Data Protection Policy

Policy 1 out of 4


1 INTRODUCTION

1.1 This data protection policy (the "Policy") governs the collection, use, disclosure, transfer and storage of Personal Data by Susesea Ship Management Pte Ltd, and its subsidiaries and/or affiliates (together "Susesea") as controllers of Personal Data. For further details of the applicable Susesea subsidiary or affiliate processing Personal Data of Data Subjects and as a controller (where applicable), please see Schedule 1 to this Policy.

1.2 This Policy includes the following policies that set out Susesea's approach to the processing of Personal Data:

(a) the Personal Data Incident Notification Policy in relation to the procedures to be followed in the event of an incident relating to Personal Data;

(b) the Data Transfers Policy in relation to transfers of data to organisations outside of the European Economic Area ("EEA");

(c) the Data Retention & Destruction Policy in relation to the retention of data by Susesea; and

(d) the Privacy Policy for users of Susesea websites.

1.3 This Policy:

(a) has been approved by the Managing Director of Susesea;

(b) may be amended by Susesea at any time, consistent with the requirements of applicable laws and regulations. Any revisions will take effect from the date on which the amended Policy is published, as indicated in the version number set out herein; and

(c) applies to all Colleagues.

1.4 Any breach of this Policy will be taken seriously and may result in disciplinary action.

1.5 Any questions or concerns about the operation of this Policy, including whether this Policy has been followed, should be referred to the Data Protection Officer.

1.6 Where there are local requirements in respect of a particular jurisdiction, Susesea may state so and/or publish further policies.

SUSESEA SHIP MANAGEMENT PTE LTD

Managing Director

Date: September, 2018

2 DEFINITIONS

2.1 "Colleague" means any full, part-time or temporary employee or seafarer, or any contractor of Susesea;

"Data Subject" means any individual who is the subject of Personal Data that is processed by Susesea;

"Data Protection Laws" means all applicable laws, rules, regulations, directives and governmental requirements relating in any way to the privacy, confidentiality, security, integrity and protection of Personal Data, including without limitation: (a) the Singapore Data Privacy Act of 2012 and its implementing rules and regulations (together the "DPA"); (b) the EU Data Protection Directive 95/46/EC, the EU General Data Protection Regulation 2016/679, the EU ePrivacy Directive 2002/58/EC as amended by Directive 2009/136/EC, each as amended or superseded from time to time, and any EU Member State national implementing legislation; (c) applicable laws regulating unsolicited telephone calls, email, text/SMS or other electronic or anti-spam legislation; (d) applicable laws relating to data breach notification; (e) applicable laws imposing minimum security requirements; (f) applicable laws requiring the secure disposal of records containing Personal Data; and (g) applicable laws regulating cross-border data transfers of Personal Data;

"DPO" means the data protection officer for Susesea globally and for GDPR purposes as set out in Schedule 2;

"Group Legal" means the legal department of Susesea;

"Personal Data" means any data relating to an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural, or social identity. Examples of information that may permit this kind of identification include without limitation addresses, email addresses, telephone numbers, dates of birth, identity card numbers, human resources files about employees, details of clients and suppliers;

"process" or "processing" or "processed" means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;

"Sensitive Personal Data" means any data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or biometric data, data concerning health, data concerning sex life or sexual orientation, and data concerning the commission or alleged commission of any offence.[1]

[1] Singapore: For DPA purposes, Sensitive Personal Data includes any other Personal Data classified as "sensitive personal information" by applicable Singapore data privacy laws.

2.2 Words denoting the singular shall include the plural and vice versa.

3 DPO

3.1 The DPO is responsible for monitoring, enforcing and ensuring Susesea's compliance with Data Protection Laws.

3.2 Process for data protection queries

If there are data protection queries, please follow this process:

(a) in the first instance, consult this Policy and/or the other policies mentioned in Section 1.2;

(b) if the query cannot be resolved as above, contact your DPO;

(c) if the query cannot be resolved as above, contact the Management.

4 COLLECTION AND USE OF PERSONAL DATA

4.1 Susesea collects Personal Data relating to:

(a) applicants for employment, full, part-time and temporary employees ("Employee Personal Data");

(b) applicants for seafarer employment, full, part-time and temporary seafarers with whom Susesea may enter into employment contracts as agent only for and on behalf of ship owners and/or as employers ("Seafarer Personal Data");

(c) contractors ("Contractor Personal Data");

(d) clients ("Client Personal Data");

(e) suppliers and other persons who provide goods and/or services to Susesea ("Supplier Personal Data"); and

(f) users of our websites or other related services provided by Susesea ("User Personal Data").

4.2 Employee Personal Data and Seafarer Personal Data

(a) Susesea may hold and process the following types of Employee Personal Data and Seafarer Personal Data:

(i) personal details: name, address and contact information, national identity/registry/insurance numbers, date of birth, gender, immigration status and eligibility to work;

(ii) family composition: names of spouses and/or dependents and emergency contact details;

(iii) employment details: CVs, recruitment details and application forms, job history and experience, references, qualifications, appraisals and performance ratings, promotions/demotions, training records, information related to an employment contract, working time records and records relating to holiday and other leave, disciplinary actions, investigations or grievances, and workplace accidents;

(iv) education and vocational training, language, and other job-related skills;

(v) medical and fitness details;

(vi) financial details, including salary, bonuses, expense reimbursement and benefit information, bank account numbers, pensions, and details of any company loans, contractual payment and entitlements; and

(vii) photographs of individuals.

(b) The processing of Employee Personal Data and Seafarer Personal Data enables Susesea to perform its role as an employer and/or agent, including fulfilling its legal obligations under applicable laws and as necessary in connection with the performance of employment contracts. Without this information it would not be possible for Susesea to perform a worker's employment contract. Certain Employee Personal Data and Seafarer Personal Data is processed by Susesea for its legitimate business interests, including without limitation:

(i) administration and management of its employees;

(ii) administration of employee benefits and entitlements;

(iii) recruitment and determining suitability for employment or promotion;

(iv) conducting employee appraisals and performance evaluations;

(v) administering payroll services and other benefits, including pay, allowances, pension, health and life insurance, and other benefits, taxation, and other deductions from pay;

(vi) ensuring employee health and safety, monitoring attendance, and determining physical and/or mental fitness to work;

(vii) disciplining and investigating suspected misconduct or non-performance of duties;

(viii) responding to grievances and terminating employment;

(ix) training;

(x) ensuring legal and regulatory compliance, including monitoring compliance with internal rules and policies;

(xi) data backup, data archive and document retention; and

(xii) risk management, legal, accounting, and audit functions.

(c) Susesea may disclose and/or transfer Employee Personal Data and Seafarer Personal Data within Susesea or to third parties for the purposes set out above. The parties to whom Susesea may disclose or otherwise transfer Employee Personal Data and Seafarer Personal Data include:

(i) Susesea's affiliates for purposes consistent with their legitimate business practices and this Policy;

(ii) business associates and other professional advisors;

(iii) third party service providers or processors performing services on Susesea's behalf or providing products, such as:

(A) human resources functions and other business processes, including without limitation recruitment, payroll, employee benefits, and insurance;

(B) operation and maintenance and hosting of information systems;

(C) risk management, compliance, legal and audit functions, and/or support services;

(D) data backup and archive; and/or

(E) insurers;

(iv) to an investigative body in the case of a breach of an agreement or a contravention of law;

(v) as otherwise necessary, required or permitted by law or due to a request from a competent court, regulator or other authority; and

(vi) any prospective third party purchaser of the shares or assets of Susesea.

(d) Susesea may also hold and process the following types of Sensitive Personal Data in relation to employees and seafarers:

(i) racial or ethnic origin only where required for the purposes of compliance with anti-discrimination laws;

(ii) religious beliefs, sexual life, sexual orientation and gender reassignment where required by law;

(iii) health data where required by law and/or relating to benefits, accommodation of disabilities, leave entitlement, statutory sick pay, and/or health and safety at work;

(iv) trade union memberships data where required by law if applicable; and

(v) criminal background data where such checks are required by law.

(e) Susesea will only process such Sensitive Personal Data when permitted or required to comply with its legal obligations or where the employee or seafarer's explicit consent has been obtained for the processing of such data (where such consent may be required by local law) or where necessary to protect the individual's vital interests.

4.3 Contractor Personal Data

(a) Susesea may hold and process the following types of Contractor Personal Data:

(i) personal details, such as information which may identify a contractor: name, address of work place, work contact information;

(ii) details, such as information relating to the use of a contractor: job title/function and area of expertise;

(iii) financial details, such as any financial information required for the performance of a contract with any contractors who may be individuals: bank account details for purposes of invoicing, payments and the performance of the contract;

(iv) medical and fitness details;

(v) goods or services provided, including any information relating to goods and services that have been supplied by any contractors; and

(vi) photographs of individuals.

(b) The processing of Contractor Personal Data enables Susesea to carry out its legal obligations in connection with the performance of its agreement with contractors. Without this information it would not be possible for Susesea to perform its contractual obligations. Certain Contractor Personal Data is processed by Susesea for its legitimate business interests, including without limitation:

(i) keeping records relating to the business and activities carried out between Susesea and any contractors, including records of:

(A) accounts and business records;

(B) risk management, compliance, legal and audit functions; and/or

(C) financial reporting;

(ii) carrying out background checks for anti-money laundering compliance or for the purposes of financial sanctions screening where required by law; and

(iii) general processing relating to any goods and/or services provided and the performance of contracts with any contractors.

(c) Susesea may disclose and/or transfer Contractor Personal Data within Susesea or to third parties only for the business-related purposes set out above. The parties to whom Susesea may disclose or otherwise transfer Contractor Personal Data include:

(i) Susesea and its affiliates for purposes consistent with their legitimate business practices and this Policy;

(ii) employees and business associates;

(iii) third party processors utilised for risk management, compliance, legal and audit functions;

(iv) legal and other professional advisers, consultants and experts;

(v) financial organisations and advisers;

(vi) insurers;

(vii) persons making an enquiry or complaint, where required by law and/or with consent;

(viii) to an investigative body in the case of a breach of an agreement or a contravention of law;

(ix) as otherwise necessary or required or permitted by law or due to a request from a competent court, regulator or other authority; and

(x) any prospective third party purchaser of the shares or assets of Susesea.

(d) Susesea may also hold and process the following types of Sensitive Personal Data in relation to contractors:

(i) criminal background data only in relation to compliance with anti-corruption and/or anti-bribery where such checks are required by law.

(e) Susesea will only process such Sensitive Personal Data when permitted or required to comply with its legal obligations or where the contractor's explicit consent has been obtained for the processing of such data, where such consent may be required by local law.

4.4 Client Personal Data

(a) Susesea may hold and process the following types of Client Personal Data:

(i) personal details: client name, client business postal address, client business email address, client business telephone number, client personal mobile number;

(ii) financial details: any financial information required for the performance of a contract with clients, in particular, bank account details for purposes of invoicing, payments and the performance of the client contract;

(iii) goods or services provided by Susesea to the client;

(iv) records of telephone conversations; and

(v) photographs of individuals.

(b) The processing of Client Personal Data enables Susesea to perform its role as service provider, including carrying out its obligations in connection with the performance of its client contracts. Without this information it would not be possible for Susesea to perform a client contract. Certain Client Personal Data is processed by Susesea for its legitimate business interests, including without limitation:

(i) keeping records relating to the business and activities carried out by Susesea with its clients, including records of:

(A) general processing relating to the performance of contracts with, and provision of services and/or products to, clients; and

(B) client relationship management, including advertising, marketing and public relations;

(ii) carrying out background checks for anti-corruption/anti-bribery compliance or for anti-money laundering compliance or financial sanctions screening where required by law and credit worthiness; and

(iii) financial records and audits related to client contracts and relationships.

(c) Susesea may disclose and/or transfer Client Personal Data within Susesea or to third parties only for the business-related purposes set out above. The parties to whom Susesea may disclose or otherwise transfer Client Personal Data include:

(i) Susesea and its affiliates for purposes consistent with their legitimate business practices and this Policy;

(ii) employees and business associates;

(iii) third party processors utilised for risk management, compliance, legal and audit functions;

(iv) legal and other professional advisers, consultants and experts;

(v) financial organisations and advisers;

(vi) insurers;

(vii) persons making an enquiry or complaint, where required by law and/or with consent;

(viii) to an investigative body in the case of a breach of an agreement or a contravention of law;

(ix) as otherwise necessary or required or permitted by law or due to a request from a competent court, regulator or other authority; and

(x) any prospective third party purchaser of the shares or assets of Susesea.

(d) Susesea may also hold and process the following types of Sensitive Personal Data in relation to clients:

(i) criminal background data only in relation to compliance with anti-corruption and/or anti-bribery where such checks are required by law.

(e) Susesea will only process such Sensitive Personal Data when permitted or required to comply with its legal obligations or where the client's explicit consent has been obtained for the processing of such data, where such consent may be required by local law.

4.5 Supplier Personal Data

(a) Susesea may hold and process the following types of Supplier Personal Data:

(i) personal details: name/contact;

(ii) employment details: work address, work contact information, job title or function;

(iii) financial details, such as any financial information required for the performance of a contract with suppliers who may be individuals: bank account details for purposes of payment or expense reimbursement, invoices for services rendered, payment for goods supplied;

(iv) goods or services provided, including any information relating to goods and services that have been supplied by suppliers; and

(v) photographs of individuals.

(b) The processing of Supplier Personal Data enables Susesea to perform its obligations in connection with the performance of its contracts with suppliers. Without this information it would not be possible for Susesea to perform a supplier contract. Certain Supplier Personal Data is processed by Susesea for its legitimate business interests, including without limitation:

(i) keeping records relating to the business and activities carried out between Susesea and any suppliers, including records of:

(A) accounts and business records;

(B) risk management, compliance, legal and audit functions; and

(C) financial reporting;

(ii) carrying out background checks for anti-money laundering compliance or for the purposes of financial sanctions screening where required by law; and

(iii) general processing relating to any goods and/or services provided and the performance of contracts with any suppliers.

(c) Susesea may disclose and/or transfer Supplier Personal Data within Susesea or to third parties only for the business-related purposes set out above. The parties to whom Susesea may disclose or otherwise transfer Supplier Personal Data include:

(i) Susesea and its affiliates for purposes consistent with their legitimate business practices and this Policy;

(ii) employees and business associates;

(iii) third party processors utilised for risk management, compliance, legal and audit functions;

(iv) legal and other professional advisers, consultants and experts;

(v) financial organisations and advisers;

(vi) insurers;

(vii) persons making an enquiry or complaint, where required by law and/or with consent;

(viii) to an investigative body in the case of a breach of an agreement or a contravention of law;

(ix) as otherwise necessary or required or permitted by law or due to a request from a competent court, regulator or other authority; and

(x) any prospective third party purchaser of the shares or assets of Susesea.

(d) Susesea may also hold and process the following types of Sensitive Personal Data in relation to suppliers:

(i) criminal background data only in relation to compliance with anti-corruption and/or anti-bribery where such checks are required by law.

(e) Susesea will only process such Sensitive Personal Data when permitted or required to comply with its legal obligations or where the supplier's explicit consent has been obtained for the processing of such data, where such consent may be required by local law.

4.6 User Personal Data

Susesea will hold and process User Personal Data in accordance with and as set out in the Privacy Policy.

5 PROCESSING OF PERSONAL DATA

Susesea handles all Personal Data such that it is:

(a) processed lawfully, fairly and in a transparent manner in relation to the Data Subjects;

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes will not be considered to be incompatible with the initial purposes;

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

(d) accurate, where necessary, kept up to date and every reasonable step must be taken to ensure that Personal Data that is inaccurate is erased or rectified without delay;

(e) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate measures;

(f) processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate measures; and

(g) only disclosed to third parties or transferred outside a country's or region's borders in accordance with Data Protection Laws and ensuring adequate levels of data protection.

6 RIGHTS OF DATA SUBJECTS

Susesea will respond to requests made by Data Subjects to exercise their legal rights in relation to Personal Data that Susesea holds about them. Subject to applicable exemptions, Data Subjects have the following rights:

(i) to lodge a complaint with the Philippine National Privacy Commission for violations of applicable Philippines data privacy laws; and

(ii) to be indemnified for any damages sustained due to use of inaccurate, incomplete, outdated, false, or unlawfully obtained Personal Data, or due to unauthorised use of Personal Data.

(a) Right to be informed

Right to be informed about any Personal Data held about them by Susesea.

(b) Right of access

Right to request access to their Personal Data and be provided information in relation to that data (including the purposes for which the data is processed, how long it will be stored for, the right to lodge a complaint with a supervisory authority).

(c) Right to rectification

Right to have their inaccurate Personal Data amended.

(d) Right to erasure

Right to have their inaccurate Personal Data erased.

(e) Right to restrict processing

Right to restrict processing of their Personal Data.

(f) Right to data portability

Right to receive a copy of their Personal Data in a machine-readable format or to have their Personal Data sent to another entity.

(g) Right to object

Right to object to the processing of their Personal Data.

(h) Right in relation to automated decision making and profiling

Right not to be subject to a decision which is based on automated processing or profiling that could result in a significant effect on the Data Subject, such as discriminatory effects.

7 SUBJECT ACCESS REQUESTS

7.1 If making a request to access your Personal Data, please send a request by e-mail to hr@susesea.com.

7.2 If you receive a request from a third party requesting access to their Personal Data or any of the other rights set out in Section 6, please contact hr@susesea.com immediately, because Susesea must respond to the request within prescribed time limits. You must not provide any requested information to a third party.

7.3 Susesea shall handle subject access requests as follows:

(a) Susesea shall identify the data subject;

(b) Susesea shall provide the requested information within one month of receipt of request; this period may be extended by two further months where necessary, taking into account the complexity and number of the requests; Susesea shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay;

(c) where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject;

(d) where the request concerns a large quantity of information, Susesea reserves the right to ask the data subject to specify the information the request relates to;

(e) if Susesea does not take action on the request of the data subject, Susesea shall inform the data subject within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy; and

(f) Susesea reserves the right to charge a reasonable fee for access or not to act on the request, where permitted by law.

8 APPOINTING DATA PROCESSORS

When appointing third parties to carry out processing of Personal Data on Susesea's behalf, Susesea shall impose contractual obligations dealing with the protection and security of that information such that these third parties are contractually required to, amongst other obligations, act in a manner consistent with Susesea's instructions when processing Personal Data and that they have in place appropriate technical and organisational security measures to safeguard such Personal Data.

9 RECORD KEEPING

Susesea maintains various records including the following:

(a) processing activities carried out by Susesea;

(b) consents provided by Data Subjects (where applicable); and

(c) data protection related policies and procedures.

10 BREACH NOTIFICATION

Susesea has in place the Personal Data Incident Notification Policy to be followed in the event of an incident and/or breach in relation to Personal Data.

11 INTRA-GROUP DATA TRANSFERS

Personal Data may be transferred between companies in Susesea in accordance with Data Protection Laws and this Policy.

12 INTERNATIONAL TRANSFERS OF PERSONAL DATA

Given the international nature of Susesea's operations, Personal Data collected in the EEA may be transferred to countries outside the EEA which may not have laws offering the same level of protection for Personal Data as those inside the EEA. Susesea will take steps to prevent the transfer of Personal Data without adequate safeguards being put in place and will ensure that Personal Data collected in the EEA and transferred internationally is afforded the same level of protection as it would be inside the EEA. For further information on the adequate safeguards adopted by Susesea for the international transfer of Personal Data, please see the Data Transfers Policy.

13 DATA RETENTION

Susesea has in place the Data Retention & Destruction Policy to be followed in respect of the retention of Personal Data.

14 BREACHES OF THIS POLICY

Any actual or suspected breach of this Policy should be immediately notified to the Data Protection Officer by contacting hr@susesea.com.

15 DOCUMENT CONTROL

15.1 The DPO is the owner of this Policy and is responsible for ensuring that this procedure is reviewed in line with the relevant review requirements.

Schedule 1

Susesea data controllers

Company

  1. SUSESEA SHIP MANAGEMENT PTE. LTD.

Schedule 2

Susesea DPO

| DPO | Ali Doğan | hr@susesea.com | SUSESEA SHIP MANAGEMENT PTE. LTD. 70 SHENTON WAY #11-11 EON SHENTON SINGAPORE 079118 | +90 534 957 04 08 |

Personal Data Usage Confirmations

  • I confirm I have obtained the referees’ consent for me to disclose their personal data to your organisation for the purpose of obtaining the relevant type of reference.

  • I hereby consent to Susesea Ship Management Pte. Ltd. collecting, using and disclosing to other members of the Susesea Group of Companies the personal data in this Application Form for the purpose of deciding whether or not to hire me for the position listed below.

  • If my application is unsuccessful, I consent to Susesea Ship Management Pte. Ltd. retaining my personal data for up to 12 months and disclosing it to other members of the Susesea Group of Companies for the purpose of considering me for other roles.