Guide to the General Data Protection Regulation (GDPR)

SeaRates hereby confirms its compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), published at eur-lex.europa.eu.

Duration of processing. Under the GDPR (Art. 28(3)) the description of the processing must set out: (i) the subject-matter of the processing; (ii) the duration of the processing; (iii) the nature and purpose of the processing; (iv) the type of personal data to be processed; (v) the categories of data subjects; and (vi) the obligations and rights of the data controller. At present the Providers do not contain the information required under (ii);

Onward transfer of the data outside the EEA without the data controller's permission. The Providers do not address the situation in which the data processor intends to transfer the data further, to a country outside the EEA. Under GDPR Art. 28(3), the processor may make such an onward transfer only on the documented instructions of the controller, i.e. it must inform the controller and obtain its authorisation beforehand;

Confidentiality provision. In their current form the Providers do not include a provision obliging the data processor to ensure that the persons it authorises to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

Data processor's obligation to assist the data controller in responding to data subjects' requests. In their current form, clauses 5(d)(iii) and 5(e) of the Providers require only that the data processor notify the data controller of a data subject's request. The GDPR, however, requires the processor to assist the controller in responding to requests from data subjects exercising their rights under the Regulation;

The obligation of the data processor to cooperate in a data protection impact assessment (DPIA) conducted by the data controller. The Data Protection Directive imposed no obligation on the controller to conduct a DPIA, so the Providers do not regulate cooperation between controller and processor in that regard. The companies should add to the Providers a new obligation on the processor to assist the controller whenever the controller carries out a DPIA;

The data processor's obligation to assist the data controller in case of a data breach. Data controllers must include in their agreements with data processors a provision obliging the processor to notify the controller without undue delay after becoming aware of a personal data breach, and to assist the controller in investigating the breach and in notifying the supervisory authority and the affected data subjects; and

Requirements concerning audits. Although clauses 5(f) and 12(2) of the Providers already allow the data controller to inspect the processor for compliance with the clauses, the audit provision still falls short of the GDPR. Specifically, the processor must contribute to audits, including inspections, conducted by the controller or by another auditor mandated by the controller.