EuroFlag Services SARL (“EFS”), whose principal place of business is 25B Boulevard Royal, 6th Floor, Luxembourg, Luxembourg, is accredited by the Luxembourg Government (Ministry of the Economy) to act as maritime manager for Luxembourg shipping companies and vessels registered under the Luxembourg flag. EFS is a “data controller” within the meaning of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). EFS controls how your personal data is collected and the purposes for which it is used.
Personal Data Collected
“Personal data” means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. We collect and process personal data to provide effective and professional ship registry and corporate services. The personal data categories detailed below are submitted to us by clients in the course of our daily business, and may be collected from publicly available sources including websites, search engines and social media profiles.
Names, contact details (home address, email, phone), date of birth, nationality, residence, birthplace, passport number, height, weight, distinguishing marks, gender, date of last physical, maritime status, licenses, emergency contact.
Public task: We process personal data to establish compliance with the requirements of the International Convention on Standards of Training, Certification and Watchkeeping for Seafarers (“STCW” 1978) and related International Maritime Organization (“IMO”) resolutions prior to issuing seafarer certificates. The personal data is also used to guard against fraud and other unlawful practices involving seafarer certificates and endorsements.
Vessel Mortgage and Registration
Names, contact details (home address, business address, employer, office and home phone numbers, work email) and identification details (date of birth, passport or Identity card number and job title).
Public task: We process personal data to establish compliance with the conditions fixed by Luxembourg for the grant of nationality to their ships, for the registration of ships in their territory and for the right to fly their respective flags, as provided for by the United Nations Convention on the Law of the Sea, 1982 (“UNCLOS”). We also process personal data for the registration and enforcement of mortgages in the Luxembourg public register in accordance with Luxembourg law.
Safety and Security
- Designated Person Ashore (DPA) names and contact details (phone number(s), work email and office address)
- Company Security Officer (CSO) names and contact details (work phone, cell phone, office fax, work email, telex numbers and after hours contact number)
- Privately Contracted Armed Security Personnel (PCASP) names, passport, date of birth, CV, licenses, training records, extracts of criminal record
- Public task: We process and maintains DPA records of vessels registered in the Luxembourg ship registries which fall within the scope of the ISM Code. This information enables direct and immediate contact at all times with the Flag State, in accordance with the ISM Code. DPA information is collected through the EFS Luxembourg Vessel Registration Application. DPA data is also used to schedule flag state inspections and regulatory verification measures described above.
- Public task: We process personal data to comply with special measures for enhancing maritime security provided for in SOLAS Chapter XI-2 and the ISPS Code. For Luxembourg registered vessels, Regulation (EC) N° 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security transposes SOLAS XI-2 and the ISPS Code into EU Member State law. Every ship to which the ISPS Code applies must, among other things, have a CSO. EFS processes CSO names and contact details of responsible CSO in its Luxembourg vessel registration application and all changes must be notified to us by email.
- Public task: We process PCASP requests from owners/operators of Luxembourg-flagged vessels. Request are accompanied by supporting personal data required by the Commissioner for maritime affairs in Luxembourg, including extracts of criminal record, pursuant to IMO MSC.1/Circ. 1405/Rev. 2 and MSC.1/Circ. 1443. EFS verifies requests in its capacity as Luxembourg government accredited maritime manager under the control of the Luxembourg Ministry of the Economy. Upon review, we transmit the complete file to the Luxembourg Government for the issuance of an Armed Guard authorization (Commission for maritime affairs in Luxembourg) and Weapon Certificate (Ministry of Justice). We do not record or maintain criminal offence data.
- Names, home address, date of birth, birthplace of birth; country of citizenship; nationality; passport number and related information; Identity card and driver’s license number and related information.
- Public task: We process personal data to ensure compliance with OECD Global Forum on Transparency and Exchange of Information for Tax Purposes (“the Global Forum”) tax transparency standards: (1) availability of information; (2) appropriate access to information; (3) existence of exchange of information mechanisms, as well as the Financial Action Task Force (FATF) Recommendations on International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation.
- Names, email, phone number, title, occasionally date of birth and previous employment.
- Legitimate interest: We process your personal data to personalize and improve your customer experience. Integrated marketing communication forms an integral part of our efforts to increase market share, raising industry awareness of new services and products which facilitate regulatory compliance. This is in keeping with our public task to improve safety, security and the protection of the marine environment. We may use your information to tailor our communications and manage our existing relationship with you. We may also use this information to obtain feedback on our products and services and to answer your inquiries and solicitation requests, including those submitted through our websites. We only reach out to you in your capacity as a corporate representative in keeping with reasonable expectations for the processing of your personal data. We also process your personal data based on the legitimate interest in running our daily business, being able to provide you with our services and performing public tasks. We may occasionally need to contact you by email or phone for administrative or operational reasons. For example, to update you on the status of your company, vessel, invoices, payment confirmation, product delivery, or provide notice of legislative and regulatory updates, operational and security changes and related developments. These communications are not made for marketing purposes.
- First and last name of payer (physical person), home address, date of birth; bank account information, accounting number, routing number, IBAN, credit card number and related payment information.
- Legitimate interest: We process your personal data to fulfill our administrative purposes, protect our business interests and fulfill your purchase and service orders. The business purposes for which we will use your information include, but are not limited to, accounting, billing and audit, credit or other payment card verification, fraud screening, safety, security and legal purposes. This includes collection and processing of registration fees, taxes and other fees related to the Luxembourg Ship Registry. We only handle personal data that is necessary to process payments submitted to us by our clients, or outgoing payments for parties we employ in our services.
Other Data Protection Rights
You benefit from certain legal rights under the GDPR which you can enforce against EFS. A summary of these rights is provided below. For more complete information, please see Sections 3-5 of the GDPR:
- Right to object to our processing your personal data on grounds relating to your specific situation. For example, you may object to receive our marketing material and we will delete you from our marketing database immediately;
- Right of access entitles you to confirmation that we process your personal data. If we do process your data, you are entitled to, among other things, be informed of the processing purpose, categories and the parties we have or will be sharing your personal data with, and for how long your data will be stored. You may also request access to your personal data to be aware of and verify the lawfulness of the processing;
- Right to rectification to correct inaccurate personal data collected about you;
- Right to erasure entitles you, in certain cases, to submit a request for us to delete your data, for example when such data is no longer needed for the purpose it was collected. The right to erasure does not apply for any personal data processed on the basis of public task, as outlined above, where processing is necessary to comply with a legal obligation or for the establishment, exercise or defense of legal claims.
- Right to restrict processing of your information where you have a particular reason. For example, you may contest or wish to verify the accuracy of your data;
- Right to data portability entitles you to receive personal data provided to us in a structure, commonly used and machine readable format. You can also request your personal data to be transferred to another controller. The right to data portability does not however apply to personal data processed on the basis of public task, as outlined above;
- Right to lodge a complaint with a supervisory authority where you believe your personal data has not been processed in accordance with the GDPR.
We employ technical and organizational security measures to ensure your data is processed securely, to guard against the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access, and to offer technical support if requested. Our internal databases are password protected and access is restricted to authorized and trained EFS personnel.
In instances where we disclose your personal data to third parties, we require such third parties to have appropriate technical and organization measures to ensure protection of your personal data.
Cross-Border Data Processing
As a multinational company headquartered in the United States, your data will be processed in the EU/EEA, the United States and in our global offices
Third-Party Data Sharing
We may also share your personal data with the following third parties:
- Authorities on whose behalf we exercise official authority or specific tasks in the public interests laid down in law. We may also disclose your personal data when required to do so by law or court order of any jurisdiction that we are subject to, except where expressly prohibited by Union or Member State law. This includes reporting obligations to the International Maritime Organization and International Labor Organization;
- Suppliers we use to provide day-to-day services. Where applicable, any personal data shared with third parties is limited to that required to assist us in provision of our services. Such providers include DHL, USPS, UPS, TNT and others.
- Third party providers we use to guarantee that all technical, legal and organizational measures have been taken to ensure that your data is processed securely, with adequate level of protection and mechanisms against accidental loss, destruction or damage to such data in place.
- Credit and debit card companies, banks with whom we share your personal data including information regarding payment methods and related accounting details as well payment processing service providers.
We do not process your information on automated basis.
Last updated: 12 July 2021