PERSONAL DATA PROTECTION POLICY

This Policy aims to bring PALM OVERSEAS TRAFFIC (hereinafter "the Company") into compliance with the legislation (EU General Data Protection Regulation 2016/679 - GDPR), the regulatory framework and best practices for the protection of individuals with regard to the processing of personal data by or on behalf of the Company.

Its faithful application aims at:

  • Protecting the reputation and status of the Company by taking all necessary due diligence measures to effectively protect the personal data it manages
  • Avoiding penalties, fines and prosecutions by competent supervisory authorities that may result from unintentional failure to comply with the legislative framework
  • Ensuring that the Company's personnel comply with the requirements of the legal and regulatory framework, and revising the operation of all its Units with regard to the Management of Personal Data.

1 Scope

This Policy applies to all natural persons whose data is processed by the Company, including but not limited to customers, prospective, current and former employees and their affiliates, partners, shareholders, affiliates and other stakeholders.

2 Basic Definitions - Concepts

2.1 Personal Data

All data about an identified or identifiable natural person, including data that identifies the person or could be used to identify, detect, monitor or communicate with them. By way of example and without limitation, Personal Data includes direct or indirect identification information such as name, ID number, work address, home address, email, telephone, date of birth, etc.

2.2 Controller

The natural or legal person, service or other body that determines the purposes and manner of processing personal data. For the purposes of this Policy, the Company is the controller.

2.3. Processor

The natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

2.4. Recipients

The natural or legal person, service or other body to whom personal data are disclosed.

2.5. Processing

Any process or series of processes carried out on personal data, with or without automated means, including but not limited to collecting, recording, organizing, storing, accessing, adapting, converting, retrieving, consulting, evaluating, analyzing, reporting, distribution, disclosure, dispersion, transmission, disposition, alignment, combination, interference, deletion, erasure or destruction.

2.6. Sensitive personal data

Any type of data that contains an inherent risk of causing harm to individuals, including but not limited to data related to health, race, ethnicity, religion, political or philosophical beliefs, criminal record, accurate geographic location information, banking or other financial numbers state-of-the-art accounts, government-issued registration numbers, minors, sex life, labor union relations, security, social security and other employers or government employees Hess.

2.7. Third party

Any organization not affiliated with the Company or a person not working in the Company.

2.8. Data security breach

Any security breach that results in accidental or unlawful destruction, loss, tampering, unauthorized disclosure or that allows unauthorized access to third-party personal data that has been transferred, stored or otherwise processed.

3 General principles

The processing of personal data is carried out in accordance with the following principles:

3.1. Necessity Principle

The processing of Personal Data takes place after the specific and legitimate business purpose for which it is necessary has been identified and recorded.

3.2. Transparency

Processing is done in ways and for purposes that are always transparent. In order to fulfill this obligation, the Company takes all necessary measures to inform the data subjects whose data it processes.

3.3. Legality

The processing of personal data is carried out in a manner that is not unfair to the data subjects and always on one of the following legal bases for processing:

  • The data subject has given consent
  • Processing is required to execute a contract
  • Processing is necessary to comply with a legal obligation of the Company as the controller
  • Processing is necessary to perform a task carried out in the public interest
  • Processing is necessary for the purposes of the legitimate interests pursued by the Company.

3.4. Data Quality

Personal data is kept accurate, complete, up-to-date and always in accordance with its desired and agreed upon use.

3.5. Security

The Company, as controller, takes all necessary measures and integrates security safeguards to protect the personal and sensitive data it processes from loss, unauthorized access, misuse or destruction.

4 Informing Data Subjects

The Company takes all necessary measures to inform the subjects, by any means available (electronic, by mail, by press), that their personal data is processed in accordance with applicable data protection legislation (General Data Protection Regulation) and the Company's Privacy Policy. Specifically, this notice includes information on:

  • The categories of personal data being processed
  • The purposes and modes of processing
  • The recipients of personal data
  • Their rights, as data subjects, deriving from the General Data Protection Regulation.

5 Managing Data Subject Requests

The Company is obliged to respond promptly (within 30 calendar days) to requests from the Data Subjects (ESAs) whose data it processes. The following requests are illustrative:

  • Request for access
  • Request for correction
  • Request to object
  • Request for deletion
  • Request for portability

The response to ESAs is given in a concise, transparent, comprehensible and easily accessible format, using clear and simple language, in written or other (including digital) media.

6 Data Breach Management

In the event of a data security breach, the Company shall take all necessary measures and shall comply with the procedures for:

  • identifying and categorizing the breach
  • limiting the harm
  • recovering the data (where technically feasible)
  • assessing the damage, that is, calculating the potential adverse effects of the security breach on the data subjects

The Controller is responsible for informing the ASCPS within 72 hours of discovering a security breach, if necessary.

7 Retention, Review and Destruction of Documents and Archives

Documents and records containing the respective rights and obligations of the Company and the Client, as provided for in the Service Contracts or the terms under which the Company provides services to the Client, shall be maintained at least throughout the relationship with the Client. These documents and files may take forms including, but not limited to:

  • Meeting books and calendars
  • Optical recordings
  • Contracts and Variations of Contracts
  • Digital archives
  • E-mails
  • Handwritten notes
  • Invoices
  • Correspondence
  • Objects of controls
  • Recorded telephone conversations

7.1. Document retention principles

The files are stored in a medium that allows the information to be retrieved for future review.

7.2. Retention period

The records / documents described above will be kept for as long as required by applicable law, national and Community law or customary practice.

7.3. Destruction of Documents and Files

Document destruction must be effective, permanent and carried out by appropriate means (e.g. recycling, document destruction, incineration, etc.).

The Company follows a specific practice of destroying documents and records, ensuring, in all cases, that the following are observed:

  • Assessment of the nature and content of the document
  • Period of retention of documents to meet the Company's obligations as these arise from national and Community law or customary practice
  • Compliance with General Privacy Policy Obligations
  • Retention of documents that serve as evidence before the Judicial Authorities
  • Indication of the date, method and approval of the destruction where appropriate
  • Compliance with the Document / File Destruction Protocol.