Privacy policy

1.   Data Controller Information

1.1.   STS Marine Solutions Ltd (“STS Marine Solutions”, “we”, “us” or “our”) is a company incorporated in England and Wales, with its registered office at 1 The Cloisters, Sunderland, SR2 7BD, United Kingdom.

1.2.   For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, we act as Data Controller in relation to personal data processed via our website. During the offering of our services, our role as Controller, Joint Controller, or Processor depends on the nature of the processing and contractual terms with the relevant counterparty.

1.3.   Contact: dataprivacy@stsms.com 

2.   Categories of Personal Data Processed

2.1.   We process various categories of personal data in accordance with the UK GDPR and the Data Protection Act 2018. Such data includes personal data you provide to us directly, whereby this comprises your full name, contact details including email address and telephone number, company affiliation and job title, as well as the content of any enquiries or communications you submit. This category also extends to recruitment-related information, including curriculum vitae, cover letters, and professional references, together with your preferences relating to subscriptions to newsletters and other marketing communications.

2.2.   Notwithstanding the foregoing, we also collect certain technical and usage data automatically when you access our website. This data may comprise Internet Protocol (IP) addresses, unique device identifiers, browser type and version, operating system and platform information, as well as website usage metrics such as access times and page views. Additionally, data may be obtained via cookies and similar tracking technologies, as further detailed in the Cookies Notice.

3.   Purpose and Lawful Basis for Processing Your Personal Data

3.1.   We process your personal data for a number of distinct purposes, each supported by a lawful basis under the UK GDPR, thereby ensuring compliance and transparency in our operations. Foremost, in relation to service delivery and customer communications, your data is processed to respond to enquiries, provide quotations, and deliver the maritime services you have requested. This processing is justified primarily by the necessity to perform a contract to which you are a party, pursuant to Article 6(1)(b), or alternatively by our legitimate interests under Article 6(1)(f), which include fulfilling service obligations and maintaining ongoing business relationships.

3.2.   We use your personal data to send marketing communications, including newsletters, service updates, and promotional materials. This processing is carried out based on your explicit consent pursuant to Article 6(1)(a) of the UK GDPR. In certain circumstances where consent is not required or has been obtained for a related service, we may rely on our legitimate interests under Article 6(1)(f) to promote our services to existing clients with whom we have an established business relationship. We endeavour to ensure that such communications are consistent with reasonable expectations and respect your rights. You may choose to opt out of marketing communications or withdraw consent at any time, and we will take appropriate steps to accommodate such requests in accordance with applicable regulations.

3.3.   With respect to recruitment and employment processes, your personal data is handled for the purpose of managing job applications, conducting interviews, and making employment decisions. This processing is again based on the necessity to perform a contract under Article 6(1)(b), or where appropriate, on our legitimate interests pursuant to Article 6(1)(f), facilitating effective human resources management.

3.4.   Moreover, to ensure the secure and reliable operation of our website, we process data related to website functionality, security monitoring, and fraud prevention. This activity is justified exclusively by our legitimate interests under Article 6(1)(f), aiming to maintain the integrity of our digital platform and to prevent unauthorized access or misuse.

3.5.   Furthermore, in order to comply with legal and regulatory obligations, we process your personal data under the legal obligation basis set forth in Article 6(1)(c). Such processing is mandatory to ensure adherence to applicable laws and regulations.

3.6.   Finally, your data may be processed for analytical purposes and service improvements, including website performance analysis and enhancement of user experience. This processing is conducted on the basis of our legitimate interests under Article 6(1)(f), whereby we seek to continually refine our services and operational effectiveness.

3.7.   In all circumstances, we undertake to process your personal data lawfully, fairly, and transparently, balancing our legitimate interests with your rights and freedoms, thereby safeguarding your privacy and maintaining trust.

4.   Maritime Services Data Processing

4.1.  We may process vessel-related personal data, including crew, passengers, and voyage details, where necessary for contractual performance and compliance with applicable international maritime law. Personal data may be disclosed to port authorities, customs, coast guard, and other maritime entities as legally required or contractually appropriate, subject to data protection principles. In maritime emergencies, processing may occur to protect vital interests and facilitate a timely response, notwithstanding usual restrictions. We periodically review maritime regulatory developments to ensure lawful and proportionate data processing.

5.   Data Sharing and Recipients

5.1.   We may disclose your personal data to certain categories of recipients in accordance with applicable lawful bases and operational requirements. In particular, personal data may be transferred between affiliated entities for purposes including administrative functions, technical support, and business development activities. Such processing is undertaken on the basis of legitimate interests, subject to a careful balancing test against your fundamental rights and freedoms, thereby ensuring that the processing remains fair and proportionate.

5.2.   Secondly, we engage a variety of third-party service providers and data processors to facilitate the provision and enhancement of our services. These include entities providing website hosting and technical infrastructure, email marketing platforms, professional services such as legal, accounting, and consultancy support, as well as IT support and maintenance services. Notwithstanding the involvement of these third parties, all processors are bound by contractual obligations requiring strict adherence to the requirements of the UK GDPR, in particular pursuant to Article 28 thereof, thereby ensuring adequate safeguards for the protection of your personal data.

5.3.   Finally, we may disclose personal data to legal and regulatory authorities where such disclosure is mandated by law, required in the context of legal proceedings, or otherwise necessary to protect our legitimate interests. Such disclosures may also be effectuated to safeguard the safety of individuals or to prevent fraudulent or unlawful activities. In all such cases, we ensure that any disclosure complies with applicable legal standards and is strictly limited to the extent necessary for the intended purpose.

6.   International Data Transfer

6.1.   Insofar as personal data is transferred internationally to service providers located outside the United Kingdom, we ensure that such transfers are subject to appropriate safeguards whereby an adequate level of protection is maintained in accordance with UK data protection laws. Transfers are primarily made to jurisdictions benefiting from UK adequacy decisions, thereby obviating the need for further protective measures. Where such adequacy is absent, transfers are governed by legally recognized mechanisms, including Standard Contractual Clauses or equivalent instruments, to secure the protection of the data in transit.

6.2.   Notwithstanding these safeguards, we may, where necessary, undertake Transfer Risk Assessments on a case-by-case basis to identify and mitigate any residual risks associated with the transfer, thereby ensuring that the protection of personal data remains robust and compliant with applicable data protection principles and legal obligations.

7.   Data Retention

7.1.   Personal data shall be retained for the period necessary to fulfil the purposes for which it was collected, in accordance with applicable statutory and regulatory retention obligations. In respect of general business communications, retention shall align with the limitation periods prescribed under the relevant commercial and contract laws, thereby ensuring proper record-keeping while respecting data minimization principles.

7.2.   Marketing data shall be retained only insofar as consent remains valid or where continued retention is justified by legitimate interests consistent with data protection laws. Once consent is withdrawn or inactivity indicates cessation of interest, such data shall be securely deleted.

7.3.   Data relating to website analytics shall be retained for a period consistent with industry best practices and guidance issued by supervisory authorities, thereby facilitating necessary analysis without unduly prolonging storage.

7.4.   With respect to recruitment, personal data of unsuccessful candidates shall be retained only as long as required under employment and anti-discrimination laws, after which such data shall be securely erased. Employment records of successful candidates shall be retained in accordance with mandatory legal obligations.

7.5.   Contract-related personal data shall be retained for a period sufficient to comply with statutory limitation periods and regulatory requirements applicable to contract enforcement and dispute resolution. Moreover, any personal data required for compliance with applicable laws and regulations shall be retained as necessary in accordance therewith.

7.6.   Notwithstanding the foregoing, all personal data shall be securely deleted or anonymized upon the expiry of the relevant retention period, unless a longer retention is compelled by overriding legal or regulatory obligations.

8.   Data Security

8.1.  We employ appropriate technical and organisational measures to safeguard personal data against unauthorised access, disclosure, alteration, or destruction. Such measures include encryption, access controls, regular security reviews, staff training, and incident response protocols. Notwithstanding these safeguards, no system can provide absolute security; however, we remain committed to maintaining a security framework proportionate to the risks and compliant with UK GDPR requirements.

9.   Use of Artificial Intelligence

9.1.  We may use artificial intelligence (AI) systems to enhance our operations, including improving safety, efficiency, and customer service. We do not use AI to make decisions that have legal or similarly significant effects on you without human involvement. Should this practice change, we will inform you and ensure appropriate safeguards are in place to protect your rights in accordance with data protection laws.

10.  Your Rights under UK GDPR

10.1.  Under the UK GDPR, you are granted various rights in respect of your personal data, whereby these rights serve to ensure transparency and provide control over its processing. You are entitled to obtain access to your personal data and receive detailed information regarding its processing. You may also request the rectification of any inaccurate or incomplete data held by us. In certain circumstances, you may require the erasure of your personal data, thereby limiting further retention or use, subject to lawful retention obligations.

10.2.  You have the right to restrict processing of your data, for instance, where its accuracy is contested or the processing is unlawful but you oppose erasure. Additionally, you may receive your personal data in a structured, commonly used, and machine-readable format, facilitating its transmission to another data controller, provided that such data has been processed by automated means and was supplied by you. Furthermore, you may object to the processing of your data where such processing is based on legitimate interests or for direct marketing purposes, thereby requiring cessation of such processing.

10.3.  We confirm that no automated decision-making processes producing legal or similarly significant effects are presently employed. Where processing is based on your consent, you may withdraw it at any time, thereby halting further processing reliant solely on that consent.

10.4.  Notwithstanding these rights, their exercise may be subject to restrictions where necessary to comply with other legal obligations, to protect public interests (including national security and crime prevention), or to safeguard the rights and freedoms of others, such as freedom of expression. Requests to exercise these rights must be submitted in writing to the contact details provided. Prior to fulfilling any request, we will verify your identity to prevent unauthorized disclosures. We may refuse or limit requests that are manifestly unfounded, excessive, or otherwise restricted by law, and, where appropriate, a reasonable fee may be charged. We undertake to respond to valid requests within thirty (30) days, which period may be extended by up to sixty (60) days in cases of complexity or numerous requests, in accordance with the UK GDPR.

11.  Cookies

11.1.  For detailed information regarding the use of cookies on our website, including the types of cookies employed, their purposes, and how you may manage or withdraw your consent, please refer to our Cookies Notice. This document provides guidance on how cookies are handled in accordance with applicable data protection laws.

12.  Children’s Data Protection

12.1.  Our services are not directed at children. Where we process personal data of children in connection with our services, we implement appropriate safeguards to protect their privacy and comply with the UK GDPR and the Age-Appropriate Design Code. In particular, for children under the age of 13 in the UK, we require verifiable parental consent prior to any consent-based processing.

13.  Data Breach Notification and Complaints

13.1.  In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay as required by the UK GDPR. We kindly ask that you first contact us at the provided contact details to address any concerns regarding our processing of your personal data. Nevertheless, you retain the right to lodge a complaint with the Information Commissioner’s Office (ICO) at any time.

14.  Change to this Policy

14.1.  We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be communicated through our website or direct contact where appropriate.