DATA PROTECTION POLICY
Scorpio Services Holding Limited (“SSH”) and its subsidiaries (collectively, “Scorpio”) attach great importance to the protection of Personal Data and are committed to ensuring a high level of data protection and data security. For this reason, Scorpio considers it its duty, as an international group, to comply with the laws and regulations that govern the collection and Processing of Personal Data in each of the locations where it is established. The European Union’s General Data Protection Regulation (“GDPR”) became applicable on May 25, 2018 and has direct effect throughout the European Union, including the United Kingdom. Similar data protection laws apply in Norway, Iceland, Turkey and other countries.
Each Scorpio entity shall adhere to this Data Protection Policy and, as applicable, comply with local data protection laws and the GDPR.
1 Definitions
“Biometric Data” means Personal Data resulting from specific technical Processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial image data.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
“Data Concerning Health” means Personal Data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
“Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
“Recipient” means a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a Third Party or not. However, public authorities which may receive Personal Data in the framework of an inquiry in accordance with Union or Member State law shall not be regarded as Recipients; the Processing of data by public authorities shall be in compliance with the applicable data protection rules according to the purposes of the Processing.
“Restriction of Processing” means the marking of stored Personal Data with the aim of limiting their Processing in the future.
“Supervisory Authority” means an independent public authority which is established by a Member State of the European Union, Norway, Iceland or Liechtenstein.
“Third Party” means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process Personal Data.
2 Aim of the Data Protection Policy
Scorpio is committed to international compliance with data protection laws. This Data Protection Policy applies worldwide to Scorpio and is based on globally accepted, basic principles on data protection. This Data Protection Policy provides one of the necessary framework conditions for cross-border data transmission among the group entities. It ensures the adequate level of data protection prescribed by the GDPR and similar laws for cross-border data transmission, including in countries that do not yet have adequate data protection laws.
Scorpio attaches great importance to the protection of Personal Data. For this reason, Scorpio entities will process Personal Data exclusively if required by applicable laws and regulations, with the Data Subject’s explicit Consent and/or as necessary for the legitimate interests of Scorpio, on the condition that the Data Subject’s fundamental rights and freedoms are not harmed.
3 Scope of the Data Protection Policy
This Data Protection Policy applies to SSH, its subsidiaries and their employees. The Data Protection Policy extends to all Processing of Personal Data.
4 Application of National Laws and the GDPR
Each Scorpio entity must comply with its local data protection laws where they exist and comply with the requirements of the GDPR when it applies.
5 Principles relating to processing of personal data
5.1 Fairness, lawfulness and transparency
When Processing Personal Data, the individual rights of the Data Subjects must be protected. Personal Data must be collected and processed in a legal and fair manner. The Data Subject must be informed of how his/her data is being handled. When the data is collected, the Data Subject must either be aware of, or informed of:
- The identity of the data Controller;
- The purpose of Processing;
- Which kinds of Personal Data will be processed;
- How long the Personal Data will be retained;
- That the data will be kept confidential;
- That Data Subjects have certain rights set out under the GDPR and/or local data protection laws;
- That adequate security measures are in place to protect Personal Data; and
- The third parties (or categories of third parties) to whom Personal Data might be transmitted.
5.1.1 Specific, explicit and legitimate purposes (Purpose limitation)
Personal Data can be processed only for the defined purposes of which the Data Subject was informed before the data was collected. Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed for any other purpose without properly informing the Data Subject of the new purpose.
5.1.2 Adequate, relevant and limited (data minimisation)
Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Personal Data may not be collected in advance and stored for potential future purposes unless required or permitted by applicable law or regulation.
5.1.3 Accurate and updating of data (accuracy)
Personal Data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
5.1.4 Retention (Storage limitation)
Personal Data shall not be kept longer than is necessary for the purposes for which the Personal Data is processed and to comply with legal obligations.
5.1.5 Confidentiality and Data Security (Integrity and confidentiality)
Personal Data is subject to data secrecy and must be treated as confidential. Personal Data shall be processed in a manner that ensures appropriate security of these Personal Data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
5.1.6 User data and internet (Cookies)
When Personal Data is collected, processed and used on websites or in apps, the Data Subjects must be informed of this in a privacy statement and, if applicable, informed about cookies. Cookies are small pieces of data that a web server sends to the browser, which stores them and returns them to that server on later requests. The privacy statement and any cookie information must be integrated so that they are easy to identify, directly accessible and consistently available to the Data Subjects.
6 Lawfulness of processing
Collecting, Processing and using Personal Data is permitted only under the following legal bases. One of these legal bases is also required if the purpose of collecting, Processing and using the Personal Data is to be changed from the original purpose.
6.1 Customer and Partner data
6.1.1 processing for a contractual relationship
Personal Data of the relevant prospects, customers and partners can be processed to establish, execute and terminate a contract.
6.1.2 Consent to processing
Where Processing is based on Consent, the Controller shall be able to demonstrate that the Data Subject has consented to the Processing of his or her Personal Data.
6.1.3 processing pursuant to legal authorization
The Processing of Personal Data is also permitted if national legislation requests, requires or allows this. The type and extent of Processing must be necessary for the legally authorized Processing activity, and must comply with the relevant statutory provisions.
6.1.4 processing pursuant to legitimate interest
Personal Data may also be processed if it is necessary for a legitimate interest of Scorpio. Legitimate interests are generally of a legal or commercial nature.
6.2 Employees’ data
6.2.1 processing for the employment relationship
In employment relationships, Personal Data can be processed if needed to initiate, carry out and terminate the employment agreement.
When initiating an employment relationship, the applicants’ Personal Data can be processed. If the candidate is rejected, his/her data must be deleted in observance of the required retention period, unless the applicant has agreed to remain on file for a future selection process. Consent is also needed to use the data for further application processes or before sharing the application with other group entities.
If it should be necessary during the application procedure to collect information on an applicant from a Third Party, the requirements of the corresponding national laws must be observed. In cases of doubt, Consent must be obtained from the Data Subject. In the existing employment relationship, Processing must always relate to the purpose of the employment agreement unless one of the following circumstances for authorized Processing applies. There must be legal authorization to process Personal Data that is related to the employment relationship but was not originally part of the performance of the employment agreement. This can include legal requirements, collective regulations with employee representatives, Consent of the employee, or the legitimate interest of the company.
6.2.2 processing pursuant to legal authorization
The Processing of employees’ Personal Data is also permitted if national legislation requests, requires or authorizes this. The type and extent of Processing must be necessary for the legally authorized Processing activity, and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the employee that merit protection must be taken into consideration.
6.2.3 Collective agreements on processing
If a Processing activity exceeds the purposes of fulfilling a contract, it may be permissible if authorized through a collective agreement. Collective agreements are pay scale agreements or agreements between employers and the employees’ representatives, within the scope allowed under the relevant employment law. The agreements must cover the specific purpose of the intended Processing activity, and must be drawn up within the parameters of applicable data protection legislation.
6.2.4 Information and Consent to processing
Employee data can be processed after the person concerned has been informed or, in the case of sensitive Personal Data, has given Consent. Declarations of Consent must be given voluntarily; involuntary Consent is void. The declaration of Consent must be obtained in writing or electronically for documentation purposes.
6.2.5 processing pursuant to legitimate interest
Personal Data can also be processed if it is necessary to enforce a legitimate interest of Scorpio. Legitimate interest is generally of a legal nature.
6.2.6 Automated decisions
If Personal Data is processed automatically as part of the employment relationship, and specific personal details are evaluated (e.g. as part of personnel selection or the evaluation of skills profiles), this automatic Processing cannot be the sole basis for decisions that would have negative consequences or significant problems for the affected employee. To avoid erroneous decisions, the automated process must ensure that a natural person evaluates the content of the situation, and this evaluation is the basis for the decision. The Data Subject must also be informed of the facts and results of automated individual decisions and be given the possibility to respond.
6.2.7 Telecommunications and internet
Telephone equipment, e-mail addresses, intranet and internet along with internal social networks are provided by the company primarily for work-related assignments.
They are a tool and a company resource. They can be used within the applicable legal regulations and internal company policies.
In the event of authorized use for private purposes, the laws on secrecy of telecommunications and the relevant national telecommunication laws must be observed if applicable.
To defend against attacks on the IT infrastructure or on individual users, protective measures can be implemented for connections to Scorpio’s network that block technically harmful content or analyse attack patterns.
6.3 Processing of highly sensitive data
Highly sensitive data is data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, Biometric Data, and Data Concerning Health or the sexual life of the Data Subject.
Under local law, further data categories can be considered highly sensitive, or the content of these data categories can be defined differently. Moreover, data that relates to a crime can often be processed only under special requirements under national law.
Highly sensitive data shall be processed only if it is a legal requirement (for instance under employment law), if the Data Subject has given express Consent to the Processing or if Processing is necessary for asserting, exercising or defending legal claims regarding the Data Subject.
Scorpio’s data protection team shall be informed in advance about all Processing of highly sensitive data.
7 Transmission of personal data
Transfer of Personal Data to third countries or international organisations is subject to the requirements for such transfers under Chapter V of the GDPR (Articles 44 to 50).
The Recipient must be required to use the data only for the defined purposes. In the event that data is transmitted to a Recipient outside Scorpio to a third country, the Recipient must agree to maintain a data protection level equivalent to this Data Protection Policy.
Local laws must be respected. Scorpio may transfer Personal Data where the organisation receiving the Personal Data has provided adequate safeguards.
8 Processing agreement
All Scorpio entities must ensure that their Processors provide sufficient guarantees that Processing will comply with applicable data protection laws, for instance by entering into a data processing agreement.
9 Data breach
In the case of a Personal Data Breach, the Controller shall report such breach to the relevant authorities as required by applicable data protection laws.
Scorpio entities subject to the GDPR shall without undue delay and, where feasible, not later than seventy-two (72) hours after having become aware of it, notify the Personal Data Breach to the competent Supervisory Authority unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the Supervisory Authority is not made within seventy-two (72) hours, it shall be accompanied by reasons for the delay.
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach.
The notification shall at a minimum:
- describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the Personal Data Breach; and
- describe the measures taken or proposed to be taken by the Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
If a Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate that Personal Data Breach to the Data Subject without undue delay.
10 Rights of data subjects
Under the GDPR, Data Subjects have certain rights in relation to Personal Data collected by Scorpio, including:
- The right to be informed
The Data Subjects have the right to be informed about the collection and use of their Personal Data.
- The right of access
The Data Subjects have the right to obtain certain information, such as the purpose of Processing, the categories of Personal Data concerned, the Recipients (or categories of Recipients) to whom the Personal Data have been disclosed, the retention period, the right to request rectification, erasure, Restriction of Processing and to object to Processing, the source of Personal Data, the existence of automated decision making and profiling, and the safeguards implemented to transfer Personal Data to a third country or international organisation.
- The right to rectification
The Data Subjects have the right to have their Personal Data rectified or completed in case Personal Data has been recorded inaccurately or incompletely.
- The right to erasure
In certain circumstances, Data Subjects have the right to have their Personal Data erased (the “right to be forgotten”).
- The right to restrict Processing
Under the GDPR, the Data Subjects have the right to request Restriction of Processing of their Personal Data in certain circumstances. This is an alternative to requesting the erasure of Personal Data.
- The right to data portability
The right to data portability gives Data Subjects the right to receive Personal Data they have provided to a Controller in a structured, commonly used and machine-readable format. It also gives them the right to request that a Controller transmits this data directly to another Controller.
- The right to object
Data Subjects have the right to object to the Processing of their Personal Data in certain circumstances; for example, they have the right to stop their data being used for direct marketing.
- Rights in relation to automated decision making and profiling
Under the GDPR, solely automated individual decision-making (that is, deciding without human involvement), including profiling (automated Processing of Personal Data to evaluate certain aspects of an individual), is restricted where it produces legal or similarly significant effects.
In addition to the rights under the GDPR, Data Subjects may have additional rights under local data protection laws. Scorpio is committed to complying with local data protection laws.
The data protection team shall promptly respond to requests made by Data Subjects in connection with their rights in accordance with the GDPR and/or local data protection laws.
Data Subjects may contact Scorpio by email at: firstname.lastname@example.org at any time.
THIS DATA PROTECTION POLICY MAY FROM TIME TO TIME BE AMENDED, SUPPLEMENTED AND UPDATED