Privacy Regulations

Article 1. Definition of terms

In these Privacy Regulations the following terms have the following meanings:
Employee: anyone who is employed by the Employer for a fixed or indefinite period on the basis of an employment contract;
Employer: Alblasserdam Yachtbuilding B.V., Blue Ocean Engineering B.V and Oceanco SAM (hereinafter referred to as Oceanco);
Controller: Oceanco;
Employees of Third Parties: anyone who carries out activities at the premises of Oceanco on the basis of a contractual obligation;
Data Subject: the person to whom Personal Data relates;
GDPR: the General Data Protection Regulation (Algemene Verordening Gegevensbescherming);
Personal Data: any information concerning an identified or identifiable natural person;
Processing: any action or whole of actions concerning Personal Data, including the collection, transmitting, recording, dissemination, organizing, making available, storing, assembling, updating, combining, modifying, blocking, retrieving, erasing, consulting, using and destroying;
Filing System: any structured set of Personal Data that are accessible according to certain criteria, irrespective of whether this is entirely centralized or decentralized or has been disseminated on functional or geographical grounds;
Third Party: anyone other than Data Subject, the Controller, the Processor or any person authorized to process Personal Data under the direct authority of the Controller or the Processor;
Recipient: the person to whom Personal Data are provided;
Consent of the Data Subject: any free, specific, informed and unambiguous expression of will with which the Data Subject accepts the Processing of his/her Personal Data by means of a declaration or unambiguous active conduct;
Data Leak: a breach of security that inadvertently or unlawfully results in the destruction, loss, modification or unauthorized disclosure or unauthorized access to transmitted, stored or otherwise processed Personal Data.

Article 2. Scope of application

These Privacy Regulations apply to the fully or partially automated Processing of Personal Data. They also apply to non-automated Processing of Personal Data that is included in a Filing System or intended for that purpose.
These Privacy Regulations apply to Employees, job applicants, persons who perform work for Oceanco on a temporary/secondment basis and to self-employed workers without employees. These Privacy Regulations also apply to all Employees of Third Parties who carry out activities at the premises of Oceanco on the basis of a contractual obligation.

Article 3. Purpose and Processing of Personal Data

3.1 The purpose of these Privacy Regulations is to:
(1) protect the privacy of Data Subjects, whose Personal Data are processed, from misuse and from any incorrect Processing of Personal Data;
(2) prevent Personal Data from being Processed for any purpose other than the purpose for which it was collected;
(3) safeguard the rights of the Data Subjects.
3.2. Only Personal Data that have been legitimately obtained are Processed.
3.3. Processing of Personal Data is only permitted for those categories of Processing referred to in paragraph 8 of this provision.
3.4. The Processing of Personal Data must be in accordance with the purpose for which the Processing took place. The purpose differs per category and is described in the Appendices to these Privacy Regulations.
3.5. Personal Data are processed on the basis of the principles that this Processing is necessary for the execution of the (employment) contract between Oceanco and the Data Subject or for compliance with a legal obligation. On the basis of these principles, the Data Subject is obliged to provide the requested Personal Data because Oceanco is otherwise unable to adequately comply with its obligations with respect to the Data Subject and because this is necessary for conducting a proper personnel policy. If the Data Subject refuses to provide certain Personal Data, this may have consequences for the (continuation of the) (employment) relationship.
3.6. In the case of the Processing of Personal Data of job applicants, the Processing takes place on the basis of a legitimate interest, which importance is evident from the purposes described in Appendix 1.
3.7. No Personal Data may be processed other than the Personal Data mentioned in the Appendices to these Privacy Regulations, unless separate agreements have been made about this.
3.8. The categories of Processing are:
a. job applicants (Appendix 1);
b. personnel administration (Appendix 2);
c. payroll records (Appendix 3);
d. severance pay (Appendix 4);
e. pension (Appendix 5);
f. Oceanco Compliance administration (Appendix 6);
g. entrance records (Appendix 7).

Article 4 Provision of Personal Data

Personal Data are only provided to those who are mentioned in the Appendices to these Privacy Regulations.

Article 5 Access to Personal Data

5.1 With the exception of statutory provisions of legislation and regulations to this effect, access to Personal Data is granted exclusively to:
• those, including Third Parties, who are in charge of or who direct the activities related to the Processing of the Personal Data or who are necessarily involved in doing so;
• others, in the cases referred to in Article 6, paragraph 1, under a, c and/or d of the GDPR.
5.2 Those referred to in paragraph 1, point a must register in the Filing System that is attached to these Privacy Regulations as Appendix 6.

Article 6 Security and confidentiality

6.1 Oceano will ensure the implementation of appropriate technical and organizational measures to prevent the loss or unlawful Processing of Personal Data. These measures will guarantee an appropriate level of security,
taking into account the state of the art and the costs of implementation, having regard to the risks involved in the Processing and the nature of the Personal Data to be
protected. The measures are also aimed at preventing unnecessary collection and further Processing of Personal Data.
6.2 If electronic Processing of Personal Data occurs, the administrator will use the personnel information system to give the various persons, as referred to in Article 5, access to certain parts of the Personal Data or to all the Personal Data as their work requires.
6.3 Anyone who is involved in the implementation of these Privacy Regulations and who thereby acquires access to the Personal Data of which he/she knows or can reasonably suspect is confidential in nature and for which an obligation of secrecy does not yet apply by virtue of an occupation, position or statutory provision in respect of the Personal Data, has a duty to maintain confidentiality. This does not apply if any statutory provision obliges him/her to disclosure or the necessity of disclosure arises from his/her duties for the implementation of these Privacy Regulations.
6.4 Anyone who is involved in the implementation of these Privacy Regulations and who becomes aware of a (possible) Data Leak, is obliged to report this to Oceano immediately.
The report must be submitted to the DPO (Data Protection Officer) Manager.
6.5 Oceano will notify the Data Subject of any Data Leak, if such Data Leak is likely to have adverse effects on his/her personal privacy.

Article 7 Duty to inform

7.1 Oceano will inform the Data Subject about the Processing of his/her Personal Data prior to the collection of the Personal Data or, if the Personal Data originate from Third Parties, prior to the moment of recording.
7.2 Oceano will inform the Data Subject about the Personal Data that is processed, the purpose of the Processing and to whom the Personal Data are provided.

Article 8 Rights of the Data Subject

8.1 The Data Subject is entitled to access to the Personal Data processed that relate to him/her (right of access).
8.2 The Data Subject is entitled to rectification of incorrect Personal Data relating to him/her or the right to provide a supplementary statement where the Processing takes place on the basis of incomplete Personal Data. Oceanco is obliged to notify any recipient to whom Personal Data has been provided of any rectification, unless this is impossible or requires a disproportionate amount of effort.
8.3 Oceanco is required, in certain cases, to erase Personal Data of the Data Subject at his/her request without unreasonable delay. This is the case, for example, where:

  • the Personal Data are no longer required for the purposes of Personal Data Processing;
  • the Data Subject has withdrawn his/her consent and there is no other legal basis for the Processing;
  • the Data Subject objects to the Processing;
  • the Personal Data have been processed unlawfully.


8.4 The Data Subject is entitled to the portability of his/her Personal Data (data portability).
8.5 The Data Subject is entitled to restrict the Processing (that is to say the Personal Data may not (temporarily) be processed) if:

  • the Personal Data may be incorrect;
  • the Processing is unlawful but the Data Subject does not yet want the Personal Data to be erased;
  • the Personal Data is no longer needed for the purpose for which it was collected, but the Data Subject still needs it for a legal action;
  • an objection is made against the Processing of the Personal Data.


8.6 Within one month of receipt of the request from the Data Subject, Oceanco will inform him/her in writing about putting the request into effect. This will also take place if the request is not put into effect. A refusal to comply with the request will be accompanied by reasons and the Data Subject will be informed of the possibility of submitting a complaint to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
If more time is needed to respond to the request, the Data Subject will be informed of this within one month. The extra time required will not exceed two months.

Article 9 Retention periods

With regard to the retention periods applied by Oceanco, a distinction is made according to the nature of the Personal Data:
1. Personnel administration/payroll accounting: the Personal Data will be erased no later than seven years after the end of the employment or the activities of the Data Subject on behalf of the Controller, unless the Personal Data are necessary for compliance with a legal retention obligation.
2. Job applicant records: the Personal Data will be deleted at the request of Data Subject and in any case no later than four weeks after the application procedure has ended.

Article 10 Objection


10.1 If the Data Subject considers that the provisions of GDPR, as detailed in these Privacy Regulations, are not complied with, he/she should contact the DPO Manager.
10.2 If the complaint submitted by the Data Subject does not lead to a result acceptable to him/her, he/she can apply to the Dutch Data Protection Authority or the courts.

Article 11 Entry into effect

These Privacy Regulations enter into effect on 25 May 2018.

Appendix 1 Job applicants

1. The Data Processing takes place only for the following purposes:
a. an assessment of the suitability of the job applicant for a position that is or may become vacant;
b. settlement of the expenses incurred by the job applicant;
c. internal control and company security;
d. the implementation or application of another law or regulation.

2. The only Personal Data that will be processed is: a. name, first names, initials, title, gender, date of birth, address, postal code, place of residence, telephone number, e-mail address and similar data required for communications, as well as the bank account number of the Data Subject;
b. a personnel number containing no information other than that referred to under a;
c. nationality and place of birth;
e. data concerning training programmes, courses and internships taken or to be taken;
f. data concerning the job that was applied for;
g. data on the nature and content of the current employment and its termination;
h. data on the nature and content of the previous employment and its termination;
i. other data with a view to performing the duties, which are provided by the Data Subject or known to him/her;
k. data, other than those referred to under a to h, the Processing of which is required pursuant to or necessary due to the application of another law.

3. The Personal Data will only be provided to: a. those, including Third Parties, who are in charge of or who direct the activities referred to in the first paragraph or who are necessarily involved in doing so;
b. others, in the cases referred to in Article 6, paragraph 1, under a, c and/or d of the GDPR.

Appendix 2 Personnel administration

1. The Processing will take place only for the following purposes:
a. to provide guidance to the activities of the Data Subject;
b. for dealing with personnel matters;
c. to determine and pay salary claims;
d. to arrange claims for benefits in connection with the termination of employment;
e. the training programmes of the Data Subject;
f. the company medical care of the Data Subject;
g. for arranging matters relating to absenteeism and reintegration and related support;
h. staff welfare;
i. for the election of members of an employee participation body, as stipulated by law;
j. for internal control and company security purposes;
k. to implement a condition of employment that applies to the Data Subject;
l. to compile a list of birthdays of Data Subjects and other festivities and events;
m. dismissal;
n. the records of the staff association;
o. to collect debts, including passing on these debts to Third Parties;
p. to deal with disputes and have an audit performed;
q. to implement or apply a law.

2. The only Personal Data that will be processed is: a. name, first names, initials, title, gender, date of birth, address, postal code, place of residence, telephone number, e-mail address and similar data required for communications, as well as the bank account number of the Data Subject;
b. a personnel number containing no information other than that referred to under a;
c. the citizen service number (burgerservicenummer);
d. nationality and place of birth;
e. data concerning training programmes, courses and internships taken or to be taken;
f. data concerning the position or the former position, as well as the nature, content and termination of the employment;
g. data with a view to the administration of the presence of the Data Subjects at the place where work is carried out and their absence in connection with leave, reduction of working hours, birth or illness, with the exception of data on the nature of the illness;
h. data that is included in the interests of the Data Subjects, for the purpose of their working conditions;
i. data that are important for the guidance of Data Subjects in the event of sick leave/incapacity for work;

j. data, including data concerning family members and former family members of the Data Subjects, that are necessary in view of an agreed condition of employment;
k. a telephone number that can be called in the case of an emergency;
l. data with a view to organizing a personnel assessment and career counselling, insofar as these data are known to the Data Subjects;
m. data, other than those referred to under a to n, the Processing of which is required pursuant to or necessary in view of the application of another law.

3. The Personal Data will only be provided to: a. those, including Third Parties, who are in charge of or who direct the activities referred to in the first paragraph or who are necessarily involved in doing so;
b. others, in the cases referred to in Article 6, paragraph 1, under a, c and/or d of the GDPR.
c. a trade union or a federation of trade unions for the purpose of consultations with its members on the composition of the list of candidates for a legally scheduled election of the members of an employee participation body of the organization of the Controller, insofar as it only concerns data as referred to in the third paragraph, under a, and after the intention thereto has been communicated to the person concerned or his/her legal representative.

Appendix 3 Payroll accounting

1. The Processing will take place only for the following purposes:
a. the calculation, recording and paying of salaries, allowances and other sums of money and rewards in kind to or for the Data Subject;
b. the calculation, recording and paying of taxes and premiums for the Data Subject;
c. a condition of employment that applies to the Data Subject;
d. the personnel administration;
e. to arrange claims for benefits in connection with the termination of an employment contract;
f. dismissal;
g. the collection of debts, including the passing on of debts to Third Parties;
h. to deal with disputes and have an audit performed;
i. to implement or apply another law.

2. The only Personal Data that will be processed is:
a. name, first names, initials, title, gender, date of birth, address, postal code, place of residence, telephone number, e-mail address and similar data required for communications, as well as the bank account number of the Data Subject;
b. a personnel number containing no information other than that referred to under a;
c. the citizen service number; (except for hirers)
d. nationality and place of birth;
e. data for the purpose of the calculation, recording and paying of salaries, allowances and other sums of money and rewards in kind to or for persons referred to in the first paragraph;
f. data for the purpose of the calculation, recording and paying of salaries and allowances for the Data Subject;
g. data, including data concerning family members and former family members of the Data Subjects, that are necessary for the purpose of an agreed condition of employment;
h. data other than those referred to under a to g, the Processing of which is required pursuant to or necessary with a view to the application of another law.

3. The Personal Data will only be provided to:
a. those, including Third Parties, who are in charge of or who direct the activities referred to in the first paragraph or who are necessarily involved in doing so;
b. others, in the cases referred to in Article 6, paragraph 1, points a, c and/or d of the GDPR

Appendix 4 Severance pay

1. The Processing will take place only for the following purposes:
a. the calculation, recording and paying of benefits, as referred to in the first paragraph, to or for the Data Subjects;
b. the calculation, recording or the payment of taxes and premiums for the Data Subjects;
c. a condition of employment that applies to the Data Subject;
d. the personnel administration;
e. the payroll accounting;
f. the transfer of the Data Subject to or his/her temporary deployment to another part of the group, as referred to in Article 2:24b of the Dutch Civil Code (Burgerlijk Wetboek), with which the Controller is affiliated;
g. to grant dismissal;
h. the collection of debts, including the passing on of debts to Third Parties;
i. to deal with disputes and have an audit performed;
j. to implement or apply another law.

2. The only Personal Data that will be processed is:
a. name, first names, initials, title, gender, date of birth, address, postal code, place of residence, telephone number, e-mail address and similar data required for communications, as well as the bank account number of the Data Subject;
b. a personnel number containing no information other than that referred to under a;
c. the citizen service number;
d. nationality and place of birth;
e. data as referred to under a, of the parents, guardians or caregivers of employees who are still minors and former staff members;
f. data, including data concerning family members and former family members of the Data Subjects, for the purpose of determining the amount of the claim to or for the persons referred to in the first paragraph;
g. data for the purpose of the calculation, recording and paying of salaries and allowances for the persons referred to in the first paragraph;
h. data, including data concerning family members and former family members of the Data Subjects, that are necessary for the purpose of an agreed condition of employment;
k. data, other than those referred to under a to h, the Processing of which is required pursuant to or necessary due to the application of another law.

3. The Personal Data will only be provided to:

a. those, including Third Parties, who are in charge of or who direct the activities referred to in the first paragraph or who are necessarily involved in doing so;
b. others, in the cases referred to in Article 6, paragraph 1, points a, c and/or d of the GDPR

Appendix 5 Pension

1. The Processing will take place only for the following purposes:
a. to determine the amount of the claim of the Data Subject;
b. the calculation, recording and collecting of contributions;
c. the calculation, recording and paying of the benefit, as referred to in the first paragraph, to or for the Data Subjects;
d. the calculation, recording or the payment of taxes and premiums for the Data Subjects;
e. the collection of debts, including the passing on of debts to Third Parties;
f. to deal with disputes and have an audit performed;
g. to implement or apply another law.

2. The only Personal Data that will be processed is:
a. name, first names, initials, title, gender, date of birth, address, postal code, place of residence, telephone number, e-mail address and similar data required for communications, as well as the bank account number of the Data Subject;
b. a personnel number containing no information other than that referred to under a, the time at which data on the Data Subject are recorded in the administration, a reference to the employer through whose intervention the claim referred to in the first paragraph has been reached and a reference to the branch of industry concerned;
c. the citizen service number;
d. nationality and place of birth;
e. data, including data relating to beneficiaries other than the Data Subject, for the purpose of determining the amount of the claim of the Data Subject;
f. data for the purpose of the calculation, recording and paying of premiums;
g. data for the purpose of the calculation, recording and paying of the benefits to or for the Data Subject referred to in the first paragraph;
h. data other than those referred to under a to g, the Processing of which is required pursuant to or necessary with a view to the application of another law.

3. The Personal Data will only be provided to:
a. those, including Third Parties, who are in charge of or who direct the activities referred to in the second paragraph or who are necessarily involved in doing so;
b. others, in the cases referred to in Article 6, paragraph 1, points a, c and/or d of the GDPR
c. an association of former staff members for the consultation and the organization of a representative body of pensioners in pension schemes, insofar as it only concerns data as referred to in the third paragraph, under a, and after the intention to do so has been communicated to the Data Subject or his/her legal representative.

Appendix 6 Oceanco Compliance administration

1. The Processing will take place only for the following purposes:
a. to allow work to be carried out at the premises of Oceanco in accordance with the relevant legislation;
b. to check for the presence for safety guidelines at Oceanco.

2. The only Personal Data that will be processed is:
a. name, first names, initials, gender, date of birth, telephone number, e-mail address and similar data required for communications;
b. nationality and place of birth;
f. data for the purpose of determining social security;
d. information with a view to verifying that all necessary documents are present which justify the carrying out of work at the premises of Oceanco;
e. the duration of the work to be carried out.
f. data from the contractual client of the Data Subject.

Appendix 7 Entrance records

1. The Processing of the following data is for the purpose of:
- identifying the presence or absence of the Data Subject at the collection point at the time of an evacuation drill;
- identifying the Data Subject at the time of a visitation in the context of guaranteeing public safety and protecting property owned by Oceanco and its employees, and the protection of the privacy of our customers.

2. The only Personal Data that will be processed is:
- Date of authenticity check of the ID document;
- First name and surname;
- Date of birth;
- Passport photo;
- ID document number;
- Validity date ID document.
In addition, a mobile telephone number and vehicle registration number are recorded for the Drivers visitor group
Only the name and surname are recorded for the registration of the Drivers visitor group and manual identification is performed by security.

Appendix 8

Overview of those who have access to the personnel records of Oceanco, as referred to in Article 5, paragraph 2 of these Privacy Regulations.

See Appendix A for the personnel file.
In accordance with Appendix 6, access to the Oceanco compliance administration data is restricted to HR administration (see Appendix A for the details of relevant employees).
Access to entrance records is restricted to the hired security organization and all HSSE employees.

READ OUR COOKIE REGULATIONS →