GENERAL PRIVACY NOTICE

Nordic Medical Clinic will comply with data protection law and principles, which means that your data will be:

• • • Used lawfully, fairly and in a transparent way.
    • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
    • Relevant to the purposes we have told you about and limited only to those purposes.
    • Accurate and kept up to date.
    • Kept only as long as necessary for the purposes we have told you about.
    • Kept securely.

Nordic Medical Clinic collects, stores, and processes personal data from its current and past patients and any other referrals from our customers endorsed to go through any of our medical and holistic health services. The kind of information we hold about you includes:

• • • Contact information, such as name, addresses, telephone numbers, email addresses, and other contact details.
    • Personal information, such as date and place of birth, nationality, immigration status, religion, civil status, government-issued IDS, etc.
    • Photographic and biometric data, such as photos, fingerprints, and signature specimens.
    • Sensitive information such as your health information and medical record.

Collection of your personal information starts upon endorsement from your manning agency. Further information is collected upon completing the appointment forms and as you go through the medical procedures necessary.

The collected personal data is used solely for the following purposes:

• • • Evaluation of your pre-employment medical exam
    • As basis for medical findings and recommendation
    • For status monitoring of the manning agency who endorsed you to take the medical service from NMC
    • Compliance to legal and/or regulatory requirements (e.g. MARINA, Flagstate requirements)
    • As means to communicate with you as part of our holistic health approach (e.g. Feedback Call)

For the purpose of statistical reporting requirement, your personal information is highly anonymized.

Sensitive data such as your medical data is used to consider whether you are fit for a specific role on-board a ship. It is required by law that all our seafarers are in adequate physical health, and it is our responsibility to ensure you meet the standards. For shore staff, we may use medical data to consider if you are eligible for a role which involves frequent travelling and to determine if you are fit to visit our managed vessels.

Why might we share your personal information with third parties?

We will only share your personal information with the following third parties for the purposes of communicating your “fit-to-work” status as part of their endorsement of pre-employment medical exam to complete your recruitment process:

• • • Internal customers being other companies in the OSM-Thome Group
    • External customers availing our medical services
    • Regulatory authorities, accrediting bodies and government agencies as support by applicable laws and permitted by our Privacy Policy.
    • Clinic Management System staff that performs system update

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality. Details of these measures may be obtained by contacting us at DPO@nordicmedical.no.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Should third parties need access to your personal data, we require a non-disclosure agreement and/or a data sharing agreement with them, in compliance with the DPA and the DPA-IRR.

Your paper and digital files are securely stored: employing physical security to safeguard the paper files and technical security to protect the digital files.

How long will we use your information for?

We keep your paper and digital files only for as long as necessary.

Your photographic data stored in our CCTV cameras will be stored until it is saved in the memory but not longer than 2 years. Some cameras have memory for a month of CCTV videos, and older ones for less. The cameras run continuously on a rolling basis, where older videos are overwritten as the memory fills up.

Your personal data, including medical records, shall be stored for fifteen (15) years in compliance with the Health Privacy Code of Joint Administrative Order No. 2016-0002.

When your personal data is no longer needed, we take reasonable steps to securely destroy such information or permanently de-identify it. Paper files are securely shredded; and electronic information is deleted. Once deleted, it will no longer be recoverable nor reproducible.

Your rights in connection with personal information Under certain circumstances, by law you have the right to:

• • • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
    • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
    • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
    • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
    • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
    • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact NMC’s Data Protection Office through the following channels:

Email to DPO@nordicmedical.no

Write to:

The Data Protection Officer Nordic Medical Clinic Unit 1B, Maria Daniel building

470 San Andres Street Corner M.H. Del Pilar Street

Malate, Manila

Where processing of your personal data is based on your consent, such as when you give permission to us to keep your data in our database, you have the right to withdraw your consent for processing at any time by contacting us at the above e-mail. Once we have received notification that you have withdrawn your consent, we will no longer process your data and, subject to our retention policy, we will dispose of your personal data securely.

If personal information of children is gathered this requires consent of the parent or guardian.

If you are under 18 years old (or a different age to reflect local legal requirement of your country), please do not send us your personal information, for example, your name, address, and email address. Availing any of NMC medical services will require you to submit your personal information, please get your parent or guardian to do so on your behalf.

Except in cases where NMC organizes corporate social responsibility programs specifically designed for children, we may collect personal information as applicable and reasonably accepted by law.

If you have any questions about this privacy notice or how we handle your personal information, please contact our privacy officer at privacyofficer@osm.no. You have the right to make a complaint at any time to the concerned supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance.

This Privacy Notice may be changed over time. You are advised to regularly review this Privacy Notice for possible changes. This Privacy Notice was last updated in June 2023.

Link to Online Privacy Notice