Privacy Policy

Protection of Personal Data Policy

Purpose:

MOL Maritime (India) Private Limited (“MOLMI” or "Company") recognizes the importance of safeguarding personal data and respecting individuals' privacy rights. This Personal Data Protection Policy outlines our commitment to protect personal data of employees, seafarers, customers, stakeholders and other interested parties in accordance with various Data Protection Laws and Regulations, which include, but are not limited to:

  • The Digital Personal Data Protection Act, 2023 of India (“DPDP Act”) and rules framed thereunder
  • EU General Data Protection Regulation ("GDPR")
  • Data Protection Act 2018 in the United Kingdom ("UK GDPR")

This policy establishes the framework for collecting, processing, storing, managing and effacing personal data responsibly in compliance with these laws.

MOLMI operates and establishes common and minimum practices to properly process the personal data.

Scope:

This policy deals with the handling of personal data of the following parties who provide any amount of information:

  1. Employees
  2. Seafarers
  3. Customers
  4. Third Party

Definitions:

    1. “Personal Data” refers to any information relating to a data subject (the person to whom personal data is attributed) that can identify any individual directly or indirectly.
    2. Sensitive Personal Data refers to personal data that is specifically protected under the relevant laws and regulations as such, and if processed improperly, may significantly harm the rights and interests of the data subject. This includes but is not limited to, racial or ethnic background, political ideology, religious or philosophical beliefs, trade union membership, genetic, biological, medical or health data, gender identity data, and criminal history and it includes items defined by the Detailed Regulations or laws and regulations in India and other countries/regions.
    3. Processing refers to the collection, acquisition, recording, storage, correction, use, disclosure or/and transfer, etc., of personal data, whether by automatic means or not, and the performance of duties or a group of duties performed on personal data or a group of personal data, including the arrangement or/and combination, suspension, deletion, or/and disposal, etc. and it includes behaviors defined by the Detailed Regulations or laws and regulations in India and other countries/regions;
    4. Digital Personal Data refers to personal data in digital form.
    5. Data Subject (also referred to as Data Principal wherever applicable) refers to a specific individual who is or can be identified by personal data and is the holder of the personal data.
    6. “Data Fiduciary” (DF) OR “Data Controller” (DC) refers to any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. The Managing Director will act as the Data Fiduciary.
    7. “Data Protection Officer” (DPO) or Personal Data Management Administrator refers to an individual appointed by the DF to give effect to the applicable data protection legislation/s. General Manager will act as the Personal Data Management Administrator or Data Protection Officer.
    8. Consent Manager (CM) refers to an individual appointed by the Company, who acts as a single point of contact to enable a DS to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform. Senior Executive - HR will be Consent Manager of the Company.
    9. Data Processor (DPRO) - refers to any person who processes personal data on behalf of a DF.
    10. Sub-Processor refers to those who, with the permission of the data controller, process personal data on behalf of the data processor.
    11. Third Party refers to any individual or organization who is not the Company or the employees in the Company. Third Party refers to Data Processors/Vendors/Service Providers.
    12. Risk Assessment - a mechanism for evaluating the impact of the processing of personal data and considering countermeasures in cases where the processing of personal data may pose a high risk to the rights and freedoms of the data subject.
    13. Legal Basis - basis on which the processing of personal data by the Company conforms to the personal data protection laws and regulations of the countries/regions it must comply with;
    14. Automated Decision Making - processing of personal data by technical means without human intervention and making decisions based on it;
    15. Joint Controllership - controllership where two or more data controllers jointly determine the purposes and means of personal data processing; and
    16. Right to Data Portability - right to receive personal data provided by the data subject in a structured, commonly used and machine-readable format and transfer the data to other data controllers.

Role and Responsibilities:

All employees of this Company are responsible for ensuring the proper handling of personal data in their day-to-day activities. They must adhere to this policy and report any data protection concerns to the DPO at the earliest opportunity.

The personal data can be processed only for the specific purpose(s), as set out in ANNEX I to this policy. If any employee, in the course of carrying out their official duties, suspects that the processing of the personal data goes beyond the purpose(s) set out in ANNEX I, or that they are processing any sensitive personal data, they must contact the DPO to obtain consent from the DS.

Third parties engaged by the Company are also responsible for adhering to this policy and for ensuring the proper handling of personal data in their activities on behalf of the Company. They must comply with applicable Data Protection Laws and Regulations and report any data protection concerns to the DPO.

The Personal Data Management General Administrator is responsible for the matters listed in the following items as the person with company-wide responsibility for personal data protection management:

  1. establishment and formulation of a privacy policy to ensure the appropriate processing of personal data;
  2. revision of this policy periodically or when there is a reason to change processing procedures, security measures, etc.;
  3. periodic investigation of the status of processing and protection of personal data, and implementation of improvement measures and education for the appropriate processing and protection of personal data;
  4. response to inquiries, complaints, and other requests related to the processing of personal data, and supervision of the implementation of damage relief;
  5. supervision of the implementation of disposal of personal data for which the purpose of processing of personal data has been fulfilled or for which the retention period of personal data has expired;
  6. other matters defined by laws and regulations of each country/region listed in the Detailed Regulations.

The Personal Data Management Administrator or Data Protection Officer is responsible for the implementation of procedures, safety measures, education and training, and dissemination, etc. for personal data protection in each division and branch as necessary. When personal data processing operations are performed, the Personal Data Management Administrator must appoint a person responsible for the relevant operations as the Supervisor. The Supervisor shall bear the same responsibility as the Personal Data Management Administrator defined in the preceding Paragraph for the said operations.

Data Collection and Processing:

Lawful Processing

The Company will only collect and process personal data when it has a lawful basis to do so, including but not limited to:

  • The consent of the DS
  • Contractual necessity
  • Legal Obligation
  • Legitimate Interests

Transparency

Data Subject will be informed of the purposes for which their data is collected and processed, including the lawful basis for processing, at the point of data collection or before, and their rights in relation to their data.

Consent

Where consent is required for processing personal data, the Company will obtain explicit and freely given consent from Data Subject. Freely given consent will be obtained through clear and easily accessible means, and records of consent will be maintained.

Withdrawal of Data Consent

Data Subject shall have the right to withdraw his or her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.

Data Security Measures

Under the supervision of the Personal Data Management General Administrator, the Personal Data Management Administrator shall take appropriate security measures at each stage of the processing of personal data, taking into comprehensive consideration the latest technology, examples of other companies regarding information security, costs required to implement the measures, the nature, scope, context and purpose of the processing, and the impact and risks on the rights and freedoms of individuals.

    • Company shall provide annual refresher training for employees and keep them updated on changes to the data protection policy, and shall conduct annual Data Processing education and training for employees.
    • Company shall ensure that necessary security measures, such as locking and storage of paper documents, installation of monitoring cameras, etc., and prevention of data leakage when carrying data via electronic media, etc., are in place.
    • Company shall ensure that, upon expiry of the retention period, personal data is deleted or archived and is not readily accessible; paper documents are shredded.

Reporting Obligations and Measures Against Violations

A person who discovers a fact or possibility of violation of this Regulation or related laws and regulations must report to that effect to the Personal Data Management Administrator of the Company.

When a breach or suspected breach of compliance is discovered by or reported to the Personal Data Management Administrator of the Company, he or she shall first report the matter to the Compliance Officer and then take quick corrective action.

The confidentiality of the person reporting or consulting about a breach or suspected breach of compliance shall be strictly protected.

Measures against violations shall be in accordance with the Compliance Regulations of India and other countries/regions, and the MOL Compliance Regulations.

Personal Data Breach Response

Personal Data Breach means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

In the event of a data breach, on behalf of the Data Fiduciary, Data Protection Officer will promptly:

    • Assess and mitigate the possible adverse effects of the breach.
    • Notify affected Data Subject in a timely manner, providing nature and extent of breach and actions they can take to protect themselves from consequences of the breach.
    • Notify relevant regulatory authorities where required by applicable law.
    • Maintain record of Personal Data Breach incidents.

Data Subject’s Rights

Data Subject has the following rights regarding their personal data:

  1. Right to Access: DS can request access to their personal data.
  2. Right to Rectification: DS can request corrections to their personal data.
  3. Right to Erasure: DS can request the deletion of their personal data.
  4. Right to Data Portability: DS can request the transfer of their personal data.
  5. Right to Object: DS can object to the processing of their personal data.
  6. Right to Restriction of Processing: DS can request the restriction of processing under certain circumstances.
  7. Right to withdraw consent: DS can withdraw consent he/she has once given.
  8. Right to file complaints with the supervisory authority: The DS can file a complaint with a supervisory authority if he or she is not satisfied with the Data Management.
  9. Right to request explanation: DS can request the Data Protection Officer to explain personal information processing rules.

To exercise these rights, DS can contact the Personal Data Management Administrator or Data Protection Officer at the contact information provided below:

Personal Data Management Administrator or Data Protection Officer - General Manager

Email address: molmi.grievances@molgroup.com

Consequences of Non-Compliance:

Violations of this policy may result in disciplinary action, as per the Digital Personal Data Protection Act, 2023 of India (“DPDP Act”).

Revision and Abolition of this Regulation

Revision and abolition of this Regulation shall be made with the approval of the Chief Compliance & Legal Officer. Revision and abolishment shall be reported to the Management Meeting. However, revision in accordance with laws and regulations, guidelines of each ministry and agency, and minor revisions shall be made with the approval of the Managing Director.

Effective Date:

This policy is effective from 1st June 2024 and shall be revised upon proposal by the Personal Data Management Administrator or Data Protection Officer with the approval of Personal Data Management General Administrator or Data Fiduciary.

Established on 01 Jun 2024. Revised on 24-Dec-2025.

ANNEX - I

For the reference of various stakeholders including DS, the following is hereby listed down.

  • The nature of data collected and processed.
  • The intended use of such data so collected.
  • Legal basis for usage of personal data including special category data.
  • Sharing of such personal data.

What personal data will we process?

Usually, we will have access to the following personal data:

Your full name, including (if applicable) your preferred name and previous surname; your gender; your work and personal e-mail addresses; your date of birth; your home address; your mobile number and your home phone number; your current and previous employment details/history; your professional membership details and training certificates (if applicable); passport / AADHAAR / PAN details; family details; medical information; and reference details.

The personal data we hold about you may have been supplied by you or on your behalf in the form of a curriculum vitae (CV) that has been delivered to us (usually by you or on your behalf (for example by a recruitment consultant or agency), by e-mail, by post, or by hand). We believe that all information that you supply to us in your CV is relevant to our recruitment process.

  • via our website; and
  • in person or over the telephone.

We may collect your personal data via other means, including but not limited to e-mails you send to us; references whose details you provide to us; online forms or surveys; background verification conducted at the time of recruitment; and exchanged business cards.

Further, we may collect data such as your family’s personal data (including that of any minor child) in order to extend various benefits to your family, such as health insurance and nominations under various acts and statutes.

How will we use your personal data?

We will hold and process your personal data and sensitive personal data (special categories data, such as personal information revealing your racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; data relating to your health; data concerning your sexual orientation; and/or criminal convictions or involvement in criminal proceedings) to carry out our recruitment and various business functions, including but not limited to the following:

  • Making a decision about your recruitment or appointment.
  • Communicating with you about the recruitment or appointment process.
  • Carrying out background and reference checks, where applicable.
  • Determining the terms on which to offer work, employment or consultancy with us.
  • Managing any disabilities or special needs you have, including administering adjustments to work and/or the recruitment process.
  • Dealing with legal disputes involving you, or other employees, workers and contractors, including employment disputes.
  • Complying with health and safety obligations.
  • Equal opportunities monitoring.
  • Taking health and other insurances as per policies of the company.
  • Arranging Company gatherings and Company conferences.
  • Travel arrangements for business/personal purposes.

What is the basis on which we use your personal data?

We will use your personal data on the following basis:

  • It is necessary for us to comply with our obligations in compliance with laws governing Data Privacy.
  • It is necessary for our legitimate interests, except where your interests and rights override those.
  • It is necessary to protect your interests or those of someone else; and/or
  • It is necessary to process your personal data to decide whether to enter into a contract with you for employment, work or services.

If you fail to provide information when requested that is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require references for a role and you fail to provide us with relevant details, we will not be able to take your application further.

When will we be sharing your data with third parties?

We have contracts with third-party service providers and suppliers to deliver certain services. Other than as set out in this Privacy Notice, we will not share your personal data with any third parties.

We may contact the following parties in connection with our recruitment processes and, in order to obtain the information required from those parties, share your personal information:

  • regulators, government departments, law enforcement authorities, tax authorities and insurance companies.
  • any relevant dispute resolution body or the courts.
  • persons in connection with any sale, merger, acquisition, disposal, re-organisation or similar change in our business.
  • any recruitment consultant or agency with which you are engaged.
  • any training, education or certification body from which we require verification of your attendance at, or certification from, such body (e.g., university); and
  • the referees whose details you have provided to us for the purpose of obtaining a reference for your application.
  • payment processors for processing financial transactions relating to your dues.
  • Information and Communication Technology service providers for hosting and maintenance of systems and databases for your official accounts.