BCR, DPO and judicial data

1. Can you please explain a bit if having BCRs in place we will be compliant with the GDPR?

Binding Corporate Rules are internal rules for data transfers within multinational companies. Binding corporate rules are like a code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection. So, they are only useful when it comes to performing intragroup data transfers.

2. Are any specific requirements on how to process data about the health of our contractors?

Health data is special category data and you can only process it in your case if you have a legal obligation dictated by the health and safety maritime laws. For example, you can ask the staff you employ as sailors to bring proof that their health condition allows them to perform specific tasks.

3. How about judicial data? We are required to ask for the criminal record of the crew before hiring them.

The same rules apply to judicial data as well. However, you should only ask for a criminal record but not for documents pertaining to the specific offenses that a person committed.

4. Do we need to have a data protection officer?

Depending on the size of the company and also if you are your core activities consist of processing sensitive personal data on a large scale (including processing information about criminal offenses) you may need a DPO. Since I know that your company is not so big and your core business does not consist in processing sensitive data would say you don`t need a DPO.

5. Do we need to register as processing health and judicial data?

This is dependent on where your company is registered. As far as I know, Greece does not require companies that process personal data to register to the Data Protection Authority.