If your personal data is processed, you are a natural person (a data subject within the meaning of the GDPR) and you have the folloing privacy rights with respect to SHIPSTA as the data controller:
6.1. Rights to access
You can request that SHIPSTA confirms whether personal data that concerns you is processed by SHIPSTA, and grant you access to a copy of such data.
If such processing is taking place, you can request and obtain the following information:
- the purposes for the processing of personal data;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom your personal data has been or will be disclosed;
- the planned storage duration of your personal data or, if specific information in that regard is not possible, criteria for determining the storage period;
- the existence of any right to have your personal data rectified or deleted by SHIPSTA, or restrict or object to the processing activity due to your particular situation;
- the existence of a right to file a complaint to the Luxembourgish data protection authority (CNPD) or to a supervisory authority relative to your place of residence or work. We kindly invite you to find a full list following this link : https://edpb.europa.eu/about-edpb/about-edpb/members_en ;
- all available information on the source(s) of the data, if the personal data has not been directly collected from you;
- the existence of automated decision-making processes, including profiling, as defined in Art. 22 (1) and 4 of the GDPR, and meaningful information on the logic involved and the scope and intended effects of such processing for you;
- the right to request information regarding whether your personal information will be transmitted to a non-EEA country or an international organization. In this respect, you can request information about the appropriate guarantees regarding the data transfer, in accordance with Art. 46 of the GDPR.
6.2. Right to have data rectified
You have a right to correct and/or add to the personal data we have on file about you if it is incorrect or incomplete. We will take care of rectifying your data without undue delay.
If you have asserted the right to have your data rectified, we are obliged to notify all recipients to whom your personal data has been disclosed of the same, unless this proves to be impossible or involves disproportionate effort to be accomplished.
6.3. The right to restrict a processing activity
You may request that the further processing of your personal data is restricted if:
a) you dispute the accuracy of the personal data we have on file; its processing would then be restricted for as long as it takes us to verify its accuracy;
b) the processing is unlawful, you do not wish to have the data deleted, but instead wish its further use to be restricted;
c) SHIPSTA no longer needs the personal data for the predefined purposes, but you need it to assert, exercise, or defend legal claims; or
d) you have objected to the processing activity pursuant to Art. 21 (1) GDPR and it has not yet been established whether our legitimate reasons for its continued processing outweigh your right to object to the same.
If the processing of your personal data has been restricted, it may then be processed beyond its previewed retention period only with your consent or for the purpose of asserting, exercising, or defending legal claims, or protecting the rights of another natural or legal person, or for reasons of an important public interest on the part of the Union or a Member State.
If the processing restriction has been placed in accordance with the aforementioned conditions, we will inform you before such a restriction is about to be lifted.
If you have asserted the right to restrict the further processing of your data, SHIPSTA is obliged to notify all recipients to whom your personal data has been disclosed of the same, unless this proves to be impossible or involves disproportionate effort to be accomplished.
6.4. Right to erasure (“right to be forgotten”)
a) Obligation to delete data
You may request that SHIPSTA deletes your personal data, and we will comply with this request without undue delay, if one of the following reasons applies:
- The personal data is no longer necessary in relation to the purpose(s) for which it was collected or otherwise processed;
- You withdraw the consent that was the basis of its processing per Art. 6 (1) a) or per Art. 9 (2) a) of the GDPR and there is no other legal basis for its further processing;
- You object per Art. 21 (1) of the GDPR and there are no overriding legitimate grounds for its further processing; or you submit an objection according to Art. 21 (2) of the GDPR;
- Your personal data has been unlawfully processed;
- Your personal data is required to be deleted in order to comply with a legal obligation under Union or the Luxembourgish law to which SHIPSTA is a subject;
- Your personal data has been collected in relation to services offered by information society services pursuant to Art. 8 (1) of the GDPR.
b) Transfer of personal data to third parties
If SHIPSTA has made your personal data public and is required to delete it under Art. 17 (1) of the GDPR, we will take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform the third parties who process the personal data, that you have requested the deletion of all links to the same as well as any copies thereof.
If you have asserted the right to have your data deleted, SHIPSTA is obliged to notify all recipients to whom your personal data has been disclosed of the same, unless this proves to be impossible or involves disproportionate effort to be accomplished.
The right to erasure does not apply insofar as the processing is necessary:
- to exercise the right to freedom of expression and information;
- for the performance of a legal obligation which makes such processing mandatory under the law of the Union or of the Luxembourgish law to which SHIPSTA is subject, or for the performance of a task in the public interest, or in the exercise of official authority conferred upon SHIPSTA;
- for reasons of public interest in the field of public health in accordance with Art. 9 (2) h) and i), as well as Art. 9 (3) of the GDPR;
- for archival purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Art. 89 (1) of the GDPR, to the extent that the right referred to in Section a) of 6.4 is likely to render impossible or seriously inhibit the ability to achieve said purposes; or
- to assert, exercise, or defend legal claims.
6.5. The right to data portability
You have the right to obtain a copy of the personal data we have on file about you in a structured, commonly used, machine-readable format.
Moreover, you have the right to transmit this data to another data controller without any obstruction from SHIPSTA if:
1. the processing is based on consent pursuant to Art. 6 (1) a) or Art. 9 (2) a) of the GDPR, or based on a contract in accordance with Art. 6 (1) b) of the GDPR and
2. the processing is carried out using automated methods.
In exercising this right, you also have the right to have us transfer the personal data we have on file about you directly to another party, if this is technically feasible.
Please, take into consideration that such action must not affect the freedoms and rights of other persons.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on us.
6.6. Right of objection
You have the right, for reasons arising from your specific situation to object to the processing of personal data concerning you at any time, which is carried out in accordance with Art. 6 (1) f) of the GDPR. The same applies to profiling based on these provisions.
SHIPSTA will no longer process the personal data relating to you unless we can prove a compelling legitimate reason for the same, which outweighs your interests, rights, and freedoms, or unless the processing serves to assert, exercise, or defend our legal claims.
If the personal data concerning you, is being processed for direct marketing purposes/lead generation, you have the right to object at any time to the processing of the personal data for the purpose of such marketing; this also applies to profiling, insofar as it is associated with direct marketing.
If you object to the processing that is for direct marketing purposes, the personal data will no longer be processed for these purposes.
6.7. Right related to automated decision in individual cases, including profiling
You have the right not to be subject to a decision based exclusively on automated processing – including profiling – that has legal effect against you or significantly impairs you in a similar manner.
This shall not apply if the processing activity:
- is necessary for us to establish or fulfill a contract between you and SHIPSTA;
- is authorized by Union or by the Luxembourgish law to which we are subject, provided said law also sets forth suitable measures for safeguarding your rights, freedoms, and legitimate interests; or
- is based on your explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9 (1) of the GDPR, unless Art. 9 (2) a) or g) of the GDPR apply, and appropriate measures have been taken to protect your rights and freedoms, as well as your legitimate interests.
In the cases referred to in (1) and (3) of 6.7, SHIPSTA shall take reasonable and proportionate measures to safeguard your rights, freedoms, and legitimate interests, including, at a minimum, the right to obtain the intervention of a person to state our position and to examine the decision taken during the processing activity.
6.8. Right to withdraw your consent
You have the right to withdraw your consent at any time. Please, follow the unsubscribe link available or the instructions regarding the processing activity.
Please, note that after withdrawing your consent, you will no longer benefit from the service.
6.9. Right to file a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to appeal to a supervisory authority (a full list can be found following this link : https://edpb.europa.eu/about-edpb/about-edpb/members_en), in particular in the Member State where you reside, work or where the infringement is suspected to be committed, if you believe that the processing of personal data that concerns you is in contravention of the GDPR.