1. Introduction
Shipslog AS, a Software-as-a-Service (SaaS) company based in Oslo, Norway, provides maritime fleet management and International Safety Management (ISM) system solutions. Operating from within Norway places Shipslog AS under the jurisdiction of both the European Union's General Data Protection Regulation (GDPR) and Norwegian national data protection legislation. This policy outlines Shipslog AS's commitment to safeguarding the personal data of its users and ensuring adherence to these critical legal frameworks. It is designed to serve as a comprehensive guide for the company's internal practices and to transparently inform users about their rights and how Shipslog AS manages their information.
As a member of the European Economic Area (EEA), Norway is obligated to incorporate EU regulations such as the GDPR into its national law. This has been achieved through the Law on the Processing of Personal Data (Personal Data Act). Consequently, Shipslog AS, as a Norwegian entity, is legally bound to comply with the requirements set forth by the GDPR. This obligation exists regardless of whether the company directly operates within the European Union, as its base of operations within the EEA brings it under this regulatory umbrella.
Beyond the legal mandate, this policy is intended to build and maintain trust with Shipslog AS's users. By clearly and accessibly explaining the company's data processing practices, Shipslog AS aims to empower users to make informed decisions regarding their personal data. Transparency is a fundamental tenet of the GDPR, and this document serves as a key mechanism for achieving it. The policy details what data is collected, how it is utilized, the purposes behind this processing, and the rights available to individuals concerning their personal information. Shipslog AS is dedicated to upholding these principles and maintaining a high standard of data privacy across all its operations.
2. Our Commitment to Data Privacy
Shipslog AS is resolutely committed to ensuring the security and protection of the personal information it handles. The company strives to maintain a consistent and fully compliant approach to data protection, recognizing the paramount importance of these responsibilities in today's digital landscape. This commitment extends to all aspects of its operations, from the design and development of its services to the ongoing management and security of user data.
Furthermore, Shipslog AS is dedicated to the principles of privacy by design and adopts a risk-based approach to data protection. Privacy by design means that considerations for data protection are integrated into the very fabric of Shipslog AS's services, starting from the initial stages of development. This proactive approach ensures that privacy is not merely an add-on but a fundamental element of how the company operates. Simultaneously, a risk-based approach involves a continuous process of identifying, assessing, and mitigating potential risks to personal data. By focusing on areas where data could be most vulnerable, Shipslog AS can implement targeted and effective safeguards.
By proactively embedding data protection into its development lifecycle and by focusing on mitigating identified risks, Shipslog AS demonstrates a responsible and forward-thinking approach to data privacy, which aligns with the GDPR's emphasis on accountability and preventative measures. This commitment ensures that data protection is not an afterthought but an integral part of the company's operational ethos. Shipslog AS also understands that the realm of data protection is constantly evolving. As legal requirements change, as technology advances, and as best practices are refined, the company pledges to regularly review and update its data protection program to meet these evolving demands. This dedication to continuous improvement ensures that Shipslog AS remains at the forefront of data privacy compliance.
3. GDPR and Norwegian Data Privacy Law Compliance
The European Union's General Data Protection Regulation (GDPR) holds direct legal force within Norway due to Norway's membership in the European Economic Area (EEA). This means that Shipslog AS, as a company established in Norway, is legally obligated to adhere to the GDPR's provisions. The GDPR has been further integrated into Norwegian national law through the enactment of the Law on the Processing of Personal Data (Personal Data Act) of 2018. This act works in conjunction with the GDPR, and Shipslog AS must ensure compliance with both the overarching principles of the GDPR and any specific nuances or interpretations provided under Norwegian law. For example, Norwegian legislation specifies the age of consent for the processing of personal data for information society services directly offered to a child as 13 years. Shipslog AS must be mindful of this specific requirement when dealing with data from individuals in this age group.
Furthermore, Shipslog AS must be aware of and comply with the updated Norwegian Electronic Communications Act (Ekomloven), which came into effect on January 1, 2025. This act harmonizes Norwegian regulations concerning electronic communications, particularly the use of cookies and similar tracking technologies, with the stringent consent requirements established by the GDPR. The Ekomloven mandates that for all cookies and tracking technologies that are not strictly necessary for the basic functionality of a website or service, explicit and informed consent must be obtained from the user. This signifies a move towards greater user control and transparency in how online tracking is conducted. Shipslog AS must ensure that its mechanisms for obtaining consent for cookies are robust, transparent, and provide users with the ability to make granular choices regarding their preferences. Clear information about the types of cookies used and their specific purposes must be readily available to users before they provide their consent.
The primary authority responsible for overseeing and enforcing compliance with the GDPR and the Norwegian Personal Data Act within Norway is the Norwegian Data Protection Authority (Datatilsynet). The Datatilsynet plays a crucial role in providing guidance on data protection issues and ensuring that organizations operating in Norway adhere to the legal requirements. Individuals who believe that their data protection rights have been infringed upon have the right to lodge complaints with the Datatilsynet. Shipslog AS acknowledges the authority of the Datatilsynet and is committed to cooperating fully with any inquiries or guidance provided by this regulatory body.
4. Key Principles of GDPR
Shipslog AS is dedicated to upholding the core principles of the General Data Protection Regulation (GDPR) in all its data processing activities. These principles form the foundation of responsible data handling and are integral to Shipslog AS's commitment to user privacy.
- Lawfulness, Fairness, and Transparency: Shipslog AS will process personal data only when there is a valid legal basis for doing so, will ensure that the processing is fair and equitable to the individuals whose data is being processed, and will conduct all processing activities with transparency. Transparency necessitates providing individuals with clear and easily understandable information about how their data is collected, used, and the purposes for which it is processed. This policy itself is a key component of fulfilling this transparency obligation.
- Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner that is incompatible with those original purposes. Shipslog AS will clearly define the purposes for which it collects and processes personal data within this policy and will ensure that any subsequent processing aligns with these initial purposes.
- Data Minimization: Shipslog AS will only collect personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. This means that Shipslog AS will regularly review its data collection practices to ensure that it is not collecting unnecessary information.
- Accuracy: Shipslog AS takes all reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. Shipslog AS will provide mechanisms for users to review and rectify their personal data to maintain its accuracy.
- Storage Limitation: Personal data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Shipslog AS has established data retention schedules that specify the periods for which different categories of personal data will be retained.
- Integrity and Confidentiality: Personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures. Shipslog AS has implemented a range of security measures, which are detailed in Section 7 of this policy.
- Accountability: Shipslog AS is responsible for and able to demonstrate compliance with all the data protection principles outlined in the GDPR. This includes maintaining comprehensive records of its processing activities and implementing appropriate policies and procedures to ensure ongoing compliance.
5. Collection and Processing of Personal Data by Shipslog AS
Shipslog AS collects and processes various categories of personal data to effectively deliver its SaaS services and to enhance the user experience. The types of personal data collected may include:
- User Account Information: This encompasses details provided by users during the registration process, such as their name, email address, phone number, company name, job title, chosen username, and password. This information is essential for creating and managing user accounts and for providing access to the Shipslog AS platform.
- Usage Data: This category includes information about how users interact with the Shipslog AS platform. Examples include login times, the specific features and functionalities used, actions taken within the service, and the user's Internet Protocol (IP) address. This data helps Shipslog AS understand how the platform is being utilized and identify areas for improvement.
- Billing and Payment Information: If applicable, for users who subscribe to paid services, Shipslog AS collects necessary billing and payment details. This may include billing addresses, payment card information (which is handled securely through certified payment processors), and records of transactions. This information is crucial for processing payments and managing subscriptions.
- Communication Data: This includes records of any communication between users and Shipslog AS, such as support requests submitted through the platform, feedback provided by users, and email correspondence exchanged between the parties. This data helps Shipslog AS address user inquiries and improve its services.
- Device and Browser Information: Shipslog AS may collect information about the user's device, including the type of device, the operating system it uses, the type and version of the web browser, and browser settings. This information helps optimize the platform's performance across different devices and browsers.
A comprehensive understanding of the categories of data collected ensures transparency and helps users understand what information Shipslog AS holds about them. This also enables Shipslog AS to adhere to the principle of data minimization by ensuring that only necessary data is collected for specific and legitimate purposes.
Shipslog AS employs various methods to collect personal data:
- Directly from Users: The most common method is when users actively provide their information during the registration process, when they input data into the Shipslog AS platform while using its features, or when they directly communicate with Shipslog AS through support channels or other means.
- Automatically: Shipslog AS also collects certain data automatically through the use of cookies and other tracking technologies when users access the Shipslog AS website and platform. These technologies help gather information about user behavior, device details, and browsing patterns.
- Potentially from Third Parties: In some instances, if Shipslog AS integrates its services with other third-party platforms or services, data might be received from these external sources. Any such data collection would be subject to appropriate legal bases and would be conducted with transparency towards the users.
The personal data collected by Shipslog AS is processed for a variety of specific and legitimate purposes, including:
- To provide, operate, and maintain the Shipslog AS SaaS service and all its associated functionalities.
- To manage user accounts, verify user identities, and provide effective customer support.
- To process payments and manage billing cycles for users who subscribe to paid features (if applicable).
- To personalize the user experience by tailoring content and features based on individual usage patterns and preferences.
- To monitor and analyze how the Shipslog AS platform is being used to identify areas for improvement in its performance, features, and overall user experience.
- To send users important updates, service announcements, and essential administrative messages related to their accounts and the service.
- Subject to obtaining explicit consent, to send marketing communications about related products, services, or promotional offers that may be of interest to users. Users have the right to withdraw their consent for such communications at any time.
- To comply with applicable legal and regulatory obligations that Shipslog AS may be subject to.
For each of these processing purposes, Shipslog AS relies on specific lawful bases as outlined under the GDPR:
- Consent: For certain processing activities, such as sending direct marketing communications or the use of non-essential cookies, Shipslog AS will obtain the user's freely given, specific, informed, and unambiguous consent. Users have the right to withdraw their consent at any point without affecting the lawfulness of processing based on consent before its withdrawal.
- Performance of a Contract: Processing of personal data may be necessary for the performance of the contract between Shipslog AS and the user, particularly in the context of providing the core SaaS service and its features.
- Legitimate Interests: Shipslog AS may process personal data when it has a legitimate interest in doing so, provided that these interests are not overridden by the rights and freedoms of the data subjects. Such legitimate interests could include improving the platform, ensuring network and information security, preventing fraud and abuse, and conducting business analytics. Shipslog AS will always conduct a careful balancing test to ensure that its legitimate interests are proportionate and do not unduly infringe upon users' rights.
- Compliance with a Legal Obligation: In certain situations, Shipslog AS may be required to process personal data to comply with applicable laws, regulations, legal processes, or governmental requests.
Shipslog AS utilizes cookies and other tracking technologies to enhance the functionality and user experience of its website and platform. The use of these technologies is governed by the Norwegian Electronic Communications Act and the GDPR's requirements for consent. Shipslog AS employs different categories of cookies, including strictly necessary cookies that are essential for the basic operation of the website and platform and do not require user consent. Other categories may include performance or analytics cookies that help understand how users interact with the platform, functionality cookies that enhance user experience by remembering preferences, and advertising or marketing cookies that are used to deliver targeted advertisements. For all categories of cookies beyond those strictly necessary, Shipslog AS will obtain explicit and informed consent from users before they are placed on their devices, in strict accordance with the Norwegian Electronic Communications Act. This consent is typically obtained through a clear and user-friendly cookie consent banner that provides users with granular control over which categories of cookies they wish to accept or reject. Users are provided with comprehensive information about the types of cookies used and their specific purposes at the time of consent. Furthermore, Shipslog AS provides users with clear instructions on how they can manage their cookie preferences and withdraw their consent at any time through the website's settings or their browser configurations. The company is committed to ensuring full compliance with the updated Norwegian regulations regarding cookie consent, recognizing the importance of user privacy and control over their online tracking preferences.
6. Data Subject Rights
The General Data Protection Regulation (GDPR) grants individuals a range of rights concerning their personal data. Shipslog AS is committed to respecting and facilitating the exercise of these rights for all its users.
- Right to be Informed: Individuals have the right to receive clear and comprehensive information about the collection and use of their personal data. This Data Privacy Compliance Policy serves as a primary means of providing this essential information.
- Right of Access: Individuals can obtain confirmation as to whether or not personal data concerning them is being processed and can access that personal data along with certain supplementary information, such as the purposes of the processing and the categories of personal data concerned. Users of Shipslog AS can submit a data access request by contacting the company through the channels specified in Section 13 of this policy.
- Right to Rectification: Individuals can have inaccurate personal data concerning them corrected and have incomplete personal data completed. Users can typically review and edit their account information directly through the Shipslog AS platform. For data that cannot be directly modified, users can submit a request for rectification.
- Right to Erasure: Also known as the "right to be forgotten," this allows individuals to request the deletion of their personal data under certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected, or when they have withdrawn their consent. Shipslog AS will assess each erasure request on a case-by-case basis, considering the specific circumstances and any legal obligations that may require the retention of the data.
- Right to Restriction of Processing: Individuals can request the limitation of the processing of their personal data in specific situations, such as when the accuracy of the data is contested, or when the processing is unlawful but the individual opposes erasure and instead requests restriction.
- Right to Data Portability: Individuals can receive the personal data concerning them, which they have provided to Shipslog AS, in a structured, commonly used, and machine-readable format. They also have the right to transmit this data to another data controller without hindrance from Shipslog AS, where the processing is based on consent or on a contract and is carried out by automated means.
- Right to Object: Individuals have the right to object, on grounds relating to their particular situation, to the processing of their personal data, including profiling, where the processing is based on legitimate interests or the performance of a task carried out in the public interest. Users also have the right to object to the processing of their personal data for direct marketing purposes at any time.
- Rights Related to Automated Decision-Making and Profiling: If Shipslog AS were to engage in such activities that produce legal effects concerning individuals or similarly significantly affect them, individuals would have the right not to be subject to a decision based solely on automated processing, including profiling, under certain conditions. Shipslog AS currently does not engage in such processing in a way that produces these types of effects.
To exercise any of these rights, individuals can contact Shipslog AS through the contact details provided in Section 13 of this policy. All requests will be handled in accordance with GDPR requirements, including verification of the requester's identity and a response provided within one month of receipt of the request. Shipslog AS is committed to ensuring that these rights are respected and that users can easily exercise their control over their personal data.
7. Information Security and Technical & Organizational Measures
Shipslog AS places the highest priority on the security and confidentiality of personal data. The company has implemented a comprehensive suite of technical and organizational measures designed to protect personal information from unauthorized access, alteration, disclosure, or destruction. These measures are continuously reviewed and updated to ensure they remain effective against evolving threats and in line with industry best practices.
The technical measures employed by Shipslog AS include:
- Encryption: Sensitive personal data is encrypted both when it is transmitted between systems (in transit) using secure protocols such as HTTPS and when it is stored on Shipslog AS's servers (at rest). This ensures that even if unauthorized access were to occur, the data would be unreadable without the correct decryption key.
- Access Controls: Shipslog AS employs robust access control mechanisms to limit access to personal data to only those personnel who have a legitimate business need to access it. This includes the use of strong, unique passwords, role-based access permissions, and, where appropriate, multi-factor authentication to provide an additional layer of security.
- Firewalls and Intrusion Detection/Prevention Systems: The company utilizes firewalls to create a barrier between its internal network and the external internet, blocking unauthorized access attempts. Intrusion detection and prevention systems are also in place to monitor network traffic for suspicious activity and to automatically respond to potential threats.
- Regular Security Audits and Vulnerability Assessments: Shipslog AS conducts periodic security audits and vulnerability assessments of its systems and infrastructure to identify and address any potential weaknesses that could be exploited. These assessments help ensure that the security measures in place remain effective.
- Data Backups and Disaster Recovery: Regular backups of personal data are performed and stored securely to prevent data loss in the event of system failures or other incidents. A comprehensive disaster recovery plan is in place to ensure business continuity and the timely restoration of data and services if a significant disruption occurs.
- Pseudonymization and Anonymization: Where appropriate, Shipslog AS may employ pseudonymization or anonymization techniques to reduce the identifiability of personal data for specific processing purposes such as analytics.
The organizational measures implemented by Shipslog AS include:
- Data Protection Policies and Procedures: Comprehensive data protection policies and procedures have been established and are regularly reviewed and updated to reflect the latest legal requirements and best practices. These documents outline the company's commitment to data privacy and provide guidance to employees on how to handle personal data securely and in compliance with GDPR.
- Employee Training and Awareness: All employees who handle personal data receive regular training on data protection principles, security best practices, and the importance of adhering to Shipslog AS's policies and procedures. This training helps foster a culture of privacy and security within the organization.
- Restricted Access and Authorization: Access to personal data is granted on a need-to-know basis, and authorization levels are regularly reviewed to ensure that individuals only have access to the information necessary to perform their specific job duties.
- Incident Response Plan: Shipslog AS has a well-defined incident response plan in place to effectively manage and mitigate any data breaches or security incidents. This plan outlines the steps to be taken to detect, contain, investigate, and recover from a data breach, as well as procedures for notifying the relevant authorities and affected individuals as required by GDPR.
- Data Minimization Practices: Shipslog AS adheres to the principle of data minimization by ensuring that only the personal data that is strictly necessary for the specified purposes is collected and retained. Data retention policies are in place to ensure that data is not kept for longer than necessary.
In the event of a personal data breach, Shipslog AS has established clear procedures to promptly detect, investigate, and contain the breach. In accordance with GDPR requirements, the company will notify the Norwegian Data Protection Authority (Datatilsynet) without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Affected individuals will also be notified if the breach is likely to result in a high risk to their rights and freedoms. Shipslog AS is committed to transparency and will take all necessary steps to mitigate the impact of any data breach and prevent future occurrences.
8. International Data Transfers
The General Data Protection Regulation (GDPR) sets forth specific requirements for the transfer of personal data outside the European Economic Area (EEA) to ensure that the level of data protection afforded to individuals within the EEA is not undermined. Shipslog AS adheres to these regulations when transferring personal data to third countries.
The fundamental principle governing international data transfers is that any transfer of personal data to a country outside the EEA can only take place if the conditions laid down in Chapter V of the GDPR are met. These conditions aim to guarantee that personal data transferred outside the EEA continues to benefit from a level of protection essentially equivalent to that guaranteed within the EEA.
One of the primary mechanisms for facilitating international data transfers is through an adequacy decision by the European Commission. If the Commission has determined that a particular third country ensures an adequate level of data protection, then personal data can be transferred to that country without the need for any further specific safeguards.
In the absence of an adequacy decision, Shipslog AS may transfer personal data to a third country only if it provides appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies are available for data subjects. The GDPR outlines several types of appropriate safeguards that can be used, including:
- Standard Data Protection Clauses (SCCs): Shipslog AS may implement Standard Contractual Clauses adopted by the European Commission, which are pre-approved contractual terms that provide legal guarantees for the protection of personal data transferred to countries outside the EEA. These clauses impose specific obligations on both the data exporter (Shipslog AS) and the data importer (the recipient of the data in the third country).
- Binding Corporate Rules (BCRs): Binding Corporate Rules are data protection policies established by multinational groups of undertakings for transfers of personal data outside the EEA within the group. While less likely to be applicable to a smaller SaaS company like Shipslog AS at its current stage, they represent another form of appropriate safeguard recognized by the GDPR.
- Approved Codes of Conduct or Certification Mechanisms: Transfers may also rely on adherence to approved codes of conduct or certification mechanisms that have been recognized under the GDPR as providing appropriate safeguards for international data transfers.
In certain specific and limited situations, the GDPR provides for derogations that allow for the transfer of personal data to third countries even without an adequacy decision or appropriate safeguards. These derogations include instances where the data subject has explicitly consented to the proposed transfer after being informed of the risks, or where the transfer is necessary for the performance of a contract between the data subject and the controller, or for other reasons specified in Article 49 of the GDPR.
Shipslog AS acknowledges the ongoing complexities and scrutiny surrounding data transfers to the United States, particularly in light of the Norwegian Data Protection Authority's (Datatilsynet) warnings regarding the use of US-based analytics tools. If Shipslog AS utilizes US-based service providers for any aspect of its data processing, such as for analytics or hosting, the company will ensure that appropriate safeguards are in place to protect the personal data being transferred. This may involve the implementation of Standard Contractual Clauses with these providers. Shipslog AS remains vigilant regarding the evolving legal landscape in this area and will continue to monitor guidance from the Datatilsynet and the European Data Protection Board (EDPB) to ensure its data transfer mechanisms remain compliant and provide an adequate level of protection for users' personal data. Where feasible, Shipslog AS will prioritize the use of service providers located within the EEA or in countries that have been granted an adequacy decision by the European Commission.
To enhance transparency, the following table lists any third-party service providers located outside the EEA that process personal data on behalf of Shipslog AS, along with their location and the mechanism relied upon for the international data transfer:
Service Provider | Location | Transfer Mechanism |
---|---|---|
[Name of Provider 1] | [Country] | [Transfer Mechanism] |
[Name of Provider 2] | [Country] | [Transfer Mechanism] |
This information provides users with a clear understanding of where their data may be transferred internationally and the safeguards that are in place to protect it, thereby fulfilling the transparency principle of the GDPR and demonstrating Shipslog AS's commitment to accountability.
9. Data Processing Agreements (DPAs)
Under the General Data Protection Regulation (GDPR), it is crucial to understand the distinction between a data controller and a data processor. A data controller is the entity that determines the purposes and means of processing personal data, while a data processor is an entity that processes personal data on behalf of the controller. In the context of its SaaS offering, Shipslog AS likely acts in both capacities. When providing its services to customers, Shipslog AS typically acts as a data processor, handling the personal data of its customers' end-users according to the instructions provided by its customers (the data controllers). Conversely, when Shipslog AS collects and processes the personal data of its own users for purposes such as account management, billing, and direct marketing, it acts as a data controller.
When Shipslog AS acts as a data controller and engages third-party service providers (who then become sub-processors) to process personal data on its behalf, it is legally obligated to have written Data Processing Agreements (DPAs) in place with these processors. These DPAs are legally binding contracts that ensure that the third-party processors handle personal data in compliance with the requirements of the GDPR and under the specific instructions of Shipslog AS.
A GDPR-compliant Data Processing Agreement must include several key elements. It should clearly define the subject matter and duration of the processing, as well as the nature and purpose of the processing. The DPA must also specify the types of personal data that will be processed and the categories of data subjects whose data will be involved. Crucially, the agreement must outline the obligations and rights of both the controller (Shipslog AS) and the processor (the third-party service provider). This includes detailed instructions from Shipslog AS to the processor regarding how the personal data should be processed.
Furthermore, the DPA must include provisions regarding the confidentiality of the personal data and the security measures that the processor is required to implement to protect the data. If the processor intends to engage any sub-processors to assist in the processing activities, the DPA must specify the conditions under which this can occur, typically requiring prior written authorization from Shipslog AS. The agreement should also detail the processor's obligations to assist Shipslog AS in fulfilling its obligations under the GDPR, such as responding to requests from data subjects to exercise their rights and implementing appropriate security measures.
In the event of a data breach, the DPA must outline the procedures for the processor to promptly notify Shipslog AS. Additionally, the agreement should include provisions for audits and inspections that allow Shipslog AS to verify the processor's compliance with the terms of the DPA and the requirements of the GDPR. Finally, the DPA should specify the instructions for the return or secure deletion of the personal data at the end of the processing services.
Having robust DPAs in place with all third-party processors is essential for Shipslog AS to demonstrate its commitment to GDPR compliance and to ensure that personal data is handled securely and in accordance with legal requirements throughout the processing lifecycle. These agreements provide a clear framework of responsibilities and liabilities for both Shipslog AS and its processors.
10. Data Retention and Erasure
Shipslog AS has established clear data retention policies that outline the periods for which different categories of personal data will be stored. These retention periods are determined based on several factors, including the specific purposes for which the data was collected, any applicable legal and regulatory requirements that mandate data retention for certain periods, and legitimate business needs. Shipslog AS is committed to adhering to the GDPR principle of storage limitation, which means that personal data will not be kept for longer than is necessary to fulfill the purposes for which it was initially collected.
Once the applicable retention period for a particular category of personal data has expired, or when a valid request for erasure is received from a data subject (and there is no overriding legal obligation to retain the data), Shipslog AS has implemented procedures for the secure deletion or anonymization of that data. These procedures are designed to ensure that the data is effectively and permanently removed from Shipslog AS's systems and that it cannot be recovered or accessed by unauthorized individuals. The specific method of deletion or anonymization may vary depending on the nature of the data and the systems on which it is stored.
Establishing and consistently applying data retention and erasure policies is a fundamental aspect of GDPR compliance, aligning with the principle of storage limitation and facilitating the fulfillment of the right to erasure. By implementing these policies, Shipslog AS aims to minimize the amount of personal data it holds and the duration for which it is stored, thereby reducing the potential risks associated with data retention. These policies are regularly reviewed and updated to ensure they remain aligned with legal requirements and best practices.
11. Data Protection Officer (DPO)
Shipslog AS has carefully assessed whether it is legally required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR. The GDPR mandates the appointment of a DPO in specific circumstances, which include:
- When the processing is carried out by a public authority or body (which is not the case for Shipslog AS as a private company).
- When the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale.
- When the core activities of the controller or the processor consist of processing on a large scale of special categories of data (sensitive personal data as defined in Article 9 of the GDPR) or personal data relating to criminal convictions and offences (as referred to in Article 10 of the GDPR).
Based on its current data processing activities, Shipslog AS has determined that it is not legally required to appoint a DPO. However, to ensure robust oversight of its data protection compliance efforts, Shipslog AS has appointed a Data Protection Officer (DPO). The contact information for the DPO is:
Name: [Name of DPO]
Email Address: [Email Address of DPO]
The DPO is responsible for a range of tasks, including informing and advising Shipslog AS and its employees about their obligations under the GDPR and other relevant data protection laws; monitoring compliance with these laws and the company's data protection policies; providing advice on data protection impact assessments; training staff on data protection matters; and acting as the primary point of contact for data subjects and the Norwegian Data Protection Authority (Datatilsynet).
While Shipslog AS is not currently legally obligated to appoint a Data Protection Officer, the company is committed to ensuring ongoing compliance with the GDPR and Norwegian data protection laws. Data protection responsibilities are assigned to designated personnel within the organization who possess the necessary expertise and knowledge to oversee data privacy matters. Shipslog AS will continue to monitor its data processing activities and will reassess the need for a DPO as its operations evolve.
Regardless of whether a DPO is formally appointed, Shipslog AS is dedicated to maintaining a high standard of data protection and has implemented robust policies and procedures to ensure compliance with all applicable regulations. The significant fine issued to Telenor by the Norwegian DPA for deficiencies in its DPO scheme underscores the importance of having adequate oversight of data protection, whether through a dedicated DPO or other assigned roles.
12. Updates to this Data Privacy Compliance Policy
Shipslog AS recognizes that this Data Privacy Compliance Policy will need to be reviewed and updated periodically to reflect changes in data protection laws, regulations, and the company's data processing practices. As legal requirements evolve or as Shipslog AS introduces new services or features that may impact data processing, this policy will be revised accordingly.
When significant changes are made to this policy, Shipslog AS will take appropriate measures to inform users. This may include posting a prominent notice on the Shipslog AS website or platform, sending an email notification to registered users, or other means designed to ensure that users are aware of the updates. The date of the last update will be clearly indicated at the beginning of the policy.
To help users track changes over time, each version of this policy will include a version number and the date on which it was last updated. Shipslog AS encourages users to review this policy periodically to stay informed about how their personal data is being protected. Continued use of the Shipslog AS services after any changes to this policy have been implemented will constitute acceptance of those changes.
13. Contact Information
If you have any questions, concerns, or requests regarding this Data Privacy Compliance Policy or the processing of your personal data by Shipslog AS, please do not hesitate to contact us using the following details:
Email Address for Privacy Inquiries: shipslog@shipslog.info
Shipslog AS is committed to addressing all inquiries and requests in a timely and appropriate manner. Your privacy is important to us, and we strive to ensure that your personal data is handled with the utmost care and in accordance with applicable data protection laws.