The Security and Access control Privacy Statement explains: who we are, what information we collect, why we collect it, how we use that information, who has access to your data and the privacy choices we offer to you.
Who we are
Vopak Facility Services operates the Access control and Registration procedure, on our office and sites (including third parties on site). These procedures apply to the terminals and offices of Vopak in the Netherlands. The Facility Services department is responsible for your personal data and has made agreements with the external parties involved in Security and Access Control.
Anything you are not clear about
Your privacy matters at Vopak and if you are not familiar with terms, please do take your time to get to know our practices and check, on request, our Binding Corporate Rules designed for both Vopak employee as for customer, suppliers, and Vopak business partners.
If there is anything you are unclear about, please do contact your local contact person or the facility department, who shall be happy to answer any queries you may have concerning this Statement or the way in which we process your personal data.
Information we collect and process and the lawfulness of processing
For the realization of the Access control and Request procedure, the security and reception will collect data from employees, contractors, and visitors on behalf of the Facility Services Department. In this respect, we collect the following categories of personal data:
- For the employees: staff number, name, passport or drivers photograph, license plate (if applicable), function, company e-mail address;
- For the contractors and subcontractors: ID number and the type of ID, name, passport or drivers photograph, company where the data subject’s works for, license plate (if applicable) nationality, work permit (if applicable) , type and end date of the training requirements (e.g VCA, BHV, first aid , (PIT) port instruction training);
- For the visitors: ID number and type, name, passport or drivers photograph, company representing the person, license plate( if applicable).
- For the sea vessel’s staff: name, rank, place of birth, ID number, the type of ID, date of birth of the staff member;
- For the inland barges staff: only the name of the captain;
In terms of the collection and use of information and other activities that requires processing of personal data, the Access control and request Procedure is lawful and in compliance with Article 6. 1 c-f GDPR (compliance with law, ensuring the vital interest of the data subject, performance of the task carried out in the public interest and for the legitimate interest of the data controller)and Article 9.2 b),c) GDPR (processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, processing is necessary for the vital interest of the data subjects).
What are the purposes for the use of your data?
The purposes are strictly related to the abovementioned legal grounds for processing activities. Nevertheless, in order to be more specific, we are collecting/processing your personal for the following reasons:
- monitoring the safety of the employees and third party;
- monitoring the properties of Vopak NL, its employees or third parties;
- monitoring of the products managed by Vopak in the Netherlands;
- monitoring accesses of offices and access on the landside of the terminals;
- attendance registration of the people on the sites (e.g. in case of calamities);
- Presence control of all persons registered in the access system afterward, in order to check if the presence of the persons is in line with the staff information in regards to the absence and presence systems;
- Compliance with law- meet the requirements of the ISPS;
- Compliance with law- meet the AEO requirements;
- Compliance with law- meet the requirements Working Conditions, related to informing people about the danger at the site (gate instruction);
- Compliance with law - requirements of the chapter 1.10 of the ADR/RID/ADN.
How do we obtain your data and who has access to your data?
The Security and Access control procedure is fully configured according to the Vopak Privacy Code/GDPR and to the strict rules of authorized access of the personal data that are collected. Data is entered by your self/colleagues via the registration service or the security and reception employee directly in the access system. The recipients of the collected data are only authorized employees. In specific cases, information is shared according to a procedure with the HR department.
In addition, for sea going vessels, data may be provided by ships agents which enters the data in the common systems (Dirkzwager’s Ship2Report or Tram4u) and for the inland barges the ship responsible will enter the data in UAB system or provides the Security with a crew list.
AISLive Ship Tracking Services is only used for planning purposes and is not used for other purposes.
Further Processing and third parties
Following to the aforementioned purposes and the closely related purposes, the information will be shared with Vopak departments. The information we collect is shared, in special conditions, via reporting system of the registration portal to SHEQ or HR department.
We will not share data with third parties, unless
i) sharing is necessary to comply with law’s requirement, regulation, enforceable governmental request, legal defense;
ii) sharing is necessary for protecting your vital interest;
iii) Sharing is necessary for the Vopak legitimate interest unless those interests are not overridden by the interests of fundamental rights and freedoms of Vopak employees.
For ship personal the data is not shared with third parties and only used for verification purposes on the legitimacy of the visit.
Your data subject’s rights
Our goal is to be clear about what information we collect so that you can make meaningful choices about how it is used. We thought it would be helpful to set out your following privacy rights as they are defined in your Vopak Privacy Code/ GDPR :
- right to access your personal data that we process;
- right to have rectified your inaccuracies in personal data that we hold about you;
- right to object to certain processing of your personal data by us;
- right to be forgotten, which means that your details might be removed from systems that we use to process your personal data. except if Vopak has to keep information from legislation or other legitimate interests
- right of data portability (known as the right to request the transmission of your data to another controller);
- the right to lodge a complaint to your supervisory authority.
For a further understanding of your rights and procedure please take a look either to Vopak Privacy Code for employees and/or the Vopak Privacy Code for the customers/suppliers and business partners or contact your Local Contact person.
The security of your personal information is important for us. Vopak has implemented high security IT standards and a framework based on proactively embedding privacy into the design and the operation of Security and Access control procedure. These security rules will be upheld unconditionally and include Process Security and Access control in Vopak Document Management System
While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.
Furthermore, a data breach procedure has been created within the Vopak Privacy Code.
Protocols, such as security protocols, crisis management, and data breach resolution plans exist for management, prevention, and solution of these risks.
Transfer of the data to third country
There will be no transfer of data to a (government) authority and/or commercial parties to third countries.
Vopak manages the relevant personal data and the access registration in the automated access registration system. According to the Article 5(1) (e) GDPR, data will be stored only for the purposes for which the personal data are processed unless exception mentioned under this article applies.
The personal master data included in the registration system is stored for a period of 24 months after the right of access has expired, unless the person is on a blacklist. In that case, master data will remain in the system until the period for which the access is denied has expired. The access records included in the access registration system are kept for a maximum 24 months, after that the registrations are destroyed.
In addition, the data of the crewmembers is no longer stored and destroyed after the departure of the vessel.
This Privacy Statement is effective as of, 1th of July 2018 and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately communicated to you.
Concerns and contact details
If you have any concerns with regard to the way your personal data is being processed or have a query with regard to this notice, please contact your local contact person at Vopak or
Tel: +31 10 4002740
For vessels please contact your local Portal Facility Security Officer (PFSO).
Chief Privacy Officer
Att. Global Director HR
3016 CK ROTTERDAM