Last revised on 6 February 2025
Hydor Data Protection Policy
This data protection policy applies to Hydor, which is based in Norway and operates globally. As an international company, it is Hydor's policy to fully comply with the requirements of the EU General Data Protection Regulation (GDPR), the UK Data Protection Act (DPA), the Norwegian Personal Data Act, and all other relevant data protection regulations in the jurisdictions in which we operate. We have implemented a robust data protection compliance framework to safeguard the personal information we control or process in connection with the services we provide.
Who We Are
Hydor is a specialized Marine Underwriting Agent with its headquarters in Norway.
Our clients typically include shipowners, ship operators, charterers of vessels, freight forwarders, and port operators. Hydor processes personal data to manage insurance policies and settle claims.
Our contact details can be found at: https://hydor.no/contact
Supervisory Authorities
- The Norwegian Data Protection Authority (Datatilsynet), Norway
- The UK Information Commissioner's Office (ICO), United Kingdom
- The European Data Protection Supervisor (EDPS)
Definition of Personal Data
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or specific characteristics related to their physical, physiological, genetic, mental, economic, cultural, or social identity.
Our Policies and Standards
Hydor handles personal data with the highest level of care and only uses it for legitimate business purposes. We adhere to the following principles:
- Respect for the privacy rights of employees, customers, clients, business partners, and other individuals whose data we process.
- Implementation of appropriate technical and organizational measures to protect personal data.
- Obtaining personal data fairly and using it only for legitimate business purposes.
- Ensuring accountability by demonstrating compliance with applicable legal and regulatory requirements.
- Applying these principles across all Hydor AS entities worldwide, in line with internationally recognized privacy standards, GDPR, and UK/Norwegian data protection laws.
Our Role as a Data Controller
What Kind of Personal Data Do We Process?
We collect and process personal data only when necessary for business operations, regulatory compliance, or specific purposes provided by the individual. The types of data we may collect include:
- Personal Information: Name, age, gender, date of birth, nationality.
- Contact Information: Email, address, postcode, phone number.
- Online Information: Cookies, IP address (if you use our websites).
- Financial Information: Payment details related to insurance policies or claims.
- Contractual Information: Details regarding insurance policies and agreements.
Additionally, we may process special category data under GDPR Article 9(2)(f), such as medical records, diagnoses, and injury/illness descriptions, when required for handling personal injury or illness claims. Such data is used strictly for the purposes for which it was provided.
Why Do We Process This Data?
Hydor AS processes personal data for various legitimate purposes, including:
- Compliance with financial crime and sanctions screening
- Underwriting risk assessment and service provision
- Accounting, invoicing, and payment processing
- Claims investigation and fulfillment
- Loss prevention assessments
- Marketing and promotion of services
- Management of service providers, auditors, clients, and employees
- Regulatory compliance and general business administration
Who Do We Share Personal Data With?
Hydor ensures that only authorized employees access and process personal data on a need-to-know basis. We may also share personal data with the following third parties, ensuring compliance with cross-border data protection laws:
- Service providers and IT support companies
- Professional advisors, including auditors, reinsurers, medical agencies, and legal consultants
- Clients who have provided the data to us
When necessary, we apply EU model contract clauses to ensure adequate safeguards are in place for data transfers outside the EU and UK.
How Long Do We Keep Personal Data?
We retain personal data only as long as necessary for business, regulatory, and compliance purposes. We follow GDPR’s data minimization and storage limitation principles, ensuring data is securely stored and only accessible to authorized personnel. When no longer required, personal data is securely deleted unless legal or regulatory obligations require its retention.
Legal Basis for Data Processing
We only process personal data where a valid legal basis applies. These include:
- Consent – Processing based on explicit consent from the individual.
- Contractual Necessity – Processing required to fulfill a contractual obligation.
- Legal Obligation – Compliance with legal or regulatory requirements.
- Insurance Purpose – Processing required for claims handling.
- Legitimate Interests – Where processing is necessary and does not override an individual’s rights.
Your Rights Under GDPR (EU) & UK Data Protection Laws
Under the GDPR and UK Data Protection Act, individuals have the following rights regarding their personal data:
- Right of Access – Obtain a copy of personal data.
- Right to Rectification – Request corrections to inaccurate data.
- Right to Data Portability – Receive data in a structured format.
- Right to Object – Object to processing for legitimate interest purposes.
- Right to Restrict Processing – Limit how data is used in certain cases.
- Right to Be Forgotten – Request deletion of personal data unless legal obligations require retention.
- Right to Object to Automated Decision-Making – Avoid decisions made solely by automated processes.
To exercise these rights, requests must be made in writing to our Data Protection Officer.
Contact Information
Data Protection Officer
Allen Han
Email: [email protected]
Hydor remains committed to protecting personal data and ensuring compliance with global data protection regulations. If you have concerns about how we handle your data, you have the right to contact the relevant data protection authorities or file a complaint with the European Data Protection Board (EDPB): https://edpb.europa.eu/about-edpb/board/members_en.