Personal Data Protection policy

1 Applicability and scope

This policy description is applicable to employees in Wilh. Wilhelmsen Holding ASA (WWH) and all subsidiaries in the Wilhelmsen group where WWH has control directly (more than 50%) or via its subsidiaries.

This policy description shall be included and implemented in the strategies and business goals of WWH and the subsidiaries, advocated when representing Wilhelmsen on external boards and used as requirements in M&A and investment decisions.

Customers, suppliers, agents, representatives and other business partners of the Wilhelmsen group are expected to comply with this or a comparable policy to the extent they process personal data on behalf of the Wilhelmsen group.

2 Purpose

The purpose of this Personal Data Protection policy description is to ensure lawful protection of personal data which relates to Wilhelmsen group employees, as well at third party individuals.

This Personal Data Protection policy description summarizes the standards, requirements and procedures to which all persons working for the Wilhelmsen group must adhere to in order to comply with applicable laws and regulations relating to data protection. Ref. Processing Personal Data procedure.

Managers must ensure that activities in their area of responsibility are performed in accordance with the procedures described in this Personal Data Protection policy description. Managers are responsible for communicating these requirements and for providing advice with respect to their application.

The Wilhelmsen group employees and personnel are required to report immediately any suspected violations of the Wilhelmsen group's Personal Data Protection policy description.

3 Applicable data protection laws for Wilhelmsen group

3.1 Applicable data protection laws
The Wilhelmsen group’s Personal Data Protection policy description is based on European standards, including the Norwegian personal data act. Where applicable law sets forth additional requirements, applicable law shall apply in addition to this Personal Data Protection policy description.

3.2 Personal data
• General definition of personal data: Any information relating to an identified or identifiable natural person, such as name, age, contact information, CV information or information about behaviour, is personal data.
• Sensitive personal data: Certain data are categorized as sensitive personal data and especially strict requirements apply to the processing of these data. Sensitive personal data are data about racial or ethnic origin, or political opinions, health, sex life, trade-union membership, philosophical or religious beliefs, or whether a person has been suspected or, charged with, indicted for or convicted of a criminal act.

All data that are not sensitive personal data are ordinary personal data, although the Wilhelmsen group shall always take into account that the degree of sensitivity may vary even if personal data are not as such defined as sensitive personal data.

3.3 Processing of personal data
The requirements in this policy description apply to electronic processing of personal data, other processing wholly or partly by automated means, irrespective of the method of processing, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

3.4 Sanctions
The Wilhelmsen group can incur severe administrative, civil and criminal penalties if it is found to have breached applicable data protection laws. Such breaches may also result in severe reputational damage for the Wilhelmsen group.
Moreover, employees / personnel of the Wilhelmsen group who are found to have breached applicable data protection legislation, may be subject to disciplinary action (up to and including dismissal) in accordance with applicable laws and the Wilhelmsen group’s policies and procedures.

4 Requirements for processing of personal data

4.1 Introduction
Processing of personal data shall always take place in a lawful, fair and transparent manner in relation to the persons concerned and otherwise in accordance with the processing personal data procedure.

4.2 Notification and license
The Wilhelmsen group shall comply with all applicable notification and / or license requirements.
Before new / changed processing of personal data occurs, it shall be ensured that notification and / or license is submitted / applied for if this is required in accordance with applicable law. Processing of personal data shall not occur until required notification is submitted and / or required license is granted.
Information about any notification that is submitted and / or license that is applied for and granted, shall be given to the Group personal data protection administrator (PDPA).

4.3 Deletion of data
Personal data shall be deleted or destructed when there is no longer a legitimate purpose to continue the processing.
As an alternative to deletion, data can be anonymised. If data are anonymised instead of deleted, it must be ensured that it is no longer possible to link the anonymised data to the person to whom the data originally related.
Certain data shall be kept in accordance with bookkeeping and other applicable legislation. Such data shall not be deleted until the retention requirement has expired.

Deletion upon request:
Requests for deletion shall be filed in writing / electronically to line manager. Line manager shall instruct IT to delete data without undue delay if data can no longer be stored in accordance with the provisions in this Section 4.3 and revert to the person who requested deletion.

4.4 Information about processing
The Wilhelmsen group shall give information about the processing of personal data to the persons concerned. As a main rule, information shall be given before new / changed processing of personal data occurs.

4.5 Access to data
Individual persons contacting the Wilhelmsen group has the right to obtain without expense:
(i) Confirmation as to whether or not personal data relating to him / her are being processed and information about the purpose of the processing, the categories of personal data concerned and the recipients or categories of recipients to whom the personal data are disclosed (if any); and
(ii) Information about the personal data that are processed and available information about the source of such personal data.
Requests for access shall be directed to Group personal data protection administrator (PDPA).

4.6 Quality and proportionality
Personal data shall be adequate, relevant and not excessive, and be kept up-to-date as reasonably required to meet the purposes for which they are used by the Wilhelmsen group. The information security measures following from Section 5 shall ensure that these requirements are met.

4.7 Use of data processors
From time to time the Wilhelmsen group engages third parties to assist with certain tasks which may involve that the relevant parties receive access to personal data; data processors.
A data processor agreement extending the requirements of this Personal Data Protection policy description onto the data processor shall always be entered into before access to personal data is provided.
The Wilhelmsen group’s data processor agreement template is found in https://gimsportal.wilhelmsen.com/Documents/Forms/WWG%202.04%20Template.aspx
If the standard template cannot be used and another template / wording is to be used, prior approval of the specific template / wording from Global personal data protection administrator (PDPA) is required.

4.8 Exchange of personal data to recipients outside the EU/EEA
The Wilhelmsen group shall comply with applicable law requirements regarding exchange of personal data to recipients outside the EU/EEA.

In order to rely on consent, the Wilhelmsen group must inform the relevant persons in accordance with the provisions set forth in Section 7 in the processing personal data procedure.

5 Requirements to information security

5.1 Technical and organizational measures - responsibilities and organizational structure
The Wilhelmsen group has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the Wilhelmsen group’s processing of personal data.
Responsibilities and organizational structure relating to information security is established in the Cyber Security policy.

5.2 Security objectives and strategies
The Wilhelmsen group has implemented security objectives and security strategies which constitute the framework for data security to be complied with by the Wilhelmsen group in relation to the processing of personal data.
The high-level security objectives of the Wilhelmsen group are referred to in section 2.3. in Processing Personal Data procedure.
In order to achieve the security objectives, the Wilhelmsen group has implemented the security strategies set forth in the Cyber Security policy.
Further, the Wilhelmsen group has implemented appropriate security measures in accordance with the Cyber Security policy.

5.3 Security measures, user security and logging
Security measures are implemented in accordance with Cyber Security policy.
User security in particular is implemented in accordance with the Cyber Security policy.
The Wilhelmsen group shall log authorized use as well as attempts to unauthorized use of the systems where personal data are processed.

6 Risk assessments and data protection impact assessments

In order to maintain necessary security as specified in Section 5 and generally to prevent processing in breach of this Personal Data Protection policy description and applicable law requirements, the Wilhelmsen group regularly assesses its exposure to potential risks inherent to the processing, and implements measures to mitigate the risks in accordance with the provisions in the Processing Personal Data procedure section 2.1 and the Risk policy and policy description.

7 Monitoring and internal audit

The Wilhelmsen group shall regularly monitor compliance with this Personal Data Protection policy description.