Implementation of the EU General Data Protection Regulation 2016/679 – General Guidance to Members


  • Date: 23/04/2018

Introduction
Regulation (EU) 2016/679 containing the General Data Protection Regulation (the "GDPR" or "Regulations") will come into force on 25 May 2018 and as such will have direct effect in the EU/EEA. Therefore there will be no need for domestic legislation in the UK or other member countries to give effect to the GDPR. The General Data Protection Regulation, which is some 88 pages long, may be found here:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

English version: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&qid=1490179745294&from=en

This general guidance intends only to provide a brief introduction to the GDPR, as relevant to TT Club and its Members.

The broad intention of the Regulation is to replace Directive 95/46/EC, and strengthen and harmonise EU/EEA procedures concerning the collection, storage, processing, access, use, transfer and erasure of personal data. By establishing responsibilities for "controllers" and "processors" of personal data, the Regulation aims to provide natural persons with the same level of legally enforceable rights throughout the EU/EEA, and a supervisory and enforcement framework to ensure compliance.

The aim of the GDPR is to protect natural persons in relation to the processing of data. The Regulation effectively applies globally; firstly to those entities within the EU/EEA which may hold such data and secondly outside the EU/EEA to those which may offer goods or services to natural persons within the EU/EEA, or send personal data to organisations or other recipients within the EU/EEA.

Since TT Club operates within the EU/EEA, the GDPR will immediately apply to the Club. The impact of the Regulation will most often be felt in claims relating to bodily injuries, as well as policies provided to individuals (such as cargo all risks). Data originating from a legal entity that does not contain personal information, or information otherwise not related to natural persons is unaffected.

Similarly, the Regulation will apply to Members and third-party service providers wherever personal data is held or handled.  It is particularly important to note that it applies extensively outside the EU/EEA and therefore all Members need to consider the requirements of the Regulation, assess their exposure and put in place appropriate procedures and controls in order to comply.

Penalties for infringement
The level of administrative fines under the new regime is substantially higher than under the old legislation. The amount of a fine will depend on a number of factors in each individual case, including the nature and duration of the infringement, and any actions taken to mitigate damage suffered by the “Data Subject”. It is, however, worth noting that the penalties for infringements of the GDPR, in relation to certain provisions, can be up to €20 million or in the case of an undertaking, up to 4% of the worldwide annual turnover of the preceding financial year, whichever is higher.

Relevant definitions 
• "Personal Data" means any information relating to a Data Subject;
• "Data Subject" means an identified or identifiable living natural person or individual. This is someone who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of the relevant data.
• "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
• "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated or manual means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Roles of TT Club, Members, brokers, external service providers and claimants
The Club considers that it will be a controller for the purposes of the Regulations. The Club outsources day-to-day management of its business to the Thomas Miller Group, who will in some circumstances act as a joint controller. This will permit the Club to operate under the GDPR framework built by Thomas Miller, which will be able to perform administrative tasks that only a controller or joint controller is permitted to do. Thomas Miller will also be able to represent TT Club when dealing with the Data Regulator.

Further, where the GDPR applies, Members, brokers and external service providers such as Club Network Partners, correspondents, surveyors, and experts, will generally be controllers, since they are each independently likely to determine the purpose and means of the processing of the relevant data. If a processor determines “the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing”.

This would be relevant only where the matter in issue contains personal data, for example a bodily injury claim or one relating to cargo all risks. In that case, the relevant individual(s) bringing the claim would be the data subject, benefiting from the rights provided in the GDPR.

Some relevant requirements of the GDPR
• Principles for processing personal data;
• Rights of the data subject;
• Responsibilities of the controller and processor;
• Duty to notify Data Protection Authorities;
• Appointment of Data Protection Officer; and
• Transfer of personal data to third countries.

Principles for processing personal data 
The principles for processing personal data can be summarised as follows:
• Lawfulness – personal data should be processed only when there is a legal basis for doing so, such as consent, by contract, or where there is a legal obligation, or where it is necessary in order to protect the vital interests of the data subject, or where it is for the legitimate interests of the controller.
• Fairness – those involved in processing personal data should provide the data subject with sufficient information about the processing and the data subject's rights.
• Transparency – information should be provided in a concise and readily understandable manner.
• Purpose limitation – personal data should only be collected and processed for specified, explicit and legitimate purposes and it should not be processed for reasons unconnected with these purposes.
• Data minimisation – personal data should be adequate, relevant and limited to what is necessary for the purposes for which it has been collected and processed.
• Accuracy – personal data should be accurate and up-to-date.
• Storage limitation – personal data should be kept in a form permitting identification of data subjects for no longer than is necessary.
• Security – using appropriate measures, personal data should be secured to protect against unauthorised or unlawful processing, accidental loss, destruction or damage.

Personal data
Processing of personal data is prohibited unless specific conditions apply, such as express consent or where processing is a necessary consequence of the establishment, exercise or defence of legal claims, or wherever courts are acting in their judicial capacity.

It is recommended however that all Members and their associated named assureds, brokers, agents, etc. consider including suitable GDPR wording on their websites, in contracts, employment contracts, collective bargaining agreements and the like to allow the processing of sensitive personal data on a permitted basis.  This will be of particular importance when dealing with claims involving minors where more stringent GDPR conditions apply.

Stricter requirements apply to sensitive personal data. This includes data such as race, ethnic background, religious and political affiliations, and health and medical information about a data subject. 

Rights of the data subject 
Below is a summary of some of the rights which the data subject has, including the right to request information.
• Transparency and information – steps should be taken to provide the required information to the data subject, including details of the controller(s) and the purpose of processing the relevant personal data. This includes advising the data subject of any third parties to whom the personal data will be disclosed.
• Right of access – the data subject has a right to obtain confirmation of whether personal data concerning him or her is being processed, and for what purpose, and a right to request access to it.
• Right to rectify – the data subject has a right to rectify inaccurate information.
• Right to be forgotten – the data subject has a right to request that his or her personal data is erased, without undue delay, if certain conditions apply.
• Right to restrict processing – the data subject has a right to obtain from the controller restriction of processing where, for example, the accuracy of the personal data is contested by the data subject.

Responsibilities of those dealing with affected data

a. The controller and joint controller
The controller and joint controller are required to implement appropriate measures for the processing of personal data in accordance with the Regulation.  This includes establishing and implementing a 'data protection policy' and other specific requirements, such as:
• Only data necessary for the purpose – procedures must ensure that only personal data necessary for the purpose is processed.
• Processor – procedures must ensure that the processor has implemented compliant measures.
• The controller and joint controller are responsible for demonstrating compliance with the Regulation.

In the case of TT Club, it is envisaged that the Club will be the controller, and Thomas Miller will be a joint controller.  Members and their assureds will be controllers of the personal data that they have received from their crew and claimants. 

b. The processor
The processor must provide guarantees to the controller of appropriate technical and organisational measures so that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. A separate contract or agreement complying with specific requirements should be concluded between the controller and the processor.

c. Both controller and processor are responsible for the following
• Record of processing – processing records should be maintained and these should be available for inspection by the supervisory authority.
• Security of processing – appropriate security measures should be established.

d. Duty to notify Supervisory Authority
The controller shall notify the appropriate Supervisory Authority of a personal data breach in accordance with the GDPR where the rights and freedoms of the data subject have been affected. The processor is obliged to notify if it becomes aware of a breach of the GDPR.

e. Data Protection Officer
In certain circumstances, including where personal data is processed on a large scale, there is a duty to appoint a Data Protection Officer (“DPO”). The DPO has specific responsibilities, including the monitoring of compliance with the Regulation, to report and to give internal advice. The Club has appointed a DPO, Mr Jim Ashton.

f. Transfer of data to a third country
A transfer of personal data to a third country, in other words outside the EU/EEA, requires either that the EU Commission has decided that the relevant third country has established adequate levels of protection, or that the controller or processor in the third country has established or will establish appropriate levels of security. This does not apply where there is a valid legal basis or permitted derogation under the GDPR for the transfer, which may be the case where the transfer is necessary (for example in accordance with a legal obligation) to bring an insurance claim, such as a personal injury claim.

In some circumstances, the use of the EU Standard Model Clauses may be appropriate.


What does the Regulation mean for TT Club and its Members?
Some of the actions TT Club has taken, or is in the process of taking, in response to the GDPR are as follows:
• A Data Protection Policy is being established and implemented;
• A DPO has been appointed;
• Internal written procedures and processes are being updated to include, for example, a regular review to ensure that unnecessary personal data is deleted;
• Standard privacy notices to data subjects giving details of rights under the GDPR will be issued when required; and
• The security and integrity of IT and communication systems have been verified, in relation to both systems containing personal data and systems containing sensitive personal data.

Further impact on Members
Members operating within the EU/EEA area and those outside the EU/EEA offering goods or services to individuals in that area, or who hold personal data within the EU/EEA relating to individuals outside the EU/EEA, may need to undertake a similar exercise.

TT Club recommends that affected Members undertake a review with a focus on the following areas:
• Updating or adoption and implementation of a Data Protection Policy;
• Where data is handled on a large scale, consider the appointment of a DPO;
• Establish routines to ensure that data subjects receive appropriate information about processing of personal data and their rights;
• Unless there is another legal basis upon which to continue to store it, personal data which is no longer necessary should be deleted;
• Security should be enhanced for communications with third parties (including other P&I clubs) relevant to sensitive personal data as defined (e.g. health and medical data); and
• Additional checks should be established to ensure that personal data is transferred to third countries only when permitted (e.g. when there is a legal basis or a separate agreement exists).

The information on this page should not be construed as providing legal advice. Members should seek independent advice from a lawyer or their local Data Protection Authorities.

Any questions or comments can be directed to your usual TT Club contact.
