Data Protection and Privacy

Hydor Data Protection PolicyThis data protection policy applies to Hydor, which is based in Norway and operates globally. As an international company, it is Hydor's policy to fully comply with the requirements of the EU General Data Protection Regulation (GDPR), the UK Data Protection Act (DPA), the Norwegian Personal Data Act, and all other relevant data protection regulations in the jurisdictions in which we operate. We have implemented a robust data protection compliance framework to safeguard the personal information we control or process in connection with the services we provide.Who We AreHydor is a specialized Marine Underwriting Agent with its headquarters in Norway.Our clients typically include shipowners, ship operators, charterers of vessels, freight forwarders, and port operators. Hydor processes personal data to manage insurance policies and settle claims.Our contact details can be found at: https://hydor.no/contactSupervisory AuthoritiesThe Norwegian Data Protection Authority (Datatilsynet), NorwayThe UK Information Commissioner's Office (ICO), United KingdomThe European Data Protection Supervisor (EDPS)Definition of Personal Data‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or specific characteristics related to their physical, physiological, genetic, mental, economic, cultural, or social identity. Our Policies and StandardsHydor handles personal data with the highest level of care and only uses it for legitimate business purposes. We adhere to the following principles:Respect for the privacy rights of employees, customers, clients, business partners, and other individuals whose data we process.Implementation of appropriate technical and organizational measures to protect personal data.Obtaining personal data fairly and using it only for legitimate business purposes.Ensuring accountability by demonstrating compliance with applicable legal and regulatory requirements.Applying these principles across all Hydor AS entities worldwide, in line with internationally recognized privacy standards, GDPR, and UK/Norwegian data protection laws.Our Role as a Data ControllerWhat Kind of Personal Data Do We Process?We collect and process personal data only when necessary for business operations, regulatory compliance, or specific purposes provided by the individual. The types of data we may collect include:Personal Information: Name, age, gender, date of birth, nationality.Contact Information: Email, address, postcode, phone number.Online Information: Cookies, IP address (if you use our websites).Financial Information: Payment details related to insurance policies or claims.Contractual Information: Details regarding insurance policies and agreements.Additionally, we may process special category data under GDPR Article 9(2)(f), such as medical records, diagnoses, and injury/illness descriptions, when required for handling personal injury or illness claims. Such data is used strictly for the purposes for which it was provided.Why Do We Process This Data?Hydor AS processes personal data for various legitimate purposes, including:Compliance with financial crime and sanctions screeningUnderwriting risk assessment and service provisionAccounting, invoicing, and payment processingClaims investigation and fulfillmentLoss prevention assessmentsMarketing and promotion of servicesManagement of service providers, auditors, clients, and employeesRegulatory compliance and general business administrationWho Do We Share Personal Data With?Hydor ensures that only authorized employees access and process personal data on a need-to-know basis. We may also share personal data with the following third parties, ensuring compliance with cross-border data protection laws:Service providers and IT support companiesProfessional advisors, including auditors, reinsurers, medical agencies, and legal consultantsClients who have provided the data to usWhen necessary, we apply EU model contract clauses to ensure adequate safeguards are in place for data transfers outside the EU and UK.How Long Do We Keep Personal Data?We retain personal data only as long as necessary for business, regulatory, and compliance purposes. We follow GDPR’s data minimization and storage limitation principles, ensuring data is securely stored and only accessible to authorized personnel. When no longer required, personal data is securely deleted unless legal or regulatory obligations require its retention.Legal Basis for Data ProcessingWe only process personal data where a valid legal basis applies. These include:Consent – Processing based on explicit consent from the individual.Contractual Necessity – Processing required to fulfill a contractual obligation.Legal Obligation – Compliance with legal or regulatory requirements.Insurance Purpose – Processing required for claims handling.Legitimate Interests – Where processing is necessary and does not override an individual’s rights.Your Rights Under GDPR (EU) & UK Data Protection LawsUnder the GDPR and UK Data Protection Act, individuals have the following rights regarding their personal data:Right of Access – Obtain a copy of personal data.Right to Rectification – Request corrections to inaccurate data.Right to Data Portability – Receive data in a structured format.Right to Object – Object to processing for legitimate interest purposes.Right to Restrict Processing – Limit how data is used in certain cases.Right to Be Forgotten – Request deletion of personal data unless legal obligations require retention.Right to Object to Automated Decision-Making – Avoid decisions made solely by automated processes.To exercise these rights, requests must be made in writing to our Data Protection Officer.Contact InformationData Protection OfficerAllen HanEmail: [email protected] remains committed to protecting personal data and ensuring compliance with global data protection regulations. If you have concerns about how we handle your data, you have the right to contact the relevant data protection authorities or file a complaint with the European Data Protection Board (EDPB): https://edpb.europa.eu/about-edpb/board/members_en. 

Teresa Ho

Teresa is an experienced marine claims handler in various capacities. She worked as P&I correspondent and for a Shipowner which allows her to understand the practical aspects of P&I claims and the business needs of our Clients. She is familiar on matters pertaining to claims, defence and recovery. Teresa is committed to managing risks and solving problems for clients and applies her knowledge keenly in these areas.