Dear visitor, client, partner,
Are you considering working with SHIPSTA?
The following links might be of interest to you when you aim to achieve data privacy compliance :
SHIPSTA is dedicated to managing natural persons’ data compliantly at every level and by every SHIPSTA employee. Compliance with data privacy regulations is a major building block in our data management strategy. We see the current data protection regulation as an advantage in terms of efficient data management and a way to demonstrate the value of all types of data along with their secure processing within a structured framework.
The data governance plan ultimately allows us to demonstrate our accountability to natural persons, providing them with control measures over their personal data. Based on auditing, implementation of compliance measures, regulatory authorities’ guidelines, best practices and maintaining compliance over the long term, this plan provides us with a road map and an opportunity to demonstrate to our customers, partners and employees our respect towards their personal data and our capacity to manage it in a secure and transparent way.
Specifically, we implemented the following steps and are committed to evaluating all data processing activities within SHIPSTA on a regular basis in order to maintain compliance with the applicable regulation.
1. As a product of our internal auditing, a specific action plan has been drafted for each team/department and is being followed; it contains concrete measures to be applied, implemented, updated and monitored.
2. An up-to-date record of processing activities is drafted and maintained by our internal DPO.
3. Information and links to our privacy policies in the data collection forms, ensuring transparency about how we process personal data.
4. Internal procedures allowing us to efficiently manage any request of exercise of the rights of the natural persons and the collaboration of different teams.
5. A set of dedicated and separate privacy policies for our website, for our e-procurement Platform and internally for our employees.
6. Gradual and proportionate implementation of Privacy by Design and by Default principles within the concept of our products, services and processes.
7. We have established a list of data processors, which are bound by data protection agreements that are as strong, in terms of providing an appropriate level of data protection, as those binding us with our clients, and which also ensure we can map and track as far as possible the road personal data travels under our responsibility.
8. Ensuring readiness to support our customers through the compliance process.
9. SHIPSTA’s staff regularly attends data privacy compliance training, which raises awareness of the requirements of the data privacy legal framework and informs about best practices when processing personal data.
10. An extensive list of the applied state-of-the-art Technical and Organizational Measures (TOMs) is established and kept up to date. Implemented by our IT Team, those measures ensure compliance with the requirements of the regulation, allowing for security and protection of the personal data processing activities adapted to the level of risk.
11. Application and support of appropriate safeguards in case of an international transfer, more specifically usage of the Standard Contractual Clauses of the European Commission and monitoring of the legal landscape post-Schrems II, to ensure the application of the legal control measures required by the Supervisory Authorities.
12. Continuous monitoring and maintenance of the compliance tools and procedures, as well as of guidance and decisions from European and local regulatory authorities and courts, which are used to steer and ensure SHIPSTA’s compliance within a constantly changing environment.
SHIPSTA’s team commits to following the data management plan based on auditing and the GDPR compliance requirements, updating the technical and organizational measures, documentation and policies with any applied and confirmed changes in the data privacy legal framework in the European Union.
SHIPSTA and its employees always strive to achieve a competitive, high level of quality in the products and services offered and will continue developing and applying the aforementioned risk control measures, as well as any additional ones required by any confirmed change in the data privacy legal framework in the European Union, in order to ensure compliant and secure data processing activities.
1. Name and address of the data controller
The data controller responsible for compliance with the General Data Protection Regulation EU 2016/679 (commonly described as GDPR), as well as other data protection regulations, including the national data protection laws of the EU Member States, is:
SHIPSTA S.à r.l.
7E, Route du Vin
Tel. +352 27 86 31 80
Website : www.shipsta.com
2. Exercising your GDPR rights and contacting the data protection officer
In order to exercise the rights conferred to you as a natural person by the Regulation EU 2016/679 (GDPR), please contact our data protection officer. Naturally, any other question related to the data privacy practices of SHIPSTA can also be addressed to our Data Protection Officer (DPO).
The data protection officer can be reached by sending an e-mail or a letter to :
E-mail : firstname.lastname@example.org
Postal address :
Data Protection Officer SHIPSTA S.à r.l.
7E, Route du Vin
We recommend that you send your letter with an acknowledgment of receipt.
In case of doubt, when you exercise any of your privacy rights, SHIPSTA reserves the right to ask you for a copy of your ID (this copy will be destroyed after verifying your identity).
If you are not convinced that your rights over your personal data have been respected after contacting us, you can file a complaint with the CNPD of Luxembourg at https://cnpd.public.lu/en/particuliers/faire-valoir.html or with the data protection authority of your place of residence or work. A full list can be found at this link: https://edpb.europa.eu/about-edpb/about-edpb/members_en
This will be necessary in the following cases:
1. Due to legal changes
2. Due to changes in the services we offer
3. Due to changes in our activities
4.1. Scope and purpose of the personal data processing
SHIPSTA collects and processes your personal data only insofar as this is necessary for the following activities, most of them including a direct communication with you (Customer, Prospect, Partner, Subcontractor, visitor of our Website) via phone, email, mail or video conference call :
- Within the scope of managing a contractual relationship with a subcontractor of any type ;
- Within the scope of acquiring deals and converting them into customers;
- Within the scope of managing the relationship with a prospect/customer and the relevant potential contractual negotiations, visits;
- Within the scope of GDPR Compliance Management ;
- Within the scope of post-contractual relationship management ;
- Within the scope of customer support tickets reception and management ;
- Within the scope of partnership management ;
- Within the scope of customer experience evaluation ;
- Within the scope of external communication campaigns management, webinars organization and newsletter distribution ;
- Within the scope of lead generation and nurturing, and data analysis ;
- Within the scope of business optimization and deals analysis, customer and prospect data analysis for aggregated and statistics data production.
- Within the scope of the establishment, exercise or defense of legal claims and in case of a litigation ;
We may regularly collect and use your personal data, but only with your consent. An exception applies in those cases where prior consent cannot be obtained for legal and factual reasons and the processing of the data is permitted by law.
SHIPSTA reserves the right to transfer your personal data for compliance with the legal obligations to which SHIPSTA is subject.
4.2. Legal basis for processing personal data
As each data processing activity requires a relevant legal basis, we at SHIPSTA invite you to go through the following list of legal bases that might be applicable when we process personal data.
Insofar as we obtain your consent for the processing of your personal data, Art. 6 (1) a) of the EU General Data Protection Regulation (GDPR) is the legal basis for its processing. You can freely withdraw your consent at any time, if you wish to do so, without invalidating the legal basis needed for such a processing activity.
When processing personal data, necessary to fulfill a contract agreement with you, Art. 6 (1) b) of the GDPR is the applicable legal basis. This also applies to processing operations that are necessary for carrying out pre-contractual measures after your request.
Insofar as the processing of personal data is necessary to fulfill a legal obligation to which SHIPSTA is subject, the applicable legal basis is Art. 6 (1) c) of the GDPR.
In the event that your vital interests or those of another natural person require the processing of personal data, Art. 6 (1) d) of the GDPR will be the applicable legal basis.
Art. 6 (1) f) of the GDPR is the applicable legal basis if data processing is necessary to safeguard SHIPSTA’s legitimate interest or that of a third party, but only if your interests, fundamental rights, and freedoms do not outweigh the aforementioned ones.
4.3. Data deletion and storage duration
Personal data might not be needed at some point for our operations. Therefore, we do take care of safely deleting it from our information systems and define strict rules over the retention periods of the collected and processed personal data.
Your personal data will be deleted or archived as soon as the purpose for its processing no longer applies or after you exercise your right to erasure regarding your personal data under the conditions set in Art. 17 GDPR. Your data may, however, continue to be stored in a distinct and secured database, if required by EU or national regulations, laws, or other provisions to which SHIPSTA is subject.
Data will be archived or deleted once said retention periods expire unless its further retention is required to establish or fulfill a contractual relationship.
- Within the scope of managing a relationship with a subcontractor of any type – 10 years for accounting documentation purposes, 10 years as of the date of end of contract for pre-contractual, contract-related and supporting documentation, including the written communication ;
- Within the scope of acquiring deals and converting them into customers – 2 years after the last contact with the prospect ;
- Within the scope of managing the relationship with a prospect/customer and the relevant potential contractual negotiations, visits – 2 years after the end of the contractual relationship with customer, 10 years at least for any contract-related information (including written pre-contractual and contractual communication) and 90 days after any visit ;
- Within the scope of GDPR Compliance Management – 10 years after the end of contract for pre-contractual and contractual written communication (for the establishment of DPA, sent and received e-mails and their copies), supporting documentation regarding compliance ;
- Within the scope of post-contractual relationship management – 2 years after the end of the contractual relationship with customer ;
- Within the scope of partnership management – after the end of contractual relationship with customer;
- Within the scope of customer support tickets reception and management – 2 years after the end of the contractual relationship with customer;
- Within the scope of customer experience evaluation – 2 years after the end of the contractual relationship with customer ;
- Within the scope of external communication campaigns management, webinars organization and newsletter distribution – 2 years after the last contact with the prospect, 6 months after end of webinar and after unsubscribing from the Newsletter reception (blacklisting email address for further 2 years, then definitive deletion) ;
- Within the scope of lead generation and nurturing, and data analysis – 2 years after the last contact with the prospect, 2 years after the end of the contractual relationship with customer ;
- Within the scope of the establishment, exercise or defense of legal claims and in case of a litigation – end of contractual relationship plus the time period for a definitive resolution ;
- Within the scope of business optimization and deals analysis, customer and prospect data analysis for aggregated and statistics data production – 2 years after the end of the contractual relationship with customer.
4.4. Data sharing, disclosure and transfers
In some cases, we require the assistance of one of our partners or subcontractors in order to process the data. The processing of personal data is governed by a specific contract (Data Processing Agreement or DPA), which defines how our subcontractors will process personal data on our behalf, in accordance with Art. 28 (3) GDPR. In the cases where such subcontractors are outside of the EU/EEA, the data transfer is subject to the Standard Contractual Clauses of the European Commission of 4 June 2021 (Decision 2021/914/EU), in accordance with Regulation 2016/679 (GDPR), as well as to supplementary security (technical and organizational) measures.
- For the examination of contractual documentation, its processing or editing and the signature of any document between you (customer, subcontractor, partner) and us ;
- To manage contact-related data and pre-contractual negotiations, dispatch newsletters and general information to partners and customers regarding updates of our products and services, and manage external communication campaigns ;
- To manage customer reports, requests and questions via tickets/email ;
- To acquire deals and convert them into customers and to manage the relationship with a prospect/customer ;
- To manage communication via e-mail, video calls and webinars ;
- For the analysis of data about leads, customers, deals for reporting generation and business optimization.
4.5. How has SHIPSTA obtained your personal data?
In general, SHIPSTA has contacted you after you have provided your personal data directly to us (e.g. via contact forms, by directly providing a business card, by meeting us and agreeing to be contacted, or when we have received an email from you without having an established contact with you, etc.).
In some cases, however, when contacting you, we may have obtained your personal data from another source and not directly from you. We may obtain personal data from partners in order to:
- Contact you to generate leads, qualify a prospect as a customer, and nurture the contact. Our sources are: Lusha Systems Inc., UpLead LLC, INFUSEmedia Inc., Lead Forensics Ltd (using sources COGNISM LIMITED or Rocket Reach LLC), including the organizers of trade fairs, conferences and also sources of publicly available information (e.g. LinkedIn).
5. Security of processing
Per Art. 32 (1) of the GDPR, SHIPSTA takes appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing activities and the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
The data is processed and stored exclusively on servers located in member states of the European Union.
6. Your privacy rights as a natural person
If your personal data is processed, you are a natural person (a data subject within the meaning of the GDPR) and you have the following privacy rights with respect to SHIPSTA as the data controller:
6.1. Rights to access
You can request that SHIPSTA confirm whether personal data that concerns you is processed by SHIPSTA, and grant you access to a copy of such data.
If such processing is taking place, you can request and obtain the following information:
- the purposes for the processing of personal data;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom your personal data has been or will be disclosed;
- the planned storage duration of your personal data or, if specific information in that regard is not possible, criteria for determining the storage period;
- the existence of any right to have your personal data rectified or deleted by SHIPSTA, or restrict or object to the processing activity due to your particular situation;
- the existence of a right to file a complaint to the Luxembourgish data protection authority (CNPD) or to a supervisory authority relative to your place of residence or work. We kindly invite you to find a full list following this link : https://edpb.europa.eu/about-edpb/about-edpb/members_en ;
- all available information on the source(s) of the data, if the personal data has not been directly collected from you;
- the existence of automated decision-making processes, including profiling, as defined in Art. 22 (1) and 4 of the GDPR, and meaningful information on the logic involved and the scope and intended effects of such processing for you;
- the right to request information regarding whether your personal information will be transmitted to a non-EEA country or an international organization. In this respect, you can request information about the appropriate guarantees regarding the data transfer, in accordance with Art. 46 of the GDPR.
6.2. Right to have data rectified
You have a right to correct and/or add to the personal data we have on file about you if it is incorrect or incomplete. We will take care of rectifying your data without undue delay.
If you have asserted the right to have your data rectified, we are obliged to notify all recipients to whom your personal data has been disclosed of the same, unless this proves to be impossible or involves disproportionate effort to be accomplished.
6.3. The right to restrict a processing activity
You may request that the further processing of your personal data is restricted if:
a) you dispute the accuracy of the personal data we have on file; its processing would then be restricted for as long as it takes us to verify its accuracy;
b) the processing is unlawful, you do not wish to have the data deleted, but instead wish its further use to be restricted;
c) SHIPSTA no longer needs the personal data for the predefined purposes, but you need it to assert, exercise, or defend legal claims; or
d) you have objected to the processing activity pursuant to Art. 21 (1) GDPR and it has not yet been established whether our legitimate reasons for its continued processing outweigh your right to object to the same.
If the processing of your personal data has been restricted, it may then be processed beyond its planned retention period only with your consent or for the purpose of asserting, exercising, or defending legal claims, or protecting the rights of another natural or legal person, or for reasons of an important public interest on the part of the Union or a Member State.
If the processing restriction has been placed in accordance with the aforementioned conditions, we will inform you before such a restriction is about to be lifted.
If you have asserted the right to restrict the further processing of your data, SHIPSTA is obliged to notify all recipients to whom your personal data has been disclosed of the same, unless this proves to be impossible or involves disproportionate effort to be accomplished.
6.4. Right to erasure (“right to be forgotten”)
a) Obligation to delete data
You may request that SHIPSTA deletes your personal data, and we will comply with this request without undue delay, if one of the following reasons applies:
- The personal data is no longer necessary in relation to the purpose(s) for which it was collected or otherwise processed;
- You withdraw the consent that was the basis of its processing per Art. 6 (1) a) or per Art. 9 (2) a) of the GDPR and there is no other legal basis for its further processing;
- You object per Art. 21 (1) of the GDPR and there are no overriding legitimate grounds for its further processing; or you submit an objection according to Art. 21 (2) of the GDPR;
- Your personal data has been unlawfully processed;
- Your personal data is required to be deleted in order to comply with a legal obligation under Union or Luxembourgish law to which SHIPSTA is subject;
- Your personal data has been collected in relation to services offered by information society services pursuant to Art. 8 (1) of the GDPR.
b) Transfer of personal data to third parties
If SHIPSTA has made your personal data public and is required to delete it under Art. 17 (1) of the GDPR, we will take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform the third parties who process the personal data, that you have requested the deletion of all links to the same as well as any copies thereof.
If you have asserted the right to have your data deleted, SHIPSTA is obliged to notify all recipients to whom your personal data has been disclosed of the same, unless this proves to be impossible or involves disproportionate effort to be accomplished.
The right to erasure does not apply insofar as the processing is necessary:
- to exercise the right to freedom of expression and information;
- for the performance of a legal obligation which makes such processing mandatory under Union or Luxembourgish law to which SHIPSTA is subject, or for the performance of a task in the public interest, or in the exercise of official authority conferred upon SHIPSTA;
- for reasons of public interest in the field of public health in accordance with Art. 9 (2) h) and i), as well as Art. 9 (3) of the GDPR;
- for archival purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Art. 89 (1) of the GDPR, to the extent that the right referred to in Section a) of 6.4 is likely to render impossible or seriously inhibit the ability to achieve said purposes; or
- to assert, exercise, or defend legal claims.
6.5. The right to data portability
You have the right to obtain a copy of the personal data we have on file about you in a structured, commonly used, machine-readable format.
Moreover, you have the right to transmit this data to another data controller without any obstruction from SHIPSTA if:
1. the processing is based on consent pursuant to Art. 6 (1) a) or Art. 9 (2) a) of the GDPR, or based on a contract in accordance with Art. 6 (1) b) of the GDPR and
2. the processing is carried out using automated methods.
In exercising this right, you also have the right to have us transfer the personal data we have on file about you directly to another party, if this is technically feasible.
Please take into consideration that such action must not affect the freedoms and rights of other persons.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on us.
6.6. Right of objection
You have the right, for reasons arising from your specific situation, to object at any time to the processing of personal data concerning you that is carried out in accordance with Art. 6 (1) f) of the GDPR. The same applies to profiling based on these provisions.
SHIPSTA will no longer process the personal data relating to you unless we can prove a compelling legitimate reason for the same, which outweighs your interests, rights, and freedoms, or unless the processing serves to assert, exercise, or defend our legal claims.
If the personal data concerning you is being processed for direct marketing purposes/lead generation, you have the right to object at any time to the processing of the personal data for the purpose of such marketing; this also applies to profiling, insofar as it is associated with direct marketing.
If you object to the processing that is for direct marketing purposes, the personal data will no longer be processed for these purposes.
6.7. Right related to automated decision in individual cases, including profiling
You have the right not to be subject to a decision based exclusively on automated processing – including profiling – that has legal effect against you or significantly impairs you in a similar manner.
This shall not apply if the processing activity:
- is necessary for us to establish or fulfill a contract between you and SHIPSTA;
- is authorized by Union or Luxembourgish law to which we are subject, provided said law also sets forth suitable measures for safeguarding your rights, freedoms, and legitimate interests; or
- is based on your explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9 (1) of the GDPR, unless Art. 9 (2) a) or g) of the GDPR apply, and appropriate measures have been taken to protect your rights and freedoms, as well as your legitimate interests.
In the cases referred to in (1) and (3) of 6.7, SHIPSTA shall take reasonable and proportionate measures to safeguard your rights, freedoms, and legitimate interests, including, at a minimum, the right to obtain the intervention of a person to state our position and to examine the decision taken during the processing activity.
6.8. Right to withdraw your consent
You have the right to withdraw your consent at any time. Please follow the unsubscribe link available or the instructions regarding the processing activity.
Please note that after withdrawing your consent, you will no longer benefit from the service.
6.9. Right to file a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to appeal to a supervisory authority (a full list can be found following this link : https://edpb.europa.eu/about-edpb/about-edpb/members_en), in particular in the Member State where you reside, work or where the infringement is suspected to be committed, if you believe that the processing of personal data that concerns you is in contravention of the GDPR.