Data Protection Policy

This document provides the policy framework through which effective management of Data Protection matters can be achieved. The General Data Protection Regulation (“GDPR”) is the new legal framework for the protection of individuals from the processing of personal data which will be enacted on 25th of May 2018.

1. Scope of the Policy

The purpose of this policy is to ensure that ASTRA Shipmangement Inc. complies with the provisions of the GDPR when processing Personal Data. Astra Shipmanagement Inc. establishes, maintains and implements appropriate technical and organisational measures to ensure the security of Personal Data. Our company collects the Personal Data in a transparent way and only with the full cooperation and knowledge of interested parties. The Company expects all of its employees, Crew Personnel and Third Parties Providers (i.e. port agents, Manning agents, contractors, external business partners, suppliers, visitors) to comply with the Regulation. Any serious infringement of the Regulation will be treated seriously by ASTRA.

2. Data Protection Principles

ASTRA sets the principles of collecting, organizing, retaining, modifying, forwarding, transmitting, keeping, managing, sharing and using of Personal Data according to the Regulation:

• Personal Data must be collected and processed for specified, explicit and legitimate purposes.
• Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Personal Data must be accurate and, where necessary, kept up to date.
• Personal Data must be kept for no longer than it is necessary for the purposes for which the personal data are processed.
• Personal Data must be processed in a manner that ensures their appropriate security

3. Procedures by ASTRA Shipmanagement Inc.

• ASTRA adopts measures and procedures that ensure that by default only Personal Data strictly necessary for ASTRA’s purposes are processed and these Data are not accessible to an indefinite number of natural persons within the Company.
• ASTRA defines the limitation period which the Personal Data shall be kept.
• ASTRA obtains the Data Subject’s written consent.
• ASTRA ensures that persons authorised to collect, organize, retain, modify, forward, transmit, keep, manage, share and use personal data have committed themselves to confidentiality.
• ASTRA adopts measures against accidental loss, destruction, damage, alteration or disclosure of Personal Data.
• ASTRA undertakes to carry out an assessment of the impact of high-risk processing operations on the protection of Personal Data, especially when new technologies are involved.
• To be able to demonstrate that the Data protection principles are respected.

4. Third Parties Data Processors

Where external companies or individuals are used to process personal data for and on behalf of ASTRA Shipmanagement Inc, responsibility for the security and appropriate use of that data remains with ASTRA.

Where a third-party data processor is used:

• A Data Processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of Personal Data;
• Reasonable steps must be taken that such security measures are in place;
• A written contract establishing what Personal Data will be processed and for what purpose must be set out;
• A Data Processing Agreement, available from ASTRA, must be signed by both parties.

A Third Party must process the personal data only to the extent required in the course of the work with ASTRA and always in a strictly confidential manner.

5. Data Protection breaches

Where a Data Protection breach occurs, or is suspected, it should be reported immediately in accordance with the GDPR to ASTRA Shipmanagement Inc: Confirmed or suspected data security breaches should be reported promptly to the Safety & Quality or Legal Department; as the primary point of contact on +30 213 0175 100, email: legal@astraship.com or sqe@astraship.gr . The report should include full and accurate details of the incident including who is reporting the incident and what classification of data is involved.

6. Contact

Queries regarding this policy or the General Date Protection Regulation at large should be directed to sqe@astraship.com & legal@astraship.com

7. Implementation

This policy will be updated as necessary to reflect best practices in Data management, security and control and to ensure compliance with any changes or amendments in the law.