no longer required to store the personal data in accordance with applicable legal requirements.
9. Special areas
Processing of personal data forms the basis of and supports Prime Cargo’s business in various areas. However, certain functions/business areas are subject to special attention as the processing of personal data is more extensive in these areas.
9.1. HR data
Prime Cargo processes personal data about its employees in order to manage all aspects of an employee’s employment relationship, including payroll, education and training, parental leave, sickness, absence, travel management, access management and other general company, administrative and human resource related processes.
9.2. Business Development and Data Protection Impact Assessment
During development of new products, solutions, websites, apps, etc., Prime Cargo gives specific consideration to the potential processing of personal data. New products, etc. must be developed so that they meet the requirements in applicable privacy legislation, including preparation of documents regarding data protection by design/data protection by default. Data protection by design means that when designing new products due consideration is given to data protection, e.g. by ensuring that adequate security is in place and that compliance is monitored. Data protection by default requires that relevant data minimisation techniques are implemented.
The Head of Business Excellence is included from the early stages of the product development, as the privacy requirements may impact the design of the product. The person responsible for the development of a new product or process is also responsible for completing an assessment of potential processing of personal data related to such product/process.
If Prime Cargo processes personal data which is likely to result in a high risk for the persons whose personal data are being processed, a Data Protection Impact Assessment (DPIA) shall be carried out. A DPIA is an assessment of the risks related to a specific processing of personal data and the subsequent minimization of the established risks via various security measures and procedures.
Especially when developing new technologies which include the processing of personal data, high risks in relation to protection of privacy are involved, and therefore such risks shall be considered very early in the development, including the decision whether to complete a DPIA. The person responsible for the development is also responsible for completing a DPIA.
9.3. CRM/SRM systems
As part of fulfilling Prime Cargo’s obligations towards our customers and suppliers and in order to ensure business development, Prime Cargo registers certain information on its customers, suppliers and other business relations. When information is registered in Prime Cargo’s CRM and/or SRM systems, the necessity of the personal data to be registered has to be considered.
It is crucial to Prime Cargo’s business that customers, suppliers and other business partners have complete confidence in Prime Cargo and the protection of their privacy. Registration of sensitive personal data, e.g. health data or data regarding religious or political beliefs, is prohibited in the CRM/SRM system.
10. Training and education
The high level of data protection within Prime Cargo can only be ensured if the employees are conscious of their responsibility to comply with Prime Cargo’s privacy policies/manuals. Employees are familiarized with and trained in the various data protection requirements through training programmes and tests.
Employees are required to complete the mandatory privacy training programmes. Non-completion may lead to employment sanctions.
The level of personal data protection within Prime Cargo is closely related to information security. In order to ensure the highest degree of data security, Prime Cargo’s IT/Information Security Policy shall be complied with at all times.
If you have any questions regarding the content of this policy, please contact Business_Excellence@primecargo.com.