Skip to navigationSKip to content

Privacy Policy

1. Purpose

1.1 The purpose of the Privacy Policy is to outline the obligations of Dragonfly Shipping Inc. (the “Company”) to ensure compliance with applicable privacy laws and requirements. This Policy should be read in conjunction with the Company’s Privacy Procedures.

1.2 This policy applies to all officers, employees, independent delivery contractors and contractors of the Company. It is the responsibility of all to comply with this policy.

2. Privacy policy requirements

2.1 The Privacy Policy sets out the minimum rules (Data Privacy Principles) that apply whenever and wherever the Company collects and processes personal data. The Data Privacy Application Principles reflect the benchmark for processing personal data across the Company, where:

  • personal data means all information relating to any identifiable individual.
  • process and processing covers everything we might do with personal data.

2.2 The lawful and correct handling of personal data is critical. At its simplest, people need to be able to trust the Company to respect their privacy and how we handle their personal data when working with us or doing business with us.


2.3
In addition, we need to comply with privacy and data protection laws where we operate. Applying the Data Privacy Application Principles in this Policy will help us to do this. Failure to comply with these principles could lead to financial and reputational damage to the Company, as well as resulting in a loss of trust from the individuals we employ, engage or do business with.

2.4
We must comply with the Data Privacy Application Principles and also with local laws that apply to the processing of personal data.

3. Data privacy application principles

The following Data Privacy Principles reflect the minimum rules that apply to the processing of personal data at the Company.

3.1
Our processing of personal data is lawful, fair and transparent.

3.2 Lawful basis for processing. We will only process personal data:

  • for the legitimate business purpose we collected it for, as explained in a privacy statement;
  • for other purposes that the data subject (the person that the data relates to) consents to;
  • where necessary for the performance of a contract with the data subject;
  • if the processing is required in order to comply with our legal obligations; or
  • if the processing is expressly permitted under local data privacy laws and the relevant personal data originates in that jurisdiction.

3.3 Notification of processing. We will notify data subjects that we’re collecting their personal data, by providing a privacy statement at or before the time we collect personal data from them.

3.4 We limit our personal data processing.

3.5 Purpose limitation. Our personal data processing must be for specific and limited purposes, as notified to the data subject. If we process personal data for a different purpose than that notified, we need to inform the relevant data subject(s) of that new purpose (in accordance with Data Privacy Application Principle 3.1).

3.6 Data minimization. We must process only that amount of personal data that we need for the relevant processing purpose. Our personal data processing must be adequate, relevant and not excessive.

3.7 We maintain data quality. When we process personal data, we take reasonable steps to ensure that the personal data is accurate and where necessary, is kept up to date.

3.8 We are careful with sensitive information. Sensitive information is a type of personal data that is of a particularly private nature and includes (among other things) personal data about a person’s race, ethnic origins, trade union membership and health information. We must ensure that sensitive information is processed only when necessary and only if:

  • the data subject consents; or
  • if processing is:
    • required in order to comply with our legal obligations,
    • is expressly permitted under local data privacy laws and the relevant personal data
    • originates in that jurisdiction; or
    • necessary to prevent or lessen a serious and imminent threat to the life, health or safety of any person.

3.9 We protect our disclosures of personal data. We protect disclosures of personal data (including but not limited to when it is transferred across national borders) as follows:

  • Disclosures outside the Company: If we need to disclose personal data outside the Company (for example, to an external service provider or to a third party who is authorized to receive the personal data), we must ensure that:
    • the disclosure is protected by contractual data privacy clauses approved by Legal. This must include an assessment of whether any transfers across national borders comply with applicable data privacy laws;
    • the relevant data subjects have consented to the disclosure; or
    • the disclosure is otherwise required by law or is or is expressly permitted under local data privacy laws and the relevant personal data originates in that jurisdiction.
  • Disclosures within the Company are protected by the Data Migration Procedure if it is necessary to share personal data outside of the jurisdiction where the personal data was first collected.

3.10 We must secure personal data. General data security obligations: Personal data must be kept secure and protected against accidental, unauthorized or unlawful processing, including against loss and unauthorized access, destruction, misuse, modification or disclosure. This means ensuring that the Company has appropriate technical and organizational measures in place. Data security obligations apply whether personal data is stored in hard copy form (for e.g. paper) or in electronic form (for e.g. in databases). The key rules are:

  • access to personal data about other people should be on a “need to know” basis only;
  • each department must implement the Data Privacy Policy and Procedures and adhere to the Acceptable Use Policy to ensure that appropriate physical, technical and organizational security measures are in place at all stages of the personal data ‘life cycle’; and

3.10 We must secure personal data. General data security obligations: Personal data must be kept secure and protected against accidental, unauthorized or unlawful processing, including against loss and unauthorized access, destruction, misuse, modification or disclosure. This means ensuring that the Company has appropriate technical and organizational measures in place. Data security obligations apply whether personal data is stored in hard copy form (for e.g. paper) or in electronic form (for e.g. in databases). The key rules are:

3.11 Internal reporting of data privacy incidents. Data Privacy Incidents are Company reportable incidents under the Data Privacy Procedure. Each Data Privacy Incident must be immediately to the Privacy Officer and the data privacy breach may be required to be reported to the relevant regulator.

3.12 We limit retention of personal data. Personal data must be kept only for as long as necessary for the lawful purpose for which it is processed (as notified to the relevant individuals), or for the time required or permitted under local laws (whichever is the shorter). After such time, records containing personal data must be securely destroyed (in the case of physical records) or permanently deleted (in the case of electronic records) in accordance with the Company’s Records Retention Procedure or applicable local laws (whichever imposes the strictest obligations).

3.13 We respect data subject rights. Data subjects have the right to:

  • seek access to personal data that the Company holds about them;
  • seek correction of inaccurate, incomplete or out of date personal data;
  • seek erasure of their personal data;
  • be provided with information about how their personal data is processed;
  • ask for processing of their personal data to cease (particularly if the processing is likely to cause damage or distress, or if the processing is for direct marketing purposes);
  • be notified if the Company business has made a decision about the data subject that is based on automated data processing alone (so that the data subject can ask for a review of the decision, if necessary);
  • complain about the processing of their personal data; or
  • withdraw previously given consent regarding the Company’s processing of their personal data

There are legal exceptions to the exercise of these rights, and the Company will review each request on a case-by-case basis, by referring to the laws of the country where the data subject is located.

Requests from data subjects to access their rights should be referred to the Privacy Officer.

3.14 We limit retention of personal data. Personal data must be kept only for as long as necessary for the lawful purpose for which it is processed (as notified to the relevant individuals), or for the time required or permitted under local laws (whichever is the shorter). After such time, records containing personal data must be securely destroyed (in the case of physical records) or permanently deleted (in the case of electronic records) in accordance with the Company’s Records Retention Procedure or applicable local laws (whichever imposes the strictest obligations).

3.15 We apply Privacy by Design. We must:

  • integrate data privacy compliance measures into our personal data processing activities; and
  • consider individual privacy rights from the outset of each new personal data processing activity.

3.16 We will undertake a Privacy Impact Assessment when we introduce a new personal data processing technology, or whenever new personal data processing or changes to existing personal data processing is likely to result in a risk to the rights of data subjects.

3.17 We don’t spam. We must limit our use of personal data to send marketing communications. All marketing communications (however distributed) must:

  • clearly identify the relevant Company business or Company as the sender, and how it can be contacted;
  • be sent with the consent of the recipient/data subject (which may be able to be implied from an existing business relationship or shareholding); and
  • contain an unsubscribe or opt out facility. Opt outs must be acted upon and records amended accordingly.

4. Questions and contact

4.1 For any questions about this Policy or any request regarding your data, you can contact our Privacy Officer by email at the following address contact@dragonflyshipping.us. We will make every effort to process your request quickly.

Definitions

Consent of a data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes.

Data Privacy Incident means a known or suspected breach of the data security obligations in Data Privacy Application Principle 3.10; or any of the other Data Privacy Application Principles in this Data Privacy Policy.

Data Privacy Application Principles: the principles in the Data Privacy Policy that the Company and staff and contractors must apply when processing personal data.

Data subject: the individual to whom personal data relates.

Company business: includes all subsidiaries, corporate offices and operations in the Company.

Legitimate business purpose: a purpose that is directed at the Company achieving its business objectives and that complies with all relevant laws and regulations.

Marketing communications: means communications and publications that have a purpose of marketing or promoting the Company or its products, but does not include communications from Company to its employees that relate to the administration of the employment relationship.

Personal data: all information relating to any identifiable individual.

Privacy Impact Assessment means an assessment of the impact of proposed processing operations on the rights and freedoms of data subjects, and the protection of personal data.

Privacy Statement: a notice that needs to be provided to data subjects when we collect their personal data.

Processing: all actions taken in relation to personal data including collecting, using, disclosing, recording, organizing, storing, transferring, amending, deleting, destroying, retrieving, accessing, hosting or otherwise handling.

Sensitive information: personal data (including information or an opinion) about an individual’s racial or ethnic origin, political opinions and memberships, religious or philosophical beliefs or associations, trade union membership, criminal record, health or the health services they have received or details of sexual life.