Personal Data Policy
OEE data policy guidelines
Who is responsible for data processing
The Communication & Events Director, currently Amy Parsons, is the GDPR representative at Ocean Energy Europe (OEE) and takes responsibility for data protection issues.
The GDPR representative is responsible for ensuring that data processing within the organisation is done in accordance with the law. Furthermore, she/he is responsible for updating the data processing rules and making sure everybody stays informed.
The GDPR representative is the contact point for data protection regulatory authorities.
A dedicated email address is used for all correspondence relating to data protection issues: firstname.lastname@example.org
Due to the nature of Ocean Energy Europe’s work, personal data is handled at all levels of the organisation, by all members of the secretariat.
What data is processed by Ocean Energy Europe
Ocean Energy Europe handles the following data on stakeholders in the ocean energy sector, which is needed for its day-to-day business.
- First and last name
- Job title
- Phone number
- Member of OEE
- OEE Membership Category
- Organisation type
- Area of business
- Preferred language
- Political party
- Member of OEE working group
- Member of European Parliament Committee or Working Group
- Member of OEE Board of Directors
Ocean Energy Europe also tracks the following information on emails sent to contacts:
- How many times and when an email was opened
- How many times and when links were clicked on in the email
- Whether a contact wishes to receive or does not wish to receive further correspondence
Ocean Energy Europe handles the following information on its staff:
- First and Last names
- Job titles
- Personal email
- Phone numbers
- Home address
- Bank account details
- Work history / CVs
- Work contracts
- Personal Identification Cards or Passports
- Holiday details
Ocean Energy Europe handles the following information on its Board of Directors:
- First and last name
- Job title
- Position at OEE
- Professional email
- Phone numbers
- Home address
- Personal identification cards
Why Ocean Energy Europe handles this personal data
Ocean Energy Europe is actively promoting ocean energy in Europe and worldwide. It coordinates international policy, communications, research and analysis. Ocean Energy Europe analyses, formulates and establishes policy positions for the ocean energy industry on key strategic sectoral issues, cooperating with industry and research institutions on a number of market development and technology research projects, some of which are funded by the EU.
Additionally, the lobbying activities undertaken by Ocean Energy Europe help create a legal framework within which members can develop their businesses. Ocean Energy Europe produces information tools and manages campaigns aimed at raising awareness about the benefits of ocean energy and enhancing social acceptance, dispelling myths about ocean energy and providing access to credible information. Ocean Energy Europe organises numerous events, such as conferences, exhibitions, launches, seminars and workshops.
Ocean Energy Europe handles data on external contacts for the purpose of performing these tasks. This data is held as Ocean Energy Europe has a legitimate interest in it.
Ocean Energy Europe handles data for members of staff in order to conduct human resources services, pay salaries, provide non-salary benefits such as insurance, Cheque repas payments, expense payments, etc.
Ocean Energy Europe handles data for its Board of Directors so that it can meet its legal obligations under Belgian law, and register the Board members on the Moniteur Belge.
Where Ocean Energy Europe stores data
Ocean Energy Europe holds data on external contacts in the following places:
- Internal contact database: Held on a secure server, located on Ocean Energy Europe’s premises.
- Mailchimp mailing system: Secure, cloud-based platform used for sending emails to OEE members and other stakeholders. Mailchimp’s servers are located in the USA. Because Mailchimp certifies to the Privacy Shield framework, they can lawfully receive EU data.
- Secretariat computers: Contact information stored in MS Outlook, on secure staff computers
- OEE website: The back-end of the OEE website stores information on members, in order to allow them to access the secure area of the OEE website.
Ocean Energy Europe holds data on staff and the Board of Directors in password protected areas of its secure server. This server is located on OEE’s premises.
Until when does Ocean Energy Europe hold personal data
Ocean Energy Europe holds information on contacts for a period of up to two years. Every two years a full audit of external contacts is then performed in order to assess whether OEE still has a legitimate interest in holding this personal information. Personal data which is no longer required is removed from OEE’s records.
External contacts can request that their information be removed from OEE’s records at any time. An email address has been created to facilitate this.
Ocean Energy Europe holds personal data on staff and directors during their tenure and up to six years after they have left the organisation. At this point, all information will be removed from OEE’s records.
How does OEE protect personal data
Internal contact database
Personal data held in Ocean Energy Europe’s contact database is accessible only by the OEE secretariat. Furthermore, it is protected by password. The server where this information is held is located in a secure location within Ocean Energy Europe’s premises.
In addition, sensitive information such as passports is held in secure, password protected areas of the OEE server, which are accessible by a limited number of OEE staff, currently three members.
Mailchimp contact system
Basic information for mailing purposes is held on the Mailchimp platform. This system is password protected, and accessible only by a limited number of the OEE staff, currently three members.
Furthermore, Ocean Energy Europe has secured a data processing agreement with Mailchimp. Because MailChimp certifies to the Privacy Shield framework, they can lawfully receive EU data.
Consent for inclusion in OEE’s Mailchimp system is given via a double opt-in process when possible. Users are free to opt out of the system when they so wish.
Ocean Energy Europe holds data in a secure area of its website, in order to allow people to access the online OEE members area. This information is protected by password, and is only accessible to 2 members of the OEE secretariat. Password information is not accessible by the OEE secretariat.
Guidelines for personal computers
Information on computers, used for day-to-day work, is password protected and accessible only by the member of staff responsible for that computer. If computers containing personal data are lost or stolen, the member of staff responsible for that computer MUST report this to the Data Protection Representative within 24 hours.
Guidelines for a data breach
If a data breach occurs, for example computers containing personal data are lost or stolen, or an unauthorised person gains access to secured areas of the OEE server, the member of staff responsible for that computer MUST report this to the Data Protection Representative within 24 hours. The Data Protection Representative will then alert the Data Protection Authorities about this data breach.
Furthermore, following a data breach, a report will be produced investigating the data breach and providing recommendations on how to improve security measures in the future.
Guidelines for hard copies of personal data
- Ask, if you don’t know who needs to handle personal data in your possession.
- Shred, if in doubt over whether the data you have copied constitutes personal data before binning it.
Protection against identity theft
The risk of identity theft or people’s personal information being divulged increases when files and documents are disposed of. To minimise the risk of personal data being gathered without authorisation or unlawfully, OEE staff must:
- Shred paper or other hard copy documents before binning them.
- Store electronic files and documents on the protected part of OEE’s server.
- Refrain from making unnecessary copies, forwarding, or otherwise disseminating personal data to third parties or people within the organisation that do not need to handle the data.
Personal information pertaining to employees or Board members must be stored in the secure part of the server. Not all OEE staff have access to the secure part of the server. In this case, staff handling personal data must seek their line manager’s advice.
Hard copies that MUST BE SHREDDED or electronic copies that MUST BE STORED IN SECURE SERVER and removed from non-secure locations include but are not limited to:
- Copies of IDs/passports
- Documents with bank account information
- Documents with national identification number, mutuelle number, other insurance information
- Home address and personal phone numbers or e-mail addresses
- Work contracts and draft work contracts, other correspondence related to a person’s state of employment
- Documents containing salary/wage information
- Documents with Chèque Repas card number
- Documents with marital status or information about family and dependents