Data Processing Agreement
IDWAL DATA PROCESSING AGREEMENT
Last updated: 12th January 2026
This Data Processing Agreement (“DPA”) sets out the terms under which Idwal Marine Services Limited (“Idwal”, “Processor”, “we”, “us”, or “our”) processes personal data as a data processor on behalf of our customers (“Customer” or “Data Controller”).
This DPA supplements and forms part of the Agreement between Idwal and Customer (being the Terms of Service, together with any Service Order where applicable, as defined in the Terms of Service). This DPA applies automatically when:
- Customer executes a Service Order, Terms of Service, or other service agreement with Idwal that references or incorporates this DPA; or
- Customer uses Idwal's services where Idwal processes personal data on Customer's behalf in connection with maritime vessel inspection services, platform services, or related services; or
- The parties execute a specific Data Processing Agreement incorporating these terms.
By using Idwal's services or executing an agreement that incorporates this DPA, Customer acknowledges having read, understood, and agreed to be bound by the terms of this Data Processing Agreement.
DEFINITIONS AND INTERPRETATION
1.1 Definitions
In this Agreement, the following terms have the meanings set out below:
“Customer Personal Data” means any Personal Data processed by the Processor on behalf of the Customer pursuant to or in connection with the Agreement.
“Data Protection Law” means all applicable laws relating to data protection, privacy, and security, including but not limited to:
- The UK General Data Protection Regulation (UK GDPR) as retained in UK law following the UK’s withdrawal from the European Union
- The Data Protection Act 2018
- The Privacy and Electronic Communications Regulations 2003
- Any successor or replacement legislation
- Any applicable guidance, codes of practice, or approved codes of conduct issued by supervisory authorities
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed by the Processor.
“Data Subject” means an identified or identifiable natural person whose Personal Data is processed by the Processor on behalf of the Customer.
“DPA” means this Data Processing Agreement.
“Personal Data” means any information relating to an identified or identifiable natural person, as defined in Data Protection Law.
“Processing” has the meaning given to it in Data Protection Law and “process”, “processes”, and “processed” shall be construed accordingly.
“Security Incident” means any event that compromises the security, confidentiality, integrity, or availability of Customer Personal Data or the systems on which it is stored, processed, or transmitted, including but not limited to unauthorized access, Data Breaches, ransomware attacks, denial of service attacks, and insider threats.
“Agreement” means the Terms of Service, Service Order, or other contract between the Customer and the Processor pursuant to which the Processor provides services to the Customer.
“Services” means the maritime vessel inspection services, platform services, and related services provided by the Processor to the Customer pursuant to the Agreement.
“Sub-processor” means any third party engaged by the Processor to process Customer Personal Data on behalf of the Customer.
“Sub-processor List” means the current list of Sub-processors approved by Customer, as maintained and updated by Processor at https://www.idwalmarine.com/terms-and-conditions/subprocessors.
“Supervisory Authority” means the UK Information Commissioner’s Office (ICO) or any other competent data protection authority with jurisdiction over the processing of Customer Personal Data.
1.2 Interpretation
1.2.1 References to “writing” or “written” include email unless otherwise specified.
1.2.2 Headings are for convenience only and do not affect interpretation.
1.2.3 References to statutory provisions include those provisions as amended, extended, or re-enacted from time to time.
1.2.4 Words in the singular include the plural and vice versa.
1.2.5 The Schedules form part of this DPA and shall have effect as if set out in full in the body of this DPA.
SCOPE AND APPLICATION
Application and Hybrid Processing Model
2.1 This DPA applies to the processing of Personal Data by Processor in connection with the Services. However, the nature of Processor's role varies depending on the type of data and processing activity:
2.1.1 Inspection Reports and Documentation - When Processor conducts vessel inspections and compiles inspection reports, these reports contain primarily vessel technical information (not personal data) but may include documents and photographs obtained during inspections that contain incidental personal data (crew certificates, training records, photographs showing individuals). For inspection reports and associated documentation, Processor acts in a dual capacity:
(a) As Processor - when conducting inspections commissioned by Customer and compiling reports according to Customer's instructions;
(b) As Controller - when retaining inspection reports on the platform for Processor's legitimate business interests (analytics, benchmarking, platform operation, historical reference).
The obligations in this DPA apply to the Processor role in (a). Section 12 (Return and Deletion) is modified to reflect the dual purpose and ongoing retention of inspection reports.
2.1.2 Customer-Added Data - Where Customer adds supplementary data to the platform (deficiency management notes, internal comments, annotations) or creates platform user accounts for its employees, Processor acts solely as Processor, processing this data only on Customer's instructions. Traditional Processor obligations apply to this data.
2.1.3 Customer Contact Data - Contact information of Customer's employees that Processor collects for its own business purposes (customer relationship management, marketing, sales) is processed by Processor as Controller and is governed by Processor's Privacy Policy, not this DPA.
2.2 This DPA applies only to Customers who have entered into an Agreement (Terms of Service) with Processor. This DPA does not apply to users accessing the platform solely under the Terms of Use.
2.3 For purposes of this DPA, "Customer Personal Data" means:
2.3.1 Personal data appearing in inspection reports commissioned by Customer (including incidental personal data in documents and photographs obtained during inspections); and
2.3.2 Personal data in Customer-added supplementary information (deficiency notes, annotations, comments); and
2.3.3 Personal data in platform user accounts Customer creates for its employees.
Post-Termination Treatment
2.4 Customer acknowledges and agrees that:
2.4.1 Upon termination, inspection reports commissioned by Customer remain accessible on Processor's platform for both Customer's reference and Processor's legitimate business interests;
2.4.2 Customer-added supplementary data (deficiency notes, user accounts) is deleted as specified in Section 12; and
2.4.3 This dual treatment reflects Processor's hybrid role as described in Section 2.1.1.
Relationship to Agreement
2.5 This DPA supplements and forms part of the Agreement. The Customer and Processor agree to comply with the terms of this DPA in addition to their respective obligations under the Agreement.
Precedence
2.6 In the event of any inconsistency or conflict between the provisions of this DPA and the Agreement with respect to the processing of Customer Personal Data, the provisions of this DPA shall take precedence.
Processing Details
2.7 The subject matter, nature, purpose, duration, and types of Personal Data and categories of Data Subjects covered by this DPA are set out in Section 16 (Processing Details).
DATA CONTROLLER AND PROCESSOR RELATIONSHIP
Roles and Responsibilities
3.1 The parties acknowledge and agree that with respect to the processing of Customer Personal Data:
3.1.1 the Customer is the Data Controller; and
3.1.2 the Processor is the Data Processor.
3.2 The Customer shall:
3.2.1 comply with all applicable Data Protection Law;
3.2.2 have all necessary rights and lawful bases to collect and process Customer Personal Data;
3.2.3 provide lawful, clear, and adequate instructions to the Processor regarding the processing of Customer Personal Data;
3.2.4 ensure that processing by the Processor will not violate any Data Protection Law; and
3.2.5 be responsible for responding to Data Subject requests, except to the extent the Processor is required to assist under Section 8.
3.3 The Processor shall:
3.3.1 process Customer Personal Data only on documented instructions from the Customer, except where required by law;
3.3.2 comply with all obligations imposed on processors under Data Protection Law;
3.3.3 not process Customer Personal Data for any purpose other than as instructed by the Customer; and
3.3.4 assist the Customer in meeting its obligations under Data Protection Law.
Instructions
3.4 The Customer instructs the Processor to process Customer Personal Data:
3.4.1 for the purposes of providing the Services as described in the Agreement;
3.4.2 as further specified in Section 16 (Processing Details); and
3.4.3 as otherwise documented in writing by the Customer from time to time.
3.5 The Processor shall immediately inform the Customer if, in the Processor’s opinion, any instruction violates Data Protection Law.
3.6 If the Processor is required by applicable law to process Customer Personal Data for purposes other than those instructed by the Customer, the Processor shall, to the extent permitted by law:
3.6.1 inform the Customer of such legal requirement before processing; and
3.6.2 process only to the minimum extent necessary to comply with the legal obligation.
Compliance with Law
3.7 Each party shall comply with its respective obligations under Data Protection Law with respect to the processing of Customer Personal Data.
PROCESSING INSTRUCTIONS
Scope of Processing
4.1 The Processor shall process Customer Personal Data only:
4.1.1 in accordance with the Customer’s documented instructions as set out in this DPA and Section 16 (Processing Details);
4.1.2 for the purposes of providing the Services under the Agreement;
4.1.3 as necessary to comply with applicable law (subject to Section 3.6); or
4.1.4 as otherwise agreed in writing between the parties.
Unauthorized Processing
4.2 The Processor shall not:
4.2.1 process Customer Personal Data for any purpose not instructed by the Customer;
4.2.2 disclose Customer Personal Data to any third party except as authorized by the Customer or required by law;
4.2.3 transfer Customer Personal Data outside the scope of the Customer’s instructions; or
4.2.4 retain Customer Personal Data beyond the period instructed by the Customer or required by this DPA.
Changes to Instructions
4.3 The Customer may issue additional processing instructions by providing written notice to the Processor.
4.4 If such additional instructions require changes to the Services or additional work by the Processor, the parties shall discuss in good faith any associated costs and implementation timeline.
4.5 The Processor shall not be obliged to comply with instructions that:
4.5.1 violate Data Protection Law;
4.5.2 are technically impossible or unreasonably impractical; or
4.5.3 require material changes to the Services without reasonable compensation.
Objection to Instructions
4.6 If the Processor believes an instruction violates Data Protection Law or is technically impossible, the Processor shall:
4.6.1 immediately notify the Customer in writing;
4.6.2 explain the basis for the objection;
4.6.3 suspend processing pending resolution (unless immediate processing is required by law); and
4.6.4 cooperate with the Customer to find an alternative lawful approach.
DATA SECURITY
Security Measures
5.1 The Processor shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against Security Incidents, including:
5.1.1 Access Controls:
(a) Role-based access control (RBAC) limiting access to authorized personnel only
(b) Multi-factor authentication for privileged accounts
(c) Regular access reviews and removal of unnecessary permissions
(d) Unique user accounts (no shared credentials)
(e) Automatic session timeouts
5.1.2 Encryption:
(a) Encryption of Customer Personal Data at rest using industry-standard
(b) Encryption of Customer Personal Data in transit using TLS 1.2 or higher
(c) Secure key management practices
5.1.3 Network Security:
(a) Firewalls and intrusion detection/prevention systems
(b) Network segmentation to isolate sensitive data
(c) Regular vulnerability scanning and penetration testing
(d) DDoS protection and mitigation
5.1.4 System Security:
(a) Regular security patching and updates
(b) Anti-malware and anti-virus protection
(c) Secure system configurations following industry best practices
(d) Security monitoring and logging
5.1.5 Physical Security:
(a) Physical access controls to data centers and facilities
(b) Video surveillance and access logs
(c) Secure disposal of physical media containing Customer Personal Data
5.1.6 Data Integrity and Availability:
(a) Regular backups with secure storage
(b) Disaster recovery and business continuity plans
(c) Redundancy and failover capabilities
(d) Data integrity verification mechanisms
Security Standards
5.2 The Processor maintains security measures that meet or exceed recognized industry standards, including:
5.2.1 compliance with applicable Data Protection Law security requirements;
5.2.2 implementation of security frameworks and best practices appropriate to the nature of the data and risks;
5.2.3 regular security assessments, audits, and testing; and
5.2.4 maintenance of relevant security certifications where applicable.
Data Classification
5.3 The Processor maintains a data classification policy that classifies Personal Data based on sensitivity and applies security measures appropriate to each classification level.
Changes to Security Measures
5.4 The Processor may update or modify its security measures from time to time, provided that:
5.4.1 such changes do not result in the degradation of the overall security of Customer Personal Data;
5.4.2 the updated measures continue to comply with Data Protection Law; and
5.4.3 the updated measures meet or exceed the requirements of this DPA.
Security Incident Response
5.5 The Processor maintains documented security incident response procedures, including:
5.5.1 incident detection and analysis capabilities;
5.5.2 formal incident response team with defined roles and responsibilities;
5.5.3 procedures for containing, eradicating, and recovering from Security Incidents;
5.5.4 communication and escalation protocols; and
5.5.5 post-incident review and lessons learned processes.
Customer Responsibilities
5.6 The Customer acknowledges and agrees that:
5.6.1 The security of Customer Personal Data depends in part on the Customer’s own security practices, including:
(a) maintaining strong passwords and credentials;
(b) properly configuring user permissions and access controls;
(c) protecting account credentials from unauthorized disclosure; and
(d) promptly notifying the Processor of suspected security issues.
5.6.2 The Customer is responsible for its own security measures for data before upload to the Services and after download from the Services.
PERSONNEL AND CONFIDENTIALITY
Personnel Authorization
6.1 The Processor shall ensure that access to Customer Personal Data is limited to personnel who require such access to perform their duties in connection with the Services.
6.2 The Processor shall verify that all personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations, whether by contract, professional obligation, or statute.
Confidentiality Obligations
6.3 The Processor shall ensure that all personnel with access to Customer Personal Data:
6.3.1 are informed of the confidential nature of Customer Personal Data;
6.3.2 have received appropriate training on their data protection obligations;
6.3.3 understand the procedures to follow if they become aware of any actual or suspected Data Breach; and
6.3.4 are bound by contractual or statutory confidentiality obligations that survive termination of their employment or engagement.
Training
6.4 The Processor shall:
6.4.1 provide regular data protection and security training to personnel who process Customer Personal Data;
6.4.2 ensure personnel are aware of relevant Data Protection Law requirements;
6.4.3 conduct refresher training at least annually; and
6.4.4 maintain records of training completion.
Background Checks
6.5 The Processor shall conduct appropriate background checks on personnel with access to Customer Personal Data to the extent permitted by applicable law and in accordance with industry standards.
DATA BREACH NOTIFICATION
Notification to Customer
7.1 Upon becoming aware of a Data Breach affecting Customer Personal Data, the Processor shall notify the Customer without undue delay and in any event:
7.1.1 within 24 hours for High-Risk Data Breaches; or
7.1.2 within 72 hours for all other Data Breaches.
7.2 For the purposes of this clause, a “High-Risk Data Breach” means a Data Breach that is likely to result in a high risk to the rights and freedoms of Data Subjects, including but not limited to breaches involving:
7.2.1 special category data (health, biometric, racial or ethnic origin, etc.);
7.2.2 large numbers of Data Subjects (more than 100 individuals);
7.2.3 data that may result in identity theft or fraud;
7.2.4 data that may result in significant financial loss; and
7.2.5 data that may cause significant damage to reputation or other significant adverse effects.
7.3 Where the full details of the Data Breach are not available within the required timeframes, the Processor may provide a preliminary notification containing available information, with complete details to follow as soon as reasonably practicable.
Content of Notification
7.4 The Processor’s Data Breach notification to the Customer shall include, to the extent known at the time:
7.4.1 nature of the Data Breach, including the date and time when the breach occurred (if known) and when it was discovered;
7.4.2 categories and approximate number of Data Subjects affected;
7.4.3 categories and approximate number of Personal Data records affected;
7.4.4 likely consequences of the Data Breach for Data Subjects;
7.4.5 measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects;
7.4.6 name and contact details of the Processor’s Data Protection Officer or other contact point for further information; and
7.4.7 an indication of whether the Processor believes notification to the Supervisory Authority or Data Subjects may be required under Data Protection Law.
Method of Notification
7.5 Data Breach notifications shall be sent to:
7.5.1 the Customer’s designated security or privacy contact (if specified in the Agreement or provided to the Processor in writing); or
7.5.2 if no designated contact is specified, the primary account holder or contract signatory;
A copy of all Data Breach notifications shall be sent to: GDPR@idwalmarine.com for record-keeping.
Customer Responsibilities
7.6 The Customer, as Data Controller, is responsible for determining:
7.6.1 whether notification to the Supervisory Authority is required;
7.6.2 whether notification to Data Subjects is required;
7.6.3 the content and timing of any such notifications; and
7.6.4 whether to take any additional remedial measures.
7.7 The Processor shall not notify the Supervisory Authority or Data Subjects directly unless:
7.7.1 requested or instructed by the Customer in writing; or
7.7.2 legally required to do so, in which case the Processor shall inform the Customer before making such notification (to the extent legally permitted).
Processor Assistance
7.8 The Processor shall provide reasonable assistance to the Customer in:
7.8.1 investigating the Data Breach;
7.8.2 assessing the impact and risks to Data Subjects;
7.8.3 preparing notifications to the Supervisory Authority and/or Data Subjects (if required);
7.8.4 responding to inquiries from the Supervisory Authority; and
7.8.5 implementing remediation measures.
Remediation
7.9 Following a Data Breach, the Processor shall:
7.9.1 take immediate steps to contain and mitigate the breach;
7.9.2 conduct a root cause analysis;
7.9.3 implement corrective measures to prevent recurrence; and
7.9.4 provide the Customer with a post-incident report documenting:
(a) detailed timeline of events;
(b) root cause analysis;
(c) remediation measures implemented; and
(d) preventative measures for the future.
Record Keeping
7.10 The Processor shall maintain detailed records of all Data Breaches, including:
7.10.1 date and time of discovery and occurrence;
7.10.2 facts relating to the Data Breach;
7.10.3 effects of the Data Breach;
7.10.4 remedial action taken;
7.10.5 notifications made to Customer, Supervisory Authority (if any), and Data Subjects (if any); and
7.10.6 documentation and evidence related to the Data Breach.
Records shall be retained for seven (7) years from the date of the Data Breach and made available to the Customer or Supervisory Authority upon reasonable request.
Minor Security Incidents
7.11 For Security Incidents that do not meet the threshold for Data Breach notification (minor security incidents that do not result in unauthorized access, loss, alteration, or disclosure of Customer Personal Data), the Processor shall:
7.11.1 document the incident; and
7.11.2 include the incident in quarterly security reports provided to the Customer (where the Customer has requested or where specified in the Agreement).
7.12 Quarterly security reports shall be provided within 15 business days of quarter end and shall include:
7.12.1 summary of minor security incidents;
7.12.2 any Data Breaches (with reference to detailed notifications already sent);
7.12.3 security measures implemented or updated during the quarter;
7.12.4 risks identified and mitigated; and
7.12.5 compliance status.
DATA SUBJECT RIGHTS
Data Subject Requests to Processor
8.1 Where the Processor receives a data subject request (access, rectification, erasure, restriction, portability, objection, or withdrawal of consent) relating to Customer Personal Data, the Processor shall:
8.1.1 forward the request to the Customer without undue delay and in any event within three (3) business days of receipt;
8.1.2 not respond to the data subject directly without the Customer’s prior written authorization, except to:
(a) acknowledge receipt and confirm identity verification;
(b) inform the data subject that the Customer is the Data Controller; and
(c) provide the data subject with the Customer’s contact details;
8.1.3 verify the identity of the data subject using reasonable means (government-issued photo identification) before forwarding the request; and
8.1.4 clearly inform the data subject in writing that:
(a) the Customer is the Data Controller for the requested Personal Data;
(b) the request has been forwarded to the Customer for response;
(c) the Customer is responsible for responding within the timeframe required by Data Protection Law (typically 30 calendar days); and
(d) the data subject should direct any follow-up inquiries to the Customer.
Processor Assistance with Data Subject Requests
8.2 Upon the Customer’s reasonable request, the Processor shall assist the Customer in responding to data subject requests by:
8.2.1 providing relevant Personal Data in the Processor’s possession or control within ten (10) business days of the Customer’s request, in a commonly used electronic format (CSV, PDF, JSON, or as reasonably requested by the Customer);
8.2.2 implementing technical and organizational measures to facilitate:
(a) access to Personal Data;
(b) rectification or erasure of Personal Data;
(c) restriction of processing; and
(d) data portability (where technically feasible);
8.2.3 providing information about processing activities, systems, data sources, and procedures as reasonably requested by the Customer to enable the Customer to respond to the data subject;
8.2.4 cooperating with the Customer to enable the Customer to meet its obligations to data subjects under Data Protection Law, including providing search summaries, data dictionaries, and technical documentation where relevant; and
8.2.5 notifying the Customer of any direct communication from the data subject to the Processor regarding their request.
Format and Delivery
8.3 Personal Data provided under Section 8.2 shall be delivered to the Customer:
8.3.1 in a commonly used, structured electronic format (CSV for structured data, PDF for documents, JSON for metadata, or as reasonably agreed);
8.3.2 via secure means (encrypted email, secure file transfer, or secure link); and
8.3.3 with accompanying documentation including:
(a) summary of systems searched;
(b) date range of data;
(c) data dictionary explaining fields and codes (where applicable); and
(d) any limitations or caveats.
Timeframes
8.4 The Processor shall comply with the following timeframes for data subject rights assistance:
| Action | Timeframe |
| --- | --- |
| Forward data subject request to Customer | 3 business days from receipt |
| Notify data subject of forwarding | 3 business days from receipt |
| Acknowledge Customer assistance request | 1 business day from request |
| Provide assistance to Customer | 10 business days from complete assistance request |
For the purposes of this Section, “business days” means Monday to Friday, excluding UK public holidays.
Fees
8.5 Assistance under Section 8.2 is included in the fees under the Agreement for up to two (2) data subject requests per Customer per calendar year, provided such requests:
8.5.1 relate to data in the Processor’s active systems (not archived or offline systems);
8.5.2 require fewer than ten (10) hours of work to complete; and
8.5.3 can be delivered in standard electronic formats.
8.6 For the third and subsequent data subject requests per calendar year, the Processor may charge a reasonable administrative fee of $200 per request to cover the cost of data extraction, review, and delivery. Such fees must be agreed in advance with the Customer.
8.7 Where a data subject request requires significant effort beyond standard assistance, including:
8.7.1 data from archived systems or offline backups more than six (6) months old;
8.7.2 extensive data reconstruction, analysis, or transformation;
8.7.3 custom data formats or complex cross-system correlation; or
8.7.4 work exceeding ten (10) hours;
the Processor may charge its standard professional services rate of $100 per hour, provided that:
8.7.5 the Processor provides a reasonable effort estimate to the Customer before commencing work;
8.7.6 the Customer approves the estimate and fee in writing before work begins; and
8.7.7 the Processor provides a detailed timesheet upon completion.
8.8 Where a Customer’s assistance request is manifestly unfounded or excessive (e.g., repetitive identical requests, deliberately disruptive requests), the Processor may charge a higher reasonable fee or refuse to comply, provided the Processor notifies the Customer in writing with justification.
8.9 The Processor may waive fees at its discretion for regulatory investigations, urgent data protection issues, or other exceptional circumstances.
Processor Obligations
8.10 The Processor acknowledges and agrees that:
8.10.1 the Customer, as Data Controller, is solely responsible for:
(a) determining whether to comply with a data subject request;
(b) verifying the validity of the request;
(c) applying exemptions under Data Protection Law;
(d) responding to the data subject within required timeframes; and
(e) making decisions about erasure, rectification, restriction, or objection;
8.10.2 the Processor shall not:
(a) unilaterally erase, rectify, restrict, or modify Customer Personal Data without the Customer’s written instruction, except as required by Data Protection Law;
(b) make representations to data subjects about the Customer’s processing activities or compliance; or
(c) disclose Personal Data to data subjects without the Customer’s authorization (except as permitted under Section 8.1.2);
8.10.3 the Processor’s assistance under Section 8.2 is limited to:
(a) providing access to Personal Data in the Processor’s systems;
(b) implementing technical measures to facilitate data subject rights;
(c) providing information about the Processor’s processing activities; and
(d) does not extend to making legal determinations, providing legal advice, or making decisions on behalf of the Customer.
Contact Point
8.11 All data subject requests forwarded under this Section, and all Customer assistance requests, shall be directed to:
|  | GDPR@idwalmarine.com |
| Phone | +44 (0)29 2044 6633 |
| Contact | Data Protection Officer |
The Processor shall ensure this contact point is monitored during business hours and that requests are acknowledged within one (1) business day.
INTERNATIONAL DATA TRANSFERS
Acknowledgment of Transfers
9.1 The parties acknowledge that the processing of Customer Personal Data under this DPA may involve transfer of Personal Data to countries outside the United Kingdom, including countries that have not been subject to an adequacy decision by the UK authorities.
Primary Transfer Destinations
9.2 The Processor’s primary international data transfer destinations include:
9.2.1 United Kingdom: Primary location for platform infrastructure and processing systems;
9.2.2 European Economic Area: Backup and redundancy locations (benefits from UK adequacy decision); and
9.2.3 United States of America: Certain third-party services and Sub-processors are located in the United States.
Specific details of Sub-processor locations are set out in the Sub-processor List.
Transfer Mechanisms
9.3 Where the Processor transfers Customer Personal Data to a country that has not been subject to an adequacy decision, the Processor shall ensure that appropriate safeguards are in place, including:
9.3.1 the International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner’s Office; or
9.3.2 the UK Addendum to the EU Standard Contractual Clauses; or
9.3.3 other transfer mechanisms approved under UK Data Protection Law.
The Processor warrants that it has entered into appropriate data transfer agreements with all Sub-processors located in countries without adequacy decisions.
Additional Safeguards
9.4 In addition to the transfer mechanisms specified in Section 9.3, the Processor shall:
9.4.1 ensure that Sub-processors implement appropriate technical and organizational measures to protect Customer Personal Data;
9.4.2 conduct Transfer Impact Assessments where required to assess the laws and practices of the destination country;
9.4.3 implement supplementary measures where necessary to ensure an equivalent level of protection to that guaranteed in the UK;
9.4.4 monitor changes in the laws of destination countries that may affect the level of protection; and
9.4.5 notify the Customer without undue delay if the Processor becomes aware of any changes that materially affect its ability to comply with this DPA.
Government Access Requests
9.5 If the Processor or any Sub-processor receives:
9.5.1 a legally binding request from a government authority or law enforcement agency for access to Customer Personal Data;
9.5.2 a court order requiring disclosure of Customer Personal Data; or
9.5.3 any indication that a government authority intends to access Customer Personal Data;
the Processor shall, to the extent legally permitted:
9.5.4 notify the Customer without undue delay (and in any event within 48 hours);
9.5.5 provide the Customer with sufficient information to enable the Customer to challenge the request, if appropriate;
9.5.6 not disclose Customer Personal Data until legally required to do so;
9.5.7 seek legal advice regarding the validity of the request;
9.5.8 challenge any request that appears unlawful, overbroad, or procedurally defective;
9.5.9 minimize the data disclosed to the extent legally possible.
Where the Processor is prohibited by law from notifying the Customer, the Processor shall use all lawful efforts to obtain the right to waive such prohibition and document its efforts to do so.
Suspension of Transfers
9.6 If at any time:
9.6.1 an adequacy decision is withdrawn or invalidated;
9.6.2 Standard Contractual Clauses or the UK IDTA are invalidated or suspended;
9.6.3 the Processor becomes unable to comply with its data transfer obligations; or
9.6.4 the Customer reasonably believes that transfers no longer provide adequate protection;
the Customer may, by written notice to the Processor:
9.6.5 suspend transfers to affected Sub-processors or locations;
9.6.6 require the Processor to implement alternative transfer mechanisms or supplementary measures;
9.6.7 require the Processor to migrate data to alternative locations within a reasonable timeframe; or
9.6.8 terminate this DPA if adequate alternative arrangements cannot be made (subject to Section 14).
9.7 During any suspension, the Processor shall continue to process Customer Personal Data within the UK or other approved locations to the extent feasible.
Transparency
9.8 The Processor maintains an up-to-date International Data Transfer Policy that documents:
9.8.1 countries to which Customer Personal Data may be transferred;
9.8.2 transfer mechanisms in place;
9.8.3 Transfer Impact Assessment procedures; and
9.8.4 monitoring and review processes.
9.9 The International Data Transfer Policy is available to the Customer upon reasonable request.
SUB-PROCESSORS
10.1 The Customer provides general authorization for the Processor to engage Sub-processors to process Customer Personal Data, subject to the terms of this Section.
10.2 The Processor’s current Sub-processors are listed in the Sub-processor List, which specifies for each Sub-processor:
10.2.1 name and legal entity;
10.2.2 service provided;
10.2.3 location of data processing; and
10.2.4 transfer mechanism (if applicable).
10.3 The Customer acknowledges and approves the current Sub-processors listed in the Sub-processor List.
Sub-Processor Obligations
10.4 The Processor shall:
10.4.1 enter into a written agreement with each Sub-processor imposing data protection obligations substantially equivalent to those imposed on the Processor under this DPA;
10.4.2 ensure that each Sub-processor implements appropriate technical and organizational measures to protect Customer Personal Data;
10.4.3 ensure that each Sub-processor processes Customer Personal Data only on documented instructions from the Processor (or the Customer); and
10.4.4 remain fully liable to the Customer for the performance of any Sub-processor’s obligations as if they were the Processor’s own obligations under this DPA.
10.5 Before engaging any new Sub-processor or replacing an existing Sub-processor, the Processor shall:
10.5.1 notify the Customer of the intended change at least fourteen (14) days in advance;
10.5.2 provide the Customer with an opportunity to object to the change; and
10.5.3 not proceed with the change if the Customer objects on reasonable data protection grounds within fourteen (14) days of notification.
10.6 The Processor shall notify the Customer of planned Sub-processor changes via email to the Customer’s designated contact or an update to the Sub-processor List made accessible to the Customer.
Customer Objection to Sub-Processor
10.7 If the Customer objects to a new or replacement Sub-processor on reasonable data protection grounds, the parties shall discuss in good faith to resolve the objection for up to thirty (30) days, including considering:
10.7.1 alternative Sub-processors;
10.7.2 additional safeguards or contractual terms; and
10.7.3 technical or organizational measures.
10.8 If no resolution can be reached within thirty (30) days, the Customer may:
10.8.1 suspend use of the affected service(s) until an alternative solution is implemented; or
10.8.2 terminate the affected service(s) with sixty (60) days written notice; or
10.8.3 terminate this entire Agreement with ninety (90) days written notice;
in accordance with the termination provisions in Clause 13 of the Agreement.
10.9 “Reasonable data protection grounds” includes but is not limited to:
10.9.1 Sub-processor is located in a country without adequate data protection;
10.9.2 Sub-processor has a history of data breaches or poor security practices;
10.9.3 Sub-processor’s terms are inconsistent with this DPA or Data Protection Law;
10.9.4 Sub-processor would cause the Customer to violate applicable law;
10.9.5 lack of adequate transfer mechanism for international transfers; or
10.9.6 insufficient security certifications or audit reports.
Sub-Processor List Maintenance
10.10 The Processor shall:
10.10.1 maintain an up-to-date Sub-processor List;
10.10.2 make the Sub-processor List available to the Customer;
10.10.3 update the Sub-processor List within five (5) business days of any change; and
10.10.4 maintain a historical record of Sub-processor changes for audit purposes.
10.11 The Processor acknowledges that:
10.11.1 Sub-processors may be added, removed, or replaced during the term of this DPA;
10.11.2 all additions or replacements are subject to the notification and objection procedures in Sections 10.5 and 10.7;
10.11.3 the Processor shall not make changes to Sub-processors that materially degrade the security or privacy protections for Customer Personal Data; and
10.11.4 removals of Sub-processors do not require Customer approval but shall be communicated to the Customer for transparency.
Sub-Processor Audits
10.12 The Customer has the right to:
10.12.1 upon reasonable notice (minimum fourteen (14) days), audit the Processor’s Sub-processor agreements to verify compliance with this Section; or
10.12.2 receive copies of audit reports or certifications (e.g., SOC 2, ISO 27001) for Sub-processors, subject to confidentiality obligations.
10.13 Audit costs shall be borne by the Customer unless an audit reveals material non-compliance by the Processor, in which case the Processor shall bear the reasonable costs of the audit.
AUDIT RIGHTS
Demonstration of Compliance
11.1 Processor demonstrates compliance with this DPA by providing documentation and evidence of security measures, which may include:
11.1.1 security certifications (when held) including ISO 27001 Information Security Management certification, Cyber Essentials Plus certification and other relevant security certifications;
11.1.2 annual external security assessments or audit reports;
11.1.3 completed security questionnaires and due diligence responses (maximum one per year);
11.1.4 appropriate policies and procedures;
11.1.5 records demonstrating staff security training and awareness programs; and
11.1.6 summary of any security incidents and remediation measures.
11.2 Processor shall provide the above documentation upon reasonable request, and Customer may also request specific evidence or attestations regarding particular security controls. If Customer accepts the documentation and evidence provided, no on-site audit shall be required.
On-Site Audit Rights
11.3 Where Customer requires verification beyond the documentation in Section 11.1, Customer may conduct an on-site audit subject to:
11.3.1 Customer demonstrating reasonable grounds why documentation is insufficient and on-site audit is required, such as recent security incident affecting Customer's data or material concerns about compliance based on available evidence;
11.3.2 maximum once every twelve (12) months with sixty (60) days written notice;
11.3.3 maximum two (2) business days during normal business hours (9:00 AM - 5:00 PM UK time);
11.3.4 maximum two (2) persons conducting audit with appropriate security credentials (and Processor may object to competitor auditors or auditors with conflicts of interest);
11.3.5 limited to verification of DPA compliance and security measures, with no access to commercial or proprietary business information unrelated to DPA, or other customers' data or systems;
11.3.6 all auditors must sign Processor's standard confidentiality agreement before commencing audit and all findings are confidential between parties.
11.4 Customer pays all audit-related costs including:
11.4.1 auditor professional fees and expenses;
11.4.2 travel and accommodation costs;
11.4.3 Processor staff time at $200 per hour; and
11.4.4 any third-party specialist costs incurred.
11.5 Processor may decline or postpone an audit on reasonable grounds including:
11.5.1 proposed timing conflicts with critical business operations or scheduled maintenance;
11.5.2 Customer is in material breach of Agreement or has outstanding unpaid invoices;
11.5.3 insufficient advance notice or incomplete audit request; or
11.5.4 proposed audit would impose unreasonable burden on resources.
11.6 Where Processor declines or requests postponement, the parties shall discuss alternative arrangements in good faith within fourteen (14) days.
Audit Findings and Remediation
11.7 Customer shall provide Processor with written audit findings within thirty (30) days of audit completion.
11.8 Where findings identify non-compliance or security gaps:
11.8.1 Processor may dispute findings if believed inaccurate, providing evidence to support position;
11.8.2 Parties shall discuss findings and agree remediation plan within thirty (30) days;
11.8.3 remediation plan shall specify actions, responsibilities, and timelines;
11.8.4 Processor shall implement agreed remediation promptly; and
11.8.5 critical issues affecting data security shall be addressed immediately.
DATA RETENTION AND RETURN
Data Retention
12.1 Upon termination or expiry of the Agreement, the Processor shall, at the Customer's election:
12.1.1 return Customer Personal Data to the Customer in a commonly used, machine-readable format;
12.1.2 delete Customer Personal Data from the Processor's systems and provide written certification of deletion to the Customer; or
12.1.3 retain Customer Personal Data in accordance with Section 2.1.1(b) (Inspection Reports - indefinite platform access) and Section 16.6.2 (Customer-added data - up to three years for re-subscription).
If the Customer does not make an election within thirty (30) days of termination, the Processor shall retain data in accordance with 12.1.3.
Data Subject Deletion Requests
12.2 Where a Data Subject requests deletion of their personal data appearing in platform records (inspection reports, documents, or annotations):
12.2.1 Customer shall forward the request to Processor promptly;
12.2.2 Processor shall assess whether deletion or redaction is feasible without compromising record integrity or violating Processor's legal obligations;
12.2.3 the Processor shall delete the data as soon as the legal retention obligation expires; and
12.2.4 Processor shall notify Customer of the outcome within ten (10) business days.
12.3 Customer personal data may remain in the Processor’s backup systems for a limited period following deletion from production systems, in accordance with the Processor’s backup retention policies.
Legal Retention
12.4 Processor retains platform data based on its legitimate business interests, legal obligations, and Terms of Service. Retention periods are determined by Processor as data controller for platform operation.
Inactive Account Retention
12.5 Following termination of the Agreement, the Processor may retain Customer-added data (user accounts, notes, comments) for up to three (3) years to facilitate potential re-subscription.
12.6 The Customer may request deletion of retained data at any time by contacting GDPR@idwalmarine.com.
12.7 After three (3) years of inactivity (no active subscription), the Processor shall:
12.7.1 email the Customer asking if they wish to retain data or request deletion;
12.7.2 if no response within thirty (30) days, securely delete the Customer-added data; and
12.7.3 continue to retain Inspection Reports in accordance with Section 2.1.1(b) (indefinite platform access if Customer returns).
12.8 This retention is based on the Processor's legitimate interest in facilitating customer service continuity and re-subscription.
Backup and Archived Data
12.9 Customer Personal Data may remain in the Processor's backup systems for a limited period following deletion from production systems, in accordance with the Processor's backup retention policies.
12.10 The Processor shall:
12.10.1 delete Customer Personal Data from backup systems in accordance with its regular backup rotation schedule (typically within ninety (90) days);
12.10.2 ensure that Customer Personal Data in backup systems is subject to the same security measures as production data;
12.10.3 not restore Customer Personal Data from backups except as required by law or for disaster recovery purposes; and
12.10.4 not restore Customer Personal Data from backups for Customer's benefit after termination unless a separate data recovery agreement is executed.
Certification of Deletion
12.11 Upon completion of deletion under Section 12.1.2, the Processor shall provide the Customer with written certification confirming:
12.11.1 date deletion was completed;
12.11.2 systems from which data was deleted;
12.11.3 method of deletion used (e.g., secure erasure, cryptographic deletion);
12.11.4 any data retained pursuant to legal obligations under Section 12.4 (if applicable);
12.11.5 expected date of backup deletion under Section 12.9 (if applicable); and
12.11.6 confirmation that deletion complies with applicable Data Protection Law.
Certification shall be provided within thirty (30) days of deletion completion.
Return Format
12.12 If the Customer elects to have Customer Personal Data returned under Section 12.1.1:
12.12.1 The Processor shall return the data in commonly used electronic formats, including:
(a) CSV or Excel for structured data;
(b) PDF for documents and reports;
(c) JSON or XML for metadata;
(d) original file formats for uploaded documents and media.
12.12.2 The Processor shall provide the data via secure means, such as:
(a) encrypted file transfer via secure FTP or equivalent;
(b) secure download link with authentication; or
(c) secure physical media (USB drive, encrypted hard drive) if requested and agreed.
12.12.3 Data return shall be completed within sixty (60) days of the Customer's election under Section 12.1.1, unless a different timeframe is agreed in writing.
Data Return Fees
12.13 Standard data return in formats specified in Section 12.12.1 via electronic delivery is included in the termination process at no additional charge.
12.14 The Processor may charge reasonable fees for:
12.14.1 data return in custom formats requiring development or transformation;
12.14.2 data return from archived or backup systems older than six (6) months;
12.14.3 expedited data return (faster than the standard sixty-day timeframe);
12.14.4 physical media delivery including shipping and handling;
12.14.5 data return requiring more than ten (10) hours of Processor staff time.
12.15 Fees under Section 12.14 shall be:
12.15.1 based on Processor's standard professional services rates (currently $100 per hour for technical staff time);
12.15.2 estimated in writing before work commences;
12.15.3 approved by Customer in writing before work begins; and
12.15.4 invoiced with detailed timesheet or cost breakdown.
12.16 Processor may waive fees at its discretion for regulatory investigations, data protection authority requests, or other exceptional circumstances.
Timeframe for Return or Deletion
12.17 The sixty (60) day timeframe in Section 12.12.3 may be extended where:
12.17.1 Customer requests a longer period in writing;
12.17.2 a longer period is required by applicable law;
12.17.3 the volume or complexity of data requires additional time, provided Processor notifies Customer and provides a revised timeframe within fifteen (15) days of the Customer's election; or
12.17.4 the parties agree to a different timeframe in writing.
In all cases, Processor shall use reasonable efforts to complete return or deletion as promptly as reasonably practicable.
LIABILITY AND INDEMNIFICATION
13.1 The limitation of liability provisions in Clause 10 of the Agreement apply to this DPA, including liability caps, exclusions of consequential damages, and exceptions that cannot be limited by law.
Sub-Processor Liability
13.2 Processor is fully liable for the acts and omissions of Sub-processors as if they were Processor's own acts and omissions.
Data Protection Indemnification
13.3 Processor shall indemnify Customer for losses arising from:
13.3.1 material breach of this DPA by Processor;
13.3.2 Processor's GDPR violations in processing Customer Personal Data;
13.3.3 Data Subject claims arising from Processor's breach of this DPA; and
13.3.4 regulatory fines imposed on Customer as direct result of Processor's material breach.
This indemnification is additional to any indemnification provisions in the Agreement.
13.4 Customer shall indemnify Processor for losses arising from:
13.4.1 Customer's material breach of this DPA;
13.4.2 Customer's instructions that violate Data Protection Law; and
13.4.3 claims arising from Customer Personal Data itself (excluding Processor's breach of DPA obligations).
This indemnification is additional to any indemnification provisions in the Terms of Use.
13.5 Indemnification under this Section requires:
13.5.1 prompt notification of claim;
13.5.2 reasonable cooperation in defense; and
13.5.3 sole control of defense and settlement by indemnifying party (provided settlement does not impose obligations on other party).
Allocation of Regulatory Fines
13.6 Where regulatory fines are imposed jointly on both parties for the same processing operation:
13.6.1 each party is liable for the portion attributable to its own breach or violation;
13.6.2 parties shall cooperate to demonstrate respective responsibilities to the Supervisory Authority;
13.6.3 if allocation cannot be determined, the fine shall be allocated proportionally based on degree of responsibility; and
13.6.4 a party paying more than its allocated share may recover the excess from the other party.
Insurance
13.7 Processor maintains cyber liability insurance and professional indemnity insurance to cover potential data protection liabilities. Evidence of such insurance shall be provided to Customer upon reasonable request.
Precedence
13.8 For matters arising from data protection and this DPA, this Section 13 prevails over Clause 10 of the Agreement to the extent of any conflict. For all other matters, Clause 10 of the Agreement applies.
TERM AND TERMINATION
14.1 This DPA commences on the Effective Date and continues for as long as Processor processes Customer Personal Data under the Agreement.
14.2 This DPA terminates automatically upon:
14.2.1 termination of the Agreement under Clause 13 of the Agreement (whether by expiry, non-renewal, or termination for cause); or
14.2.2 cessation of all processing of Customer Personal Data by Processor.
However, as set out in Section 2 of this DPA, certain data processing activities continue after termination in respect of inspection reports where Customer retains platform access.
14.3 In addition to termination rights under Clause 13.2 of the Agreement, Customer may terminate this DPA immediately upon written notice if:
14.3.1 Processor suffers a Data Breach caused by Processor's gross negligence or willful misconduct;
14.3.2 Processor becomes unable to comply with its Data Protection Law obligations;
14.3.3 a Supervisory Authority orders Customer to cease using Processor's services;
14.3.4 Customer objects to a Sub-processor under Section 10.7 and the parties cannot reach resolution within the timeframe specified; or
14.3.5 international data transfers are suspended under Section 9.6 and no alternative arrangements can be made within ninety (90) days.
Processor may terminate this DPA immediately if continuation would violate applicable law.
Effect of Termination
14.4 Upon termination of this DPA:
14.4.1 For Customer-added data, Processor ceases processing and handles in accordance with Section 12.1; and
14.4.2 For inspection reports and associated data, processing continues as described in Section 2.1.1(b).
Survival
14.5 The following provisions survive termination of this DPA:
| Section 6 (Confidentiality) | Indefinitely |
| Section 11 (Audit Rights) | Twelve (12) months after termination |
| Section 12 (Data Handling Upon Termination) | Applies ongoing where inspection reports remain accessible |
| Section 13 (Liability and Indemnification) | Indefinitely |
| Section 15 (Governing Law and Dispute Resolution) | Indefinitely |
These survivals are in addition to provisions surviving under Clause 23.1 of the Agreement.
Transition Assistance
14.6 Upon Customer's reasonable request and at Customer's expense, Processor shall provide reasonable transition assistance at Processor's standard professional services rates, including:
14.6.1 providing Customer-added data (covered by Section 12.1.2) in commonly used formats;
14.6.2 reasonable technical cooperation during transition; and
14.6.3 information about data structures and processing activities.
14.7 Transition assistance applies to data covered by Section 12.1.2, not to inspection reports which remain accessible under the Agreement.
GENERAL PROVISIONS
15.1 Relationship to Agreement
15.1.1 This DPA supplements and forms an integral part of the Agreement.
15.1.2 The order of precedence between this DPA and other agreement documents is governed by Clause 1.2 of the Agreement.
15.1.3 Terms used in this DPA that are defined in the Agreement shall have the same meaning unless otherwise specified.
15.2 Notices
15.2.1 All notices under this DPA shall be in writing and delivered in accordance with Clause 30 (Notices) of the Agreement.
15.2.2 For Data Breach notifications and urgent data protection matters under this DPA, notices should be sent via email to ensure speed, with follow-up via other methods as appropriate.
15.2.3 Notices shall be deemed received as specified in Clause 30 of the Agreement.
15.3 Amendment
15.3.1 Processor may amend this DPA by providing at least thirty (30) days' prior written notice to Customer. Notice may be provided via:
(a) email to Customer's registered contact;
(b) prominent notice on Processor's website; or
(c) notice within the Platform.
15.3.2 Processor may make non-material changes to this DPA (including updates to Schedules for administrative changes, contact information, or Sub-processor details) without prior notice, provided such changes:
(a) do not reduce Customer's data protection rights;
(b) do not increase Customer's obligations; and
(c) do not conflict with Data Protection Law.
15.3.3 Changes to Sub-processors are governed by Sections 10.5 and 10.7, which provide for notification and objection rights.
15.3.4 Notwithstanding the above, Processor may make amendments required by applicable law or Data Protection Law with immediate effect by providing notice to Customer.
15.4 Severability
15.4.1 The severability provisions in Clause 22 (Severance) of the Agreement apply to this DPA.
15.5 Governing Law and Jurisdiction
15.5.1 This DPA shall be governed by and construed in accordance with Clause 32 (Governing law and jurisdiction) of the Agreement.
15.6 Waiver
15.6.1 The waiver provisions in Clause 20 (Waiver) of the Agreement apply to this DPA.
15.7 Assignment
15.7.1 Neither party may assign, transfer, or delegate its rights or obligations under this DPA without the prior written consent of the other party.
15.7.2 Notwithstanding Section 15.7.1:
(a) either party may assign this DPA to an affiliate or in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided that the assignee agrees in writing to be bound by the terms of this DPA; and
(b) Processor may engage Sub-processors in accordance with Section 10 without such engagement constituting an assignment.
15.7.3 This Section 15.7 prevails over Clause 25 (Assignment) of the Agreement with respect to the assignment of this DPA and data processing obligations.
15.8 Third Party Rights
15.8.1 Except as expressly provided in this DPA, no third party shall have any right to enforce any provision of this DPA.
15.8.2 Data Subjects are third-party beneficiaries of Sections 5 (Data Security), 7 (Data Breach Notification), and 8 (Data Subject Rights) and may enforce those provisions directly against Processor in accordance with Data Protection Law.
15.8.3 Section 15.8.2 prevails over Clause 27 (Third party rights) of the Agreement to the extent necessary to give Data Subjects enforcement rights as required by GDPR Article 82(6).
PROCESSING DETAILS
This Section describes the scope of personal data processing by Processor on behalf of Customer under this DPA. The details below are general in nature and may vary based on Customer's specific use of the Services.
16.1 Subject Matter and Duration
16.1.1 Subject Matter: Provision of maritime vessel inspection services, inspection reporting, and platform access services.
16.1.2 Duration: Processing continues for the duration of the Agreement and, in respect of inspection reports, for so long as Customer retains access to the Platform in accordance with Section 2.1.1(b).
16.2 Nature and Purpose of Processing
16.2.1 Nature of Processing:
(a) Collection of personal data from Customer and third parties;
(b) Storage and hosting of personal data on cloud infrastructure;
(c) Analysis and compilation of inspection related data;
(d) Generation and delivery of inspection related reports;
(e) Provision of online platform access to reports and data;
(f) Communication with Customer personnel; and
(g) Payment processing.
16.2.2 Purpose of Processing:
(a) Conduct maritime vessel inspections;
(b) Compile and deliver inspection reports to Customer;
(c) Provide platform access for viewing and managing inspection related data;
(d) Enable Customer to order and receive inspection related services;
(e) Process payments for services;
(f) Manage customer relationships and service delivery;
(g) Comply with legal and regulatory obligations; and
(h) Provide customer support.
16.3 Categories of Data Subjects
16.3.1 Personal data processed under this DPA may relate to the following categories of individuals:
(a) Vessel crew members and officers;
(b) Vessel owners, operators, and managers;
(c) Customer employees and authorized users;
(d) Inspection personnel and surveyors;
(e) Port agents and facility personnel;
(f) Technical representatives; and
(g) Individuals incidentally captured in inspection photographs or videos.
16.4 Categories of Personal Data
16.4.1 The personal data processed may include:
(a) Identity data, such as names, job titles and roles, identification documents (where required for vessel access);
(b) Contact data, such as email addresses, telephone numbers and business addresses;
(c) Professional data, such as employment details, company affiliations, and certification and license information;
(d) Platform data, such as user account credentials, login information and access logs, platform usage data, and user preferences and settings;
(e) Inspection Data, such as photographs and videos (may incidentally include individuals), and comments and notes added by users;
(f) Payment data, such as billing contact information, payment card information (processed by payment provider), and invoice and transaction records; and
(g) Communication data, such as email correspondence, support ticket content and platform messages.
16.5 Special Categories of Personal Data
16.5.1 Processor does not intentionally collect or process special categories of personal data (as defined in Article 9 GDPR). However, photographs or videos taken during vessel inspections may incidentally capture information that could be considered sensitive (e.g., health information visible in medical facilities on vessels). Such data is processed solely for the purpose of documenting vessel conditions and is not used for any other purpose.
16.6 Data Retention
16.6.1 Inspection reports and related data are retained indefinitely while Customer maintains Platform access, in accordance with Section 2.1.1(b) of this DPA. This enables Customer to access historical inspection reports and vessel condition data.
16.6.2 Customer-added data, such as user accounts, deficiency notes, comments, and other Customer-added data, are retained for the duration of the Agreement and, following termination, for up to three (3) years to facilitate potential re-subscription, unless Customer requests earlier deletion. Customer may request deletion of this data at any time by contacting GDPR@idwalmarine.com.
16.6.3 Payment data is retained for the duration required for payment processing and as required by applicable tax and accounting regulations (typically 7 years in the UK).
16.6.4 Platform usage logs are retained for 3 years for security and troubleshooting purposes.