Introduction

At Maersk Supply Service A/S (“MSS”, “we”, “us” and “our”) confidentiality and data protection is a high priority. This Privacy Policy explains and sets out the guidelines for our processing of your personal data and provides you with information according to applicable data protection law. As well as this Privacy Policy, bespoke privacy notices and supplementary privacy statements may contain further information about how we process your personal data in relation to particular processes. In those instances, such privacy notices will be communicated to you separately. These privacy notices may vary among the countries in which we operate to reflect local practices and applicable law requirements.

This privacy notice explains what personal data are processed about you, why we are processing your personal data and for which purposes, how long we hold your personal data for, how to access and update your personal data, as well as the options you have regarding your personal data and where to go for further information.

Data Controller

The entity responsible for the processing of your personal information in Denmark is:

Maersk Supply Service A/S
Lyngby Hovedgade 85
DK-2800 Kongens Lyngby
CVR no. 31 41 43 77

Depending upon your location, another MSS group entity may be responsible for processing your personal data.

Contact: legalcompliance@maersksupply.com

Purposes for processing your personal data

We process personal data covered by this Privacy Policy for the following purposes:

1. Business execution
This includes processing for the purpose of providing, researching, developing and improving products or services; concluding and executing agreements with customers, suppliers, and business partners; recording and settling services, products and materials; managing relationships and marketing, such as maintaining contact with existing and prospective customers; account management, customers services and development; and execution and analysis of market surveys and marketing strategies.

2. Organisation and management of business
This includes processing for the purpose of financial management, asset management, mergers, demergers, acquisitions and divestitures, implementation of controls, management reporting, analysis, internal audits and investigations.

3. Human Resources, personnel management, business process execution, internal management, management reporting, organisational analysis and development
This includes processing for the purpose of budgetary, financial and organisation planning, administration, compensation, performance management, and execution of employment or consultancy agreements.

4. Health, safety and security
This includes processing for the purposes of protection of life or health, occupational health and safety, protection of MSS premises and assets, and authentication of access rights, including those of visitors to MSS property.

5. Legal and/or regulatory compliance
This includes processing for the purposes of compliance with legal and/or regulatory requirements (including bookkeeping, tax and reporting), internal policies, the undertaking of any necessary screenings (including information relating to criminal convictions and offences) or due diligence, and operation of our whistleblower program.

Categories of personal data we collect about you

The personal data collected and/or processed for the purposes above may include personal contact information, date of birth, marital status, payroll and bank account information, wage and benefit information including beneficiary information, emergency contacts, work performance information, information required to ensure you have the right to

work in the country/ies you are engaged in, as well as any other information necessary for managing the employment and business relationships.. Business contact information may also be collected, such as job title, department, name of organisation, and your dealings with MSS on behalf of yourself or the relevant business customer, supplier or business partner.

We may also process some special categories of personal data (‘sensitive personal data’) such as data relating to an individual’s health or criminal background, their racial or ethnic origin, religious or philosophical beliefs, sexual orientation, political opinions and trade union membership. We will only process such sensitive personal data where it is necessary for the purposes of complying with employment and social security laws, for the establishment, exercise or defence of claims, or where necessary for the purposes of providing occupational medical advice and support, or to protect the vital interests of an individual (such as in an emergency), where necessary for reasons of public health or where the individual has provided their explicit consent.

We also collect and process images captured by video surveillance in marked areas at MSS premises/properties.

Legal basis for processing your personal data

We will only process your personal data where we have a legal basis to do so. We process your personal data:

  • In order to satisfy our obligations to comply with local laws and regulations (ref. Article 6(1)(c) of the General Data Protection Regulation (“GDPR”), and e.g., the Danish Bookkeeping Act and applicable tax legislation);
  • For legitimate business interests, provided these interests are not overridden by your interest in protection of your personal data (ref. Article 6(1)(f) of GDPR);
  • For performance of a contract between you and MSS (ref. Article 6(1)(b) of GDPR)
  • For health, safety and security purposes (ref. Article 6(1)(d) of GDPR);
  • Where the information has been manifestly made public by you (ref. Article 9(2)(e) of GDPR)
  • Where our data processing clearly overrides the interests of the data subject (ref. Section 8(3) and/or Section 11 (2) of the Danish Data Protection Act)
  • Where we have your explicit consent (ref. Article 6(1)(a) of GDPR).

As a general principle, MSS does not seek or rely on the consent of MSS staff for processing personal data. However, there are limited circumstances where consent is required, such as if required by applicable local law.

Personal data requested from data subjects are the minimum required in order to fulfil legal and/or contractual requirements. In those cases where processing is based on consent, and subject to applicable local law which provides otherwise, you have the right to withdraw your consent at any time. This will not affect the validity of the processing prior to the withdrawal of consent. Withdrawal of consent may, however, impact ability to be engaged on a particular project.

Sharing of personal data

We may in some cases share your personal data with other MSS entities and/or third parties such as business partners, suppliers, vendors, consultants, agencies, customers, consumers, governmental bodies, courts and IT hosting, supply and service providers that we use for our group’s IT environment. We only share personal data to the extent necessary for us to perform the activities described in this privacy policy.

Transfer and protection of your personal data As a global organisation with offices and operations throughout the world, we may transfer personal data collected by us on an aggregated or individual level to various divisions, subsidiaries, joint ventures and affiliated companies of MSS around the world for the purposes stated above and in accordance with applicable laws and regulations, as well as to contractors and sub-contractors to MSS (data processors and sub-processors) for storage and service purposes. Your personal data will not be disclosed to anyone outside MSS unless permitted or required under applicable legislations and regulations where necessary subject to appropriate written assurances from third parties who have access to your personal data, in which they must guarantee that they will protect the data with security measures designed to provide an adequate level of protection. Unless you are otherwise notified, any transfers of your personal data will be based on applicable local data privacy laws, which among other includes appropriate international data transfer mechanisms and safeguards such as an adequacy decision, standard contractual clauses, or the like. You can always request a copy of the transfer mechanisms which includes the transfer of personal data by contacting legalcompliance@maersksupply.com.

Security measures

We choose to use suppliers that implement security in accordance with industry practices for good IT security, and we only use encrypted data communications when transferring sensitive and confidential personal data. We also maintain organizational, physical and technical security arrangements for all the personal data we hold. We have protocols, controls and relevant policies, procedures and guidance to maintain these arrangements taking into account the risks associated with the categories of personal data and the using we undertake. We store personal data on servers with limited access located in secured facilities, and our security measures are evaluated on an ongoing basis. The servers are protected by anti-virus software and firewalls, among other measures.

Data subjects rights

You are entitled, in the circumstances and under the conditions, and subject to the exceptions set out in applicable law, to:

  • Request access to the personal data we use about you; there are some exemptions under data privacy legislation, which means you may not always receive all the data we use.
  • Request rectification of your personal data if it is inaccurate or incomplete.
  • Object to the use of your personal data; however, this right only applies in certain circumstances, and we may not need to stop the use if we can provide legitimate reasons to continue using your personal data.
  • Request the erasure of your personal data;
  • Request the restriction of the use of your personal data;
  • Request portability of your personal data, which entitles you to receive a copy of personal data that you have provided to us or request us to transmit such personal data to another data controller.
  • Withdraw your consent; you can withdraw your consent at any time by opting out in the email or by contacting us. However, this will not affect our right to use personal data obtained prior to the withdrawal of your consent, or our right to continue parts of the use based on other legal bases than your consent.
  • File a complaint; you can always lodge a complaint with a data protection authority, for example the Danish Data Protection Agency.

Please note that certain personal data may be exempt from the above-mentioned rights pursuant to applicable data privacy laws, or other laws and regulations.

Contact information

If you have a general question about how MSS uses and/or protects your personal data, if you wish to exercise your rights, or if you wish to make a complaint about how MSS uses your personal data, please contact our legal compliance team by sending an email to legalcompliance@maersksupply.com, or sending a letter to Maersk Supply Service, Lyngby Hovedgade 85, DK-2800 Lyngby Denmark, Attn: Data Privacy, Legal Department.