

Partner Ship Design
Kai H.E. Bunge, Siegfried Schindler GbR
UST.-Nr. DE 118 372 933

State of the Art Cruise Ship Design GmbH
HR 112409 | AG Hamburg

20354 Hamburg

1. Purpose of the data protection policy 

These guidelines describe the company’s measures for implementing the requirements of the EU Basic Data Protection Regulation (DS-GVO) and apply throughout the company. All employees and external service providers directly or indirectly involved in processing personal data (processors) are required to comply with the statutory requirements under DS-GVO with regard to handling personal data. An exception is permitted only after documented approval from management.

2. Lawfulness, processing in good faith, and transparency

Personal data may be processed only if there is a legal basis pursuant to Art. 6 DS-GVO or the verifiable approval by the data subject pursuant to Art. 7 DS-GVO. To the extent possible, personal data are always to be collected directly from the data subject so that the data subject knows which data are stored about him. In this respect, the data subject will be fully notified pursuant to Art. 13 DS-GVO. With regard to collection and storage of personal data without the knowledge of the data subject, the notification duties pursuant to Art. 14 DS-GVO with regard to the data subject will be ensured. The right to information stated in Art. 15 DS-GVO will be observed. The principles of purpose specification, data minimization, accuracy, storage limitation, integrity, confidentiality, and availability will be considered.

3. Data processing

Compliance with the requirements of DS-GVO is the precondition and basis for processing personal data. To that end, the relevant data processing procedures will be recorded on the basis of the requirements of Art. 30 DS-GVO with the goal of creating transparency.

3.1 Technical and organizational measures

To ensure data protection, technical and organizational measures for data protection will be established based on the requirements of Art. 5, 25, and 32 DS-GVO. With regard to definition and implementation, the type and resulting need for protection of the processed personal data are considered.

3.2 Procedural protective measures

The procedural protective measures will be planned, implemented, and constantly monitored while considering the personal data to be processed, the location of the data processing, and the individuals involved in the data processing. In this regard, the latest technical standards and the need for protection of the data processing will be considered. The goal of only collecting, processing, and using personal data that are absolutely necessary for the processing procedure will be taken into account. For any data processing, a review will be conducted on the extent to which

  • lawfulness,

  • processing in good faith,

  • transparency,

  • purpose specification,

  • data minimization,

  • accuracy,

  • storage limitation,

  • integrity, confidentiality and availability

are considered in view of existing or future risks in terms of data processing, the latest technical standards, and the implementation costs.

3.3 Data protection impact assessments

A procedure for data protection impact assessment will be initiated insofar as the planned processing procedure contains particular risks for the rights and freedoms of the data subjects. Remedies will be planned and implemented for the identified risks. They can include guarantees, security precautions, and procedures that fully assure the protection of personal data. If the data protection impact assessment reveals a high risk to the personal data and the data subject that cannot be reduced through additional measures, we agree to consult with the competent authority.

4. Rights of data subjects

Any subject of the data processing has the right to correction, restriction, and deletion of his personal data. Correction, restriction, and deletion requests that are received will be documented, reviewed, and implemented by the body responsible for data protection of the company and by the controller. This will also take into account any processors and recipients of the subject’s personal data. The data subject will receive a response about this. Upon request, we will provide the data subject with the personal data provided to us in a structured, conventional, and computerized format. If technically possible, we will also provide the data directly to another controller.

5. Data protection violation and reporting duty

A documentation procedure for any and all violations of the protection of personal data has been established. All employees, processors, and service providers involved in the processing activities must report any violation of protection of personal data immediately to management. Management will decide in cooperation with the data protection officer on further actions and any associated reporting duty to regulators and any notifications of the data subjects.
