CONSENT FORM

DATA PROTECTION ACT: EMPLOYEE CONSENT FORM

PERMISSION TO STORE AND PROCESS YOUR DATA

To comply with the European General Data Protection Regulation Company as Employer must ask for your
permission to store and process your personal and sensitive data for this purpose.
I give my consent to MSC Shipmanagement Limited recording sensitive personal information about me

Name

Signature Date

European General Data Protection Regulation Employee Information Sheet

What is personal and sensitive data?
Personal data is data which can be used to identify you. This may include your name, date of birth, address,
telephone number etc. Sensitive personal data is information related to any of the following: racial or ethnic
origin, political opinions, religious beliefs, trade union membership, health, sexuality or sex life, offences and/or
convictions.
Where will you store my data?
The record of your data will be stored in an electronic database system accessed by authorized employees of
MSC Shipmanagement Limited. Paper copies of your data may also be stored securely and accessed by authorized
employees only.
How will company use your data?
Your data will primarily be used for the purpose of:
 Recruitment, promotion, training, redeployment and/or career development
 Administration and payment of wages
 Calculation of certain benefits including pensions
 Disciplinary or performance management purposes
 Performance review
 Recording of communication with employees and their representatives
 Compliance with legislations
 Provision of references to financial institutions, to facilitate entry onto educational courses and/or to assist
future potential employers
 Staffing levels and career planning
 Training which means classroom, e-learning or any other means
 Marketing or company's promotion purposes only after obtaining your specific consent for such activity
What is a Data Controller?
A Data Controller is someone who is responsible for your data and who must make sure that your data is
processed according to the law. For example they are responsible for making sure that the information held about
you is accurate and that it is kept secure.
Why might you share my personal and sensitive personal data? Who will you share it with?
We will only ever share your information with your permission, for the purposes we have stated (unless required
to do so by law).
Obtaining the information we hold about you
You have a right to ask for a copy of your information and to correct any inaccuracies. Under the EU General
Data Protection Regulation, MSC Shipmanagement Limited is required to respond to your request within 30 days.
If you would like a copy of the information we hold about you, please write to the D.P.O officer at
[email protected]

CONSENT FORM Page 1 of 1

 employee's national insurance number is given to).  Where the processing is based on consent or performance of a
An employee has the right to access information kept about him/her contract
by the organization, including personnel files, sickness records,  When processing is carried out by automated means
disciplinary or training records, appraisal or performance review notes, RIGHT TO OBJECT TO
emails in which the employee is the focus of the email and documents Individuals have the right to object to:
that are about the employee.
 Processing based on legitimate interest or performance of a task
The data protection officer (D.P.O.) is responsible for dealing with data in the public interest/exercise of official authority (including
subject access requests. profiling)
MSCSMCY may not charge for allowing employees access to  Direct marketing (including profiling)
information about them however reserves the right to review this if  Processing for the purposes of scientific/historical research and
there are repeated requests. The organization will respond to any data statistics
subject access request within 30 calendar days.
CORRECTION, UPDATING AND DELETION OF DATA
MSCSMCY will allow the employee access to hard copies of any
MSCSMCY has a system in place that enables employees to check their
personal information. However, if this involves a disproportionate effort
on the part of the organization, the employee shall be invited to view personal information on a regular basis so that they can correct, delete
the information on-screen or inspect the original documentation at a or update any data. If an employee becomes aware that the
place and time to be agreed by the organization. organization holds any inaccurate, irrelevant or out-of-date information
MSCSMCY may reserve its right to withhold the employee's right to about him/her, he/she must notify the data protection officer
access data where any statutory exemptions apply. immediately and provide any necessary corrections and/or updates to
Where a request is received by staff covering any of the GDPR Data the information.
Subject Rights the request must be passed to the Data Protection MONITORING
Officer immediately. MSCSMCY may monitor employees and premises visitors by various
The request must be forwarded to [email protected]. If the request means including, but not limited to, recording activities on CCTV,
was made over the phone then as much information as possible checking emails, checking business laptops/computers, listening to
regarding what was requested must be typed into an email and sent to voicemails and monitoring telephone conversations. If this is the case,
the Data Protection Officer immediately. If the request is received in a the organization will inform the employee that monitoring is taking
postal letter, this can either be scanned and sent to the Data Protection place, how data is being collected, how the data will be securely
Officer by email, or the hardcopy taken to the Data Protection officer processed and the purpose for which the data will be used. The
immediately. employee will usually be entitled to be given any data that has been
collected about him/her. MSCSMCY will not retain such data for any
RIGHTS OF DATA SUBJECT longer than is absolutely necessary.
RIGHT TO ERASURE
In exceptional circumstances, the organization may use monitoring
This Right is also known as the ‘Right to be Forgotten'. It enables Data covertly. This may be appropriate where there is, or could potentially
Subjects to request the deletion or removal of personal data where be, damage caused to the organization by the activity being monitored
there is no compelling reason for its continued processing by the Data and where the information cannot be obtained effectively by any non-
Controller. The Right to Erasure applies in the following circumstances: intrusive means (for example, where an employee is suspected of
 The personal data is no longer necessary in relation to the stealing property belonging to the organization). Covert monitoring will
purpose for which it was originally collected take place only with the approval of the data protection officer (D.P.O)
 The processing was based on consent, and the Data Subject has if permissible under law.
now withdrawn their consent REVIEW OF PROCEDURES AND TRAINING
 The Data Subject objects to processing and there is no overriding MSCSMCY will provide training to all employees on data protection
legitimate interest of the Data Controller matters on induction and on a regular basis thereafter. If an employee
 The data was being unlawfully processed considers that he/she would benefit from refresher training, he/she
 The data must be erased to comply with a legal obligation should contact the data protection coordinator (D.P.C.)
RIGHT TO RESTRICT PROCESSING The organization will review and ensure compliance with this policy at
When this Right is exercised MSCSMCY is permitted to store the regular intervals.
personal data but not further process it. Restricted information about CONSEQUENCES OF NON-COMPLIANCE
the individual may be retained to ensure that the restriction is All employees are under an obligation to ensure that they have regard
respected in the future. to the data protection principles when accessing, using or disposing of
The Right to Restrict Processing applies in the following circumstances: personal information. Failure to observe the data protection principles
When a Data Subject contests the accuracy of their personal data, then within this policy may result in an employee incurring personal criminal
processing should be restricted to storage only until accuracy is verified liability. It may also result in disciplinary action up to and including
When a Data Subject objects to processing which is being carried out dismissal. For example, if an employee accesses another employee's
for the reason of performance of a task in the public interest, or for the employment records without the requisite authority, the organization
legitimate interests of the Data Controller, then the Data Controller will treat this as gross misconduct and instigate its disciplinary
must restrict processing to storage only whilst they consider whether procedures. Such gross misconduct will also constitute a criminal
their legitimate grounds override the Rights and freedoms of the offence.
individual.
When processing is unlawful and a Data Subject opposes erasure and
requests restriction to storage instead.
When the Data Controller no longer needs the personal data but the
Data Subject requires it for the purpose of a legal claim.
SIGNED
RIGHT TO PORTABILITY
This Right allows individuals to obtain and reuse their personal data for
their own purposes across different services. It allows the individual to
move, copy or transfer personal data easily from one IT environment to
another in a safe and secure way in a common data format, for
PRINTED NAME
example, Excel or CSV file.
The Right to Data Portability applies in the following circumstances:
 When the personal data was provided to the controller directly
by the Data Subject
DATE

PERSONAL DATA PRIVACY POLICY Page 4 of 4

 PRIVACY NOTICE on file, we will hold your data on file or a further 6 (six) months for
As part of any recruitment process, MSCSMCY (hereafter the consideration for future employment opportunities. At the end of that
“MSCSMCY”) collects and processes personal data relating to job period, or once you withdraw your consent, your data is deleted or
applicants. The organisation is committed to being transparent about destroyed. You will be asked when you submit your CV whether you give
how it collects and uses that data and to meeting its data protection us consent to hold your details for the full 12 months in order to be
obligations considered for other positions or not.
WHAT INFORMATION DO WE COLLECT? If your application for employment is successful, personal data gathered
during the recruitment process will be transferred to your Human
MSCSMCY collects a range of information about you. This includes:
Resources file (electronic and paper based) and retained during your
 your name, address and contact details, including email address and
employment. The periods for which your data will be held will be
telephone number;
provided to you in a new privacy notice.
 details of your qualifications, skills, experience and employment
history; YOUR RIGHTS
 information about your current level of remuneration, including As a data subject, you have a number of rights. You can:
benefit entitlements;  access and obtain a copy of your data on request;
 whether or not you have a disability for which the organisation needs  require the organisation to change incorrect or incomplete data;
to make reasonable adjustments during the recruitment process;  require the organisation to delete or stop processing your data, for
 information about your entitlement to work in the Cyprus. example where the data is no longer necessary for the purposes of
MSCSMCY may collect this information in a variety of ways. For processing;
example, data might be contained in application forms, CVs or resumes,  and object to the processing of your data where MSCSMCY is relying
obtained from your passport or other identity documents, or collected on its legitimate interests as the legal ground for processing.
through interviews or other forms of assessment.  If you would like to exercise any of these rights, please contact
We may also collect personal data about you from third parties, such as [email protected].
references supplied by former employers. We will seek information from  MSCSMCY is committed, as data controller, to protect your personal
third parties only once a job offer to you has been made and will inform data when using/accessing files and software applications.
you that we are doing so.  Your personal data will be collected and processed for specific
Data will be stored in a range of different places, including on your reasons by the authorized people listed below:
application record, in HR management systems and on other IT systems  HR DEPARTMENT
(including email).  PERSONNEL DEPARTMENT
WHY DOES MSCSMCY PROCESS PERSONAL DATA?  ACCOUNTS DEPARTMENT
We need to process data to take steps at your request prior to entering  GROUP LEARNING & ORGANISATIONAL DEVELOPEMENT,
into a contract with you. We may also need to process your data to enter SUSTAINABILITY & SUPPORT SERVICES
into a contract with you.  TRAVEL
In some cases, we need to process data to ensure that we are  FLEET PERFORMANCE
complying with its legal obligations. The data concerned are:
MSCSMCY has a legitimate interest in processing personal data during  Biographical information or current living situation, including dates of
the recruitment process and for keeping records of the process. birth, Social Security numbers, phone numbers and email addresses.
Processing data from job applicants allows us to manage the recruitment  Looks, appearance and behaviour, including eye colour, weight and
process, assess and confirm a candidate's suitability for employment and character traits.
decide to whom to offer a job. We may also need to process data from  Workplace data and information about education, including salary,
job applicants to respond to and defend against legal claims. tax information and tax/social insurance numbers.
MSCSMCY may process special categories of data, such as information  Private and subjective data, including religion, political opinions and
about ethnic origin, sexual orientation or religion or belief, to monitor geo-tracking data.
recruitment statistics. We may also collect information about whether or  Health, sickness and genetics, including medical history, genetic data
not applicants are disabled to make reasonable adjustments for and information about sick leave.
candidates who have a disability. We process such information to carry CONSENT
out its obligations and exercise specific rights in relation to employment. By consenting to this privacy notice you are giving us the permission to
If your application is unsuccessful, MSCSMCY may keep your personal process your personal date specifically for the purposes identified.
data on file in case there are future employment opportunities for which Consent is required for MSCSMCY to process both types of personal data,
you may be suited. We will ask for your consent before it keeps your data but must it must be explicitly given. Where we are asking you for sensitive
for this purpose and you are free to withdraw your consent at any time. personal data we will always tell you why and how the information will be
WHO HAS ACCESS TO DATA? used.
Your information may be shared internally for the purposes of the You may withdraw consent at any time.
recruitment exercise. This includes members of the HR and recruitment
team, interviewers involved in the recruitment process, managers in the
business area with a vacancy and IT staff if access to the data is necessary
for the performance of their roles.
We will not share your data with third parties, unless your application
for employment is successful and we make you an offer of employment.
We will then share your data with former employers to obtain references
for you, employment background check providers to obtain necessary
background checks. SIGNED
HOW DOES MSCSMCY PROTECT DATA?
We take the security of your data seriously. We have internal policies
and controls in place to ensure that your data is not lost, accidentally
destroyed, misused or disclosed, and is not accessed except by our PRINTED NAME
employees in the proper performance of their duties.
FOR HOW LONG DOES MSCSMCY KEEP DATA?
If your application for employment is unsuccessful, the organisation will
hold your data on file for 6 (six) months after the end of the relevant DATE
recruitment process. If you agree to allow us to keep your personal data

PRIVACY NOTICE Page 1 of 1

establishing Social Media accounts) and do not use work email addresses. the terms of use of all Social Media sites they use and ensure their use
No Employee should post anonymously to Social Media sites when their post complies with these terms.
could be connected to MSCSMCY or its business (including customers). RESPECT FOR OTHERS AND PROFESSIONALISM
Anonymous posts can be traced back to the original sender's email address. When using MSCSMCY Social Media, in addition to complying with
If an Employee discloses their work relationship with MSCSMCY (including MSCSMCY's Code of Business Conduct, Employees should not post, or express
through pictures), the Employee must include a disclaimer that their views do a viewpoint on another's post, such as by "liking" a Facebook post, anything
not represent those of MSC. For example, that MSCSMCY or MSCSMCY's business partners would find offensive,
"the opinions expressed in postings from this account are a reflection of my including racism, ethnic slurs, sexist comments, discriminatory comments,
own personal views”. profanity, abusive language or obscenity, or statements that are maliciously
false.
Usually, these statements can be included in a permanent section of the
profile, for example, “about” or “intro” section at “details about you” of As a global shipping line, MSCSMCY has a variety of business partners and
Facebook; “summary” section on LinkedIn; “bio” section in Twitter; and so on. Employees around the world. Naturally, different cultural and political stances
will be observed by these individuals. MSCSMCY insists that all Employees
Even if a disclaimer is included, anything said by an Employee can reflect on
respect one another through their communication activity.
MSCSMCY. Employees should always strive to be accurate in their
communications about MSCSMCY and remember that their statements have Each Employee must be respectful towards others' rights regarding data
the potential to result in liability for themselves and MSCSMCY. protection and privacy, and should not post photographs of their colleagues
without prior authorisation.
RESPECT INTELLECTUAL PROPERTY & CONFIDENTIAL INFORMATION
The MSCSMCY Code of Business Conduct restricts Employees' use and CONSEQUENCES OF ANY BREACH OF THIS POLICY
disclosure of MSCSMCY's trade secrets, confidential information and Breach of this Policy may result in disciplinary action up to and including
intellectual property, save as permitted by applicable laws. termination of employment. An Employee suspected of committing a breach
of this Policy will be requested to cooperate with MSCSMCY in any
Publishing commercially sensitive information on MSCSMCY Social Media,
investigation. The Employee's cooperation may be taken into account in a
including, but not limited to, trade secrets, confidential business results or
case where disciplinary action is considered to be appropriate.
business plans, can also constitute a breach of competition laws.
An Employee may be requested to remove any MSCSMCY Social Media
Breaches of competition laws are strictly penalised, including, in many
content that MSCSMCY considers to constitute a breach of this Policy. Failure
countries, by criminal sanctions for individuals. Employees are invited to
to comply with such a request may result in disciplinary action.
attend MSCSMCY Code of Conduct training and MSCSMCY Competition
training in order to further understand the subject. PERSONNEL RESPONSIBLE FOR IMPLEMENTING THIS POLICY
Each Employee is responsible for the success of this Policy and should take
Beyond the mandatory restrictions and legal obligations, each Employee
time to read and understand it.
should treat MSCSMCY's trade secrets, intellectual property and other
proprietary information, other than information that is already public, about Please act responsibly and professionally in your use of MSCSMCY Social
MSCSMCY's customers, terminals, facilities, railways, road transport, business, Media, and your Social Media when MSCSMCY computers and handheld
vessels and services as strictly confidential and not do anything to jeopardise devices are used.
or unwittingly disclose such information through their use of MSCSMCY Social If you see any misuse of MSCSMCY Social Media or of MSCSMCY computers
Media. and handheld devices
In addition, Employees should avoid misappropriating or infringing upon the it should be reported to MSCSMCY (which can be contacted at
intellectual property of other companies and individuals, which can create [email protected]).
liability for Employees as well as for MSCSMCY. CONFLICT OF LAWS
Please note that nearly all contracts that MSCSMCY enters into with suppliers The Policy does not replace the local laws which must always be applied.
and customers contain confidentiality clauses and sometimes these These laws may have different requirements to this Policy.
confidentiality clauses can be very broad. For example, some large well- If anyone has reason to believe that the local applicable laws will prevent it
known companies do not want the various shipping lines that they use to from implementing this Policy, it shall immediately report this conflict to the
know which other shipping lines they are doing business with, and MSCSMCY (which can be contacted at [email protected] ). In such
consequently, the fact we are ‘doing business with them' is required to event, MSCSMCY will collaborate with the Affiliate in order to reach a
remain confidential. business like solution consistent with the Policy.
For these reasons, care must be exercised in all communication, and In case of absence of local law, the Policy shall constitute the legal framework
MSCSMCY requests that you do not refer to MSCSMCY's customers and for the concerned Affiliate.
suppliers by name and that you restrict your references to that of MSCSMCY
only.
Exceptions can apply where MSCSMCY is informed and grants permission.
In order to protect themselves and MSCSMCY against liability for copyright or
trademark infringement, where appropriate, each Employee shall refer to the
source of particular information posted or uploaded, and shall cite them
accurately.
This requirement is also applicable where an Employee copies pieces of MSC
Group Cargo's magazine Together or MSCSMCY Magazine MSC SMT. You
should be reminded that the main purpose of Together is as an INTERNAL
publication, so if you should wish to replicate content, we politely request you
seek the permission of the MSCSMCY.
SIGNED
Note that republishing part of any publication - or broadcast content - can be
a breach against that media outlet, or a breach of a specific subscription
contract which MSCSMCY has with the publisher. The publisher obtains its
income through the sale of the publication, and so the subscription contract
always contains restrictions on distribution and publishing.
If republishing part of a publication or broadcast has value for your business PRINTED NAME
use of MSCSMCY Social Media, please check with the MSCSMCY first, who will
be able to advise you whether this use is permitted.
If an Employee has any doubts or questions about whether a particular post
or upload might breach any copyright or trademark of any person or
MSCSMCY, the Employee should ask the MSCSMCY by using DATE
[email protected] before making the communication.
RESPECT & COMPLY WITH TERMS OF USE OF ALL VISITED SITES
No Employee should expose themselves or MSCSMCY to a legal risk by using a
Social Media site in breach of its terms of use. Each Employee should review
SOCIAL MEDIA POLICY Page 2 of 2