Privacy

IMCA abides by the six GDPR principles relating to the processing of personal data, i.e. that it should be:

1. Processed lawfully, fairly and in a transparent manner.
2. Collected for specified, explicit and legitimate purposes.
3. Adequate, relevant and limited to what is necessary.
4. Accurate and, where necessary, kept up to date.
5. Retained only for as long as necessary.
6. Processed in an appropriate manner to maintain security.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• Identity data may include your name, username or similar identifier, title, date of birth and gender.
• Contact data includes address, email address and telephone numbers.
• Financial data includes any bank details provided to us for supplier payment and customer refunds.
• Transaction data includes details about products and services you have purchased from us.
• Technical data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our online services.
• Profile data includes your username, interests, preferences, feedback and survey responses.
• Usage data includes information about how you use our online services, products and services.
• Communications and marketing data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We also collect, use and share aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity.

For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

Where it is not clear from a data collection form what data we are collecting, an additional notice will be provided, such as the website privacy notice on our website that sets details on our use of cookies and additional data collection via Google Analytics.

The following is a non-exhaustive list of data we collect and how we collect it. Where other methods are used, an additional data protection/privacy statement will normally be provided at the collection point and/or this policy updated.

• IMCA Account - online services may use a shared authentication system, which requires provision of names, email addresses and country for identity and authentication purposes. Additional data may then be provided via the online services as described below.
  
  
• Membership – IMCA is a membership organisation, with member companies that may provide personal data on those employees who are nominated to represent them. This data may additionally include a role or job title, to help verify the appropriateness of the nomination. We will notify such individuals of their nomination and our processing of their personal data on this basis.
  
  Data is used to provide a variety of member services. Names and company affiliations form part of a record of activity, such as minutes of committee meetings, proceedings of seminars and workshops, and as part of committee election materials. Business contact details may be shared with committee and workgroup members for the sole purpose of furthering IMCA’s published objectives and work programme. Such data is generally retained indefinitely, subject to the rights of data subjects to restrict processing.
  
  Additional information may be submitted by those seeking approval of training courses or data platforms. This data is processed in accordance with the terms and conditions of those approval schemes.
  
  
• Logbook sales – IMCA sells printed logbooks. We collect only that data which is necessary to identify the customer, deliver their goods, apply appropriate taxes and complete required accounting records. This data is retained in accordance with accounting rules.
  
  
• Events – IMCA organises a range of seminars, workshops and regional meetings, to which its members and selected others are invited. As part of this activity, only that data is collected which is required for contacting delegates about event arrangements and providing reports on event outcomes.
  
  Events may include photography and video recordings. Attendee details may be shared with venues and related service providers for security and registration services. Further details are set out in the event terms and conditions and on registration forms.
  
  Such data is retained in accordance with applicable laws and accounting rules (as needed for paid events, but also for non-paid events for simplicity).
  
  
• Certification and accreditation – IMCA runs certification and accreditation schemes for certain positions in the offshore industry. As part of this, we collect and process personal data relating to candidates and qualified personnel, which includes additional identity verification (such as passport or driving licence details), details of relevant certification and work history and a history of the application process, including examinations and resits. An online validation facility limits access to personal data to display of confirmatory details. IMCA CPD services, available for certain positions, use only that data necessary to enable login and tracking of user progress.
  
  Such data is generally retained permanently. This is required to ensure a robust system that ensures the competence of those working in highly safety critical positions in the offshore industry.
  
  
• Approved training – IMCA approves or recognises a limited number of technical training courses in the offshore industry. As part of this, approved training establishments report the names and other identifying data of participants (such as date or birth and/or passport number) and training history, which is used to verify the training history of IMCA certification candidates and as a back-up in case of provider closure. Data is kept for two years following expiry of a certificate’s validity. Training providers are required to inform participants of any such processing.
  
  
• CPD for Dynamic Positioning (DP) personnel – IMCA operators a dynamic positioning (DP) continuing professional development (CPD) system, in conjunction with The Nautical Institute (NI). A separate privacy policy for this joint initiative is available.
  
  
• eCMID vessel inspection system – IMCA maintains an electronic database for the inspection of vessels. Companies can register and provide such limited personal data as is necessary for contacting them with regard to use of the system, such as notifying when reports are available for review or a request for data access has been made. Accreditation details for vessel inspectors are also recorded and their inspection history may be shared with the Marine Surveying Academy – the accrediting body. This data is generally held for two years after a user account becomes inactive, except where it forms part of a vessel inspection record and is therefore retained for legitimate verification purposes.
  
  
• CCTV and door entry systems – The IMCA Secretariat offices use closed circuit television recording and door entry logs for security purposes, including deterrence and incident investigation. CCTV data is retained for two weeks, while door entry logs are retained for up to seven years, as part of the IMCA HR records.
  
  
• Services for external organisations – IMCA provides secretariat services to the organisations listed below. For the purposes of data protection, each listed organisation is the data controller, while IMCA processes data on their behalf. The separate privacy policies of each organisation make reference to the IMCA privacy policy. The ‘other business records’ point below applies equally to these organisations in respect of records of business activity and communications.
  
  
  • Diving Medical Advisory Committee – DMAC holds professional contact details for its members, whose names are published on its website at www.dmac-diving.org. DMAC operates an approval system for training in diving medicine and holds business contact details for training providers, publishing on its website those contact details made available for such purposes by those providers. All DMAC-related data is available to DMAC members via a secure intranet.
  • Offshore Mechanical Handling Equipment Committee – OMHEC holds professional contact details for its members, which are published on its website at www.omhec.com. All OMHEC-related data is available to OMHEC members via a secure intranet.
  • International Offshore Marine Operations Organisations Forum – IOMOOF holds professional contact details for its members, which are available to them with other IOMOOF-related data via a secure intranet.
    
    
• Other business records – IMCA maintains email, other electronic and physical records of business activities, which may contain personal data provided by individuals as part of normal business communications.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Where we need to perform the contract we are about to enter into or have entered into with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal obligation.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

IMCA uses industry leading online services and a variety of security software and hardware to ensure personal and other data is suitably protected by appropriate security measures.

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

A comprehensive cybersecurity review is undertaken regularly. Awareness programmes on data protection and security matters are operated for IMCA staff.

We may share your personal data within the IMCA group, which may involve transferring your data outside the UK.

Certain of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK.

It is sometimes necessary for IMCA to process data outside the UK, including outside the EU:

• IMCA staff may access data while travelling on IMCA business. Such access is controlled by appropriate cybersecurity controls.
• While IMCA data is generally stored within the UK and service providers provide UK-based support, advanced support may, from time to time, be provided from outside the UK and from countries not already verified by the UK as providing an adequate level of protection.
• For selected activities, IMCA may opt to use service providers which process data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it.

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Details of retention periods for different aspects of your personal data are available in our retention policy, which you can request from us by contacting us.

You have the following rights:

• The right to be informed – when we collect your data, we will tell you what data, why we are collecting it, how we will use it and how long we will store it for.
• The right to access – you have the right to access any personal data we hold about you and relevant supplementary information, so that you can verify the lawfulness of our processing (commonly known as a “data subject access request”).
• The right to rectification/correction – making sure that the data we hold about you is accurate and as complete as necessary for the purposes we hold it.
  The right to erasure – you can ask us to erase any personal data that we hold about you. This is not an absolute right, applying only in certain circumstances, but we will review any such requests and communicate with you openly about your rights and our actions.
• The right to restrict processing – you can permit us to store your data but ask us not to use it further (although again this applies only certain circumstances).
• The right to data portability – you can request from us any data that you have provided directly that you then wish to use for your own purposes across different services.
• The right to object – you can object to processing of your personal data and we must comply unless there are compelling legitimate grounds to the contrary.
  You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

For further details on any aspect of our privacy policy and data processing, to exercise any of the rights set out in section 2 or to make a complaint, please use the contact details shown in section 1.

You also have the right to lodge a complaint directly with a supervisory authority, such as the Information Commissioner’s Office (ICO) in the UK (or any other supervisory authority you prefer). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

The ICO has extensive guidance to your rights and our responsibilities on its website.

We keep our privacy policy under regular review. This version was last updated on 15 November 2024.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.