IMCA is a data controller. It can be contacted as follows:
Mail: IMCA, 52 Grosvenor Gardens, London SW1W 0AU, UK
Data protection contact: Adam Hugo
Registered with the UK Information Commission’s Office.
IMCA is a trade association representing and providing services to member companies, with the goal of improving performance in the marine contracting industry. Data is generally collected and processed to fulfil contractual obligations of membership, or for the purposes of publication supply, event participation and/or other relevant activities. We consider that we have a legitimate interest in collecting and processing data for these purposes in order to advance the goal set out above.
2 Your rights and your privacy
Under relevant laws, such as the EU General Data Protection Regulation (GDPR), data subjects have the following rights:
- The right to be informed – when we collect your data, we will tell you what data, why we are collecting it, how we will use it and how long we will store it for
- The right to access – you have the right to access any personal data we hold about you and relevant supplementary information, so that you can verify the lawfulness of our processing
- The right to rectification – making sure that the data we hold about you is accurate and as complete as necessary for the purposes we hold it
- The right to erasure – you can ask us to erase any personal data that we hold about you. This is not an absolute right, applying only in certain circumstances, but we will review any such requests and communicate with you openly about your rights and our actions
- The right to restrict processing – you can permit us to store your data but ask us not to use it further (although again this applies only certain circumstances)
- The right to data portability – you can request from us any data that you have provided directly that you then wish to use for your own purposes across different services
- The right to object – you can object to processing of your personal data and we must comply unless there are compelling legitimate grounds to the contrary.
3 Our responsibilities
IMCA abides by the six GDPR principles relating to the processing of personal data, i.e. that it should be:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and, where necessary, kept up to date
- retained only for as long as necessary
- processed in an appropriate manner to maintain security.
4 Data we collect
For most purposes, the data we collect will be limited to your name, the company you work for and your contact details (email address, telephone number and street address), which are needed for us to provide our services – e.g. to contact you, to deliver goods, to filter distribution lists so that you only receive relevant information. A failure to provide required data may mean that we are not able to provide such services to you.
The following is a non-exhaustive list of data we collect. Where other methods are used, an additional data protection/privacy statement will be provided at the collection point and/or this policy updated.
- Membership – IMCA is a membership organisation, with member companies that may provide personal data on those employees who are nominated to represent them. This data may additionally include a role or job title, to help verify the appropriateness of the nomination. We will notify such individuals of their nomination and our processing of their personal data on this basis. Data is used to provide a variety of member services. Names and company affiliations form part of a record of activity, such as minutes of committee meetings, proceedings of seminars and workshops, and as part of committee election materials. Business contact details may be shared with committee and workgroup members for the sole purpose of furthering IMCA’s published objectives and work programme. Such data is generally retained indefinitely, subject to the rights of data subjects to restrict processing.
- Publication sales – IMCA sells printed logbooks, electronic guidance documents and other publications. It collects only that data which is necessary to identify the customer, deliver their goods, apply appropriate taxes and complete required accounting records. This data is retained in accordance with accounting rules.
- Events – IMCA organises a range of seminars and workshops, to which its members and selected others are invited. As part of this activity, only that data is collected which is required for contacting delegates about event arrangements and providing reports on event outcomes. Such data is retained in accordance with accounting rules (as needed for paid events, but also for non-paid events for simplicity).
- Accreditation and certification – IMCA runs accreditation and certification schemes for certain positions in the offshore industry. As part of this, it collects and processes personal data relating to candidates and qualified personnel, which includes additional identity verification (such as passport or driving licence details), details of relevant certification and work history and a history of the application process, including examinations and resits. An online validation facility limits access to personal data to display of confirmatory details. An IMCA CPD app, available for certain positions, uses only that data necessary to enable login and tracking of user progress. Such data is generally retained permanently. This is required to ensure a robust system that ensures the competence of those working in highly safety critical positions in the offshore industry.
Approved training – IMCA approves or recognises a limited number of technical training courses in the offshore diving industry. As part of this, approved training establishments report the names and other identifying data (such as date or birth and/or passport number) and training history, which is used to verify the training history of IMCA certification candidates and as a back-up in case of provider closure. Data is kept for two years following expiry of a certificate’s validity. As contact details are not shared with IMCA, the training establishments are required to inform trainees of this processing.
- eCMID vessel inspection system – IMCA maintains an electronic database for the inspection of vessels. Companies can register and provide such limited personal data as is necessary for contacting them with regard to use of the system, such as notifying when reports are available for review or a request for data access has been made. Accreditation details for vessel inspectors are also recorded and their inspection history may be shared with the Marine Surveying Academy – the accrediting body. This data is generally held for two years after a user account becomes inactive, except where it forms part of a vessel inspection record and is therefore retained for legitimate verification purposes.
- CCTV and door entry systems – The IMCA secretariat offices use closed circuit television recording and door entry logs for security purposes, including deterrence and incident investigation. CCTV data is retained for two weeks, while door entry logs are retained for up to 7 years, as part of the IMCA HR record.
- Diving Medical Advisory Committee (DMAC) – DMAC holds professional contact details for its members, whose names are published on its website at www.dmac-diving.org. DMAC operates an approval system for training in diving medicine and holds business contact details for training providers, publishing on its website those contact details made available for such purposes by those providers. All DMAC-related data is available to DMAC members via a secure intranet.
- Offshore Mechanical Handling Equipment Committee (OMHEC) – OMHEC holds professional contact details for its members, which are published on its website at www.omhec.com. All OMHEC-related data is available to OMHEC members via a secure intranet.
- International Offshore Marine Operations Organisations Forum (IOMOOF) – IOMOOF holds professional contact details for its members, which are available to them with other IOMOOF-related data via a secure intranet.
- Other business records – IMCA maintains email, other electronic and physical records of business activities, which may contain personal data provided by individuals as part of normal business communications. This is processed in line with the six GDPR principles, with a document and data retention policy setting out retention periods appropriate to business needs and legal requirements.
5 How we protect your data
IMCA uses industry leading online services and a variety of security software and hardware to ensure personal and other data is suitably protected. A comprehensive cybersecurity review is undertaken regularly. Awareness programmes on data protection and security matters are operated for IMCA staff.
6 Provision of data to/processing by third parties
IMCA will comply with any legal requirements to provide data to national authorities.
For the purposes of providing services as per contractual agreements and other legitimate business interests, IMCA may provide personal data to courier and mailing companies to enable delivery of documents and other physical goods. IMCA reviews the capabilities and policies of such providers before using them.
Selected candidate data may be entered into a third-party system for the purposes of running examinations via a secure website. IMCA has verified that the provider of this system has appropriate policies and protections in place to maintain the security and privacy of candidates.
It is sometimes necessary for IMCA to process data outside the EU:
- IMCA staff may access data while travelling on IMCA business. Such access is controlled by appropriate cybersecurity controls.
- While IMCA data is generally stored within the EU and service providers provide EU-based support, advanced support may, from time to time, be provided from outside the EU and from countries not already verified by the EU as providing an adequate level of protection. Where this is the case, IMCA reviews the capabilities and policies of such service providers and uses any available restrictions to limit access to that required for the support case.
- For selected activities, IMCA may opt to use service providers which process data outside the EU. Where this is the case, IMCA reviews the capabilities and policies of such service providers and specifically advises individuals about such processing in advance.
7 Further information and contacts
You also have the right to lodge a complaint directly with a supervisory authority, such as the Information Commissioner’s Office (ICO) in the UK (or any other EU supervisory authority you prefer).
The ICO has extensive guidance to your rights and our responsibilities on its website (ico.org.uk).