Ocean Infinity 2024
Ocean Infinity

Vessel Monitoring Privacy Notice

This privacy notice explains our processing of CCTV, audio, and other personal data recording that takes places on our vessels 

This privacy notice was last updated on 28 June 2023. 

1. Information about us and this notice 

  1. We are Ocean Infinity Group Limited (‘Ocean Infinity’, or ‘we’, ‘our’, or ‘us’). Our primary place of business and the location of our UK establishment is at 17 Grosvenor Street, London W1K 4QG.
  2. If you want to speak to someone about this privacy notice, your rights, your personal data, or something else related to privacy or data protection, you can email [email protected] or contact us at our above address. 
  3. We are a data controller because we decide how we obtain, keep, and use your personal data. We comply with the obligations placed upon data controllers by the UK GDPR and the Data Protection Act 2018, and other applicable data protection regimes.  
  4. This privacy notice is not a contract. We will comply with it, and we will notify you of changes, which we may make of any time, by posting updates on our vessels and intranet. 

2. Introduction 

  1. This privacy notice explains our processing of CCTV, audio, and other personal data recording that takes places on our vessels (‘Vessel Personal Data’). 
  2. Ocean Infinity is developing a comprehensive technological maritime environment that will facilitate a transition from conventional maritime operations to the lean-crewed, remote-crewed, and eventually autonomous operation of its vessels. Remote video and audio recording is essential for the operation, maintenance, and further development of its fleet. 
  3. The benefits of developing our capacity for remote operations are described in Section ‎5 below. 

3. Vessel monitoring personal data: what, how, and where 

    1. This privacy notice applies only: 
      1. if you are onboard a vessel that we own and operate; and 
      2. to Vessel Personal Data. 
    2. We record, store, transmit and review the following types of personal data:  
      1. video footage and audio captured by the CCTV cameras installed on our vessels; and 
      2. digital and analogue audio transmitted from our vessels to Ocean Infinity staff working in our remote control centres. 
    3. CCTV cameras are installed all over our vessels, and their placement will change over time as the utility of their recording and vantage point is evaluated. Cameras are not installed in the following places: 
      1. crew cabins; 
      2. hospital rooms; 
      3. mess rooms; 
      4. bathrooms and toilets; and 
      5. television or recreation rooms. 
    4. Some cameras transmit footage and audio directly to our remote control centres, where it can be viewed live. Transmitted data is stored on local servers accessible only within the remote control centre. Most data is stored only on the vessel’s servers and, if not retrieved within 30 days for incident investigation, review, or development purposes, is overwritten.  
    5. Data transmitted to our remote control centres is accessible by: 
      1. vessel operators; 
      2. third party workers who would otherwise be performing their work onboard (such as client representatives); and 
      3. our IT technicians and other engineers providing IT troubleshooting and support, and other maintenance. 
    6. If you want to know whether footage containing your likeness or audio containing your voice has been transmitted to our remote control centre, submit a subject access request to [email protected]. 

    4. Purposes of data processing 

      1. There are two overarching purposes that underpin our processing of Vessel Personal Data: to help us operate our vessels remotely; and to help us develop the technology to operate them more efficiently, safely, and consistently in the future. 
      2. We may process your personal data for any of the following specific purposes: 
        1. to perform central vessel functions (including navigation, maintenance and marine mammal observation) from our remote control centres; 
        2. to provide vessel support (including fire, workplace safety, and security monitoring) from our remote control centres; 
        3. to facilitate the investigation of safety and disciplinary incidents that occur on our vessels; 
        4. to supply evidence of suspected criminal conduct to competent enforcement authorities; and 
        5. to support the ongoing development of our technological capacity to operate our vessels remotely. 

      5. Lawful basis for data processing: legitimate interests 

      1. We process Vessel Personal Data on the basis of our legitimate interests in operating our vessels remotely, doing so safely, and further developing their safety and reliability. 
        Explaining our legitimate interests: the future 
      2. We anticipate that we will achieve the following beneficial outcomes from remote vessel operations: 
        • a reduction in vessel size (by comparison to vessels capable of performing similar operations) and a consequent reduction in greenhouse gas emissions and waste production; 
        • a reduction in the likelihood of physical harm for seafarers and other offshore workers whose work can be performed onshore; 
        • an increase in the accessibility of maritime work for workers with physical or other disabilities or significant personal onshore commitments that prevent them from undertaking offshore work; and 
        • the standardisation of remote vessel operations for use across the maritime industry in pursuit of the benefits listed above. 
      3. We have legitimate interests in achieving these objectives, and must be able to demonstrate the safety, efficacy, and efficiency of remote vessel operations to maritime regulatory authorities who are asked to permit it. This requires both that we develop our environment to continually improve its safety and reliability; and evaluate the footage and audio we have recorded to demonstrate the workability of our operations model. 

        Explaining our legitimate interests: safety in daily operations.
      4. We have legitimate interests in maintaining the safety and security of our vessels and personnel, including by detecting and taking action to prevent safety incidents, misconduct, and the commission of criminal offences which may otherwise go undetected on vessels with small crews. Subject to Section ‎5.5, this is the lawful basis we will rely on when processing Vessel Personal Data for the purposes of investigating safety and disciplinary incidents and allegations of criminal offences. 
      5. Note: If we or our personnel are subject to a court order or other statutory obligation to share Vessel Personal Data with a third party (such as a court or law enforcement authorities), we will do so on the basis of that legal obligation, if this is the more appropriate lawful basis to rely on in the circumstances. 

      6. When we process criminal offence data 

      1. We may collect Vessel Personal Data that appears to capture the commission of a criminal offence (‘Criminal Offence Data’). We may process Criminal Offence Data in the following ways: 
        1. by disclosure to law enforcement authorities in reliance on paragraph 10 of Schedule 1 to the Data Protection Act 2018; 
        2. in the conduct of an internal review if a law, regulation, or industry standard requires us to determine whether you have committed an offence or engaged in other serious misconduct, in reliance on paragraph 12 of Schedule 1 to the Data Protection Act 2018; and 
        3. in the conduct of an internal review and subsequent disciplinary proceedings, in reliance on paragraph 1 of Schedule 1 to the Data Protection Act 2018 and in accordance with our data protection policy. 
      2. We may not be required to seek your consent to this processing, and may be exempted from other obligations under the GDPR. 
      3. If Vessel Personal Data appears to capture evidence of misconduct that does not amount to a criminal offence, we will process it on the basis of our legitimate interests in the safe remote operation of our vessels for the purposes listed in Section ‎4

      7. How long we will keep your data 

          1. We will retain Vessel Personal Data for different periods of time, depending on which of the purposes described in Section ‎4 applies and whether the Vessel Personal Data is Criminal  Offence Data. 
          2. If Vessel Personal Data is not transmitted to our remote control centres from the vessel’s servers, it will be deleted 30 days after it is recorded. 
          3. If Vessel Personal Data is transmitted to our remote control centres, it will be deleted 30 days after it is received by onshore servers in the remote control centre. 
          4. If Vessel Personal Data is retrieved to form part of an internal disciplinary or safety investigation, it will be retained until the later of: 
            1. the conclusion of the investigation, if no adverse disciplinary findings are made; or 
            2. the statutory limitation period for the bringing of unfair dismissal claims, if disciplinary action is taken. 
          5. If Criminal Offence Data is retrieved and transmitted to law enforcement authorities, it will be retained by Ocean Infinity in accordance with Section ‎7.4. Law enforcement authorities are data controllers and will retain Criminal Offence Data according to their own data retention rules. 

          8. Third party transmittal and disclosure 

          1. Exception in accordance with Sections ‎6.1.1 and ‎10, we will not transmit Vessel Personal Data to third parties. 

          9. Exemptions 

          In some circumstances, data protection law provides exemptions from compliance with some rights and obligations. For example, if your personal data is relevant to legal proceedings we anticipate or are party to, we may disclose it to our lawyers even if we collected it from you for a different purpose. There are other exemptions that we may rely on. 

          10. International transfers and transfers to our affiliates 

          1. Ocean Infinity is headquartered in the UK, but we may transfer Vessel Personal Data directly from our vessels to a remote control centre in another country. If Ocean Infinity is the legal entity that controls the remote control centre in the other country, no international transfer of data has occurred. 
          2. We will only transfer Vessel Personal Data to a remote control centre in another country operated by another legal entity that is part of Ocean Infinity’s corporate group. We will only do this if: 
            1. the other country is deemed to afford you adequate protection by a decision made in accordance with Article 45 of the GDPR; or 
            2. we can ensure that processing of your personal data is subject to appropriate safeguards, including standard contractual clauses that have been approved by data protection authorities in countries that are subject to the GDPR. 
          3. If you want to see the appropriate safeguards we have implemented to protect your personal data, you can email [email protected]

          11. Your rights  

          1. The GDPR affords you a range of rights that you can read about on the Information Commissioner’s Office (ICO) website
          2. ICO is the supervisory authority in the UK that you can complain to about a breach of data protection law or your rights under the GDPR. You can contact the ICO: 
          3. You have a right of access to personal data that we hold about you, and if you ask us, we must tell you whether we hold your personal data, and we do, we must provide it to you along with details about what we do with it, who we share it with (if anyone), and how long we are going to keep it for. 
          4. We must answer you within one month of your request. 
          5. You can tell us to rectify inaccurate personal data or complete incomplete personal data we hold about you. 
          6. You can ask us to erase the personal data we hold about you. We do not have to do this in all circumstances, and we will tell you if we are not going to comply with your request. If we have processed your personal data on the basis of your consent, you may withdraw it freely and at any time, and in such circumstances, we must erase your personal data. 
          7. If we are processing your personal data and: 
            1. you think your data is recorded inaccurately; 
            2. we are doing so unlawfully but you do not want us to erase that data; 
            3. we no longer need it, but you need it for legal proceedings; or 
            4. you have objected to that processing and you believe that our legitimate interests do not outweigh your own interests, rights, and freedoms, 

              you can tell us to restrict our processing, and we will not process your personal data except with your consent unless the GDPR permits us to continue doing so, in which case we will tell you why. We will resolve your claim and we may, once we have told you about that resolution, start processing your personal data again. 
          8. If we are processing your personal data on the basis of our legitimate interests, you can object to that processing. If we can demonstrate to you: 
            • the compelling legitimate grounds that we have for processing your data and which outweigh your interests, rights, and freedoms; or 
            • that we need your personal data to prosecute or defend legal proceedings,

              we may refuse to comply with your objection. If we cannot demonstrate either of these grounds for processing, we must stop processing your data. 
          9. If your request is manifestly unfounded or excessive, we may charge you a reasonable fee to deal with your request, or refuse to do what you have requested. We will tell you if we believe these options are open to us.