Data Protection Policy
The Wilhelmsen Binding Corporate Rules
A key element of the Wilhelmsen group’s policy framework is the adoption of Binding Corporate Rules ("BCRs").
The purpose of the BCRs is to provide:
- appropriate safeguards and an adequate level of protection for the transfers and processing of personal data within the Wilhelmsen group; and
- enforceable data subject rights and effective legal remedies for data subjects affected by the processing of personal data within the Wilhelmsen group.
By providing the above, the BCRs ensure that transfers of personal data across borders and processing activities within the group comply with the GDPR. The BCRs are made legally binding on the members of the Wilhelmsen group through the execution of an intra-group agreement.
The Wilhelmsen group has also adopted the BCRs as its core GDPR policy document, setting out the rules for processing personal data, how personal data may be transferred within the group and how the group complies with the GDPR.
The Wilhelmsen group’s BCRs have been approved by the Norwegian data protection supervisory authority.
The Wilhelmsen group’s BCRs are available here: Wilhelmsen Binding Corporate Rules.
Privacy Principles across the Wilhelmsen group
The core elements of the Wilhelmsen personal data protection policy framework are as follows:
Any handling (processing) of personal data within the group shall be governed by the main principles of GDPR which state that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’).
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that if personal data is inaccurate, having regard to the purposes for which it is processed, it is erased or rectified without delay (‘accuracy’).
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (‘storage limitation’).
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
- and the group shall be responsible for, and be able to demonstrate compliance with, the BCRs (‘accountability’).
Legal basis for processing
To process personal data lawfully, it is necessary to demonstrate a valid legal basis:
- Regular personal data: Processing is only allowed if one of the six legal bases applies (consent, contract, legal obligation, vital interests, public task, or legitimate interests).
- Special categories (sensitive data): Stricter rules apply. In addition to a regular legal basis, there must also be a specific exception (e.g. explicit consent, healthcare purposes, legal obligation, or legal claims). These data categories involve high risk and require extra safeguards.
- Criminal convictions and offences (Article 10 data): Such data can only be processed if explicitly authorised by EU or national law, with strong safeguards. Consent or “legitimate interests” are not sufficient.
Risk assessments/Data Protection Impact Assessments
The group shall regularly assess the exposure to potential risks inherent to the processing and will implement measures to mitigate those risks. Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the group shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (Data Protection Impact Assessment/DPIA).
Security of processing
The group shall process personal data in a manner which ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The measures in place shall always ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. Special categories of personal data are processed with enhanced security measures.
Data protection by design and by default
The principle of data protection by design shall be observed in all processing activities. This means that appropriate technical and organizational measures must be implemented at the earliest stages of developing and operating systems, services, and business processes to ensure compliance with data protection requirements. By default, only personal data that is necessary for the specific purpose may be processed, and safeguards such as data minimization, access restrictions, and security controls must be integrated into the design.
Transparency and information rights
Data subjects must be informed about who the controller is, why their data is being processed, the legal basis for that processing, what types of data are collected, how long the data will be stored, whether it will be shared with others, and how they can exercise their rights.
Data subjects have the right to access their data, to have inaccuracies corrected, to request erasure in certain cases, to restrict or object to processing, to receive their data in a portable format, and not to be subject to automated decisions that have legal or significant effects.
A data subject who is of the opinion that a Wilhelmsen group BCR member has infringed the BCRs may lodge a complaint with the group’s Data Protection Officer.
General obligations related to Personal Data Breaches
A ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
All employees/personnel shall report, as soon as possible, in accordance with the group’s procedures if they become aware that personal data is or has been processed contrary to the BCRs or if there is otherwise a basis for suspicion of or an actual breach of security related to personal data. The group prohibits retaliation against anyone for making a good-faith report. All reports of suspected violations are taken seriously and shall be followed up, as appropriate. Reports may be made anonymously.
Engaging Data Processors
Processing of personal data by a “Data Processor” on behalf of a “Controller” shall be governed by a data processing agreement that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. This applies regardless of whether the processor is within the group or an external processor.
The group shall ensure that the rules in the GDPR on international transfers are complied with when personal data is transferred to external processors (outside of the group) located outside of the EU/EEA in a country that is not recognised by the EU Commission as ensuring an adequate level of protection.
Supervision of compliance
The group has appointed a Data Protection Officer with the responsibility to assist the group to be compliant with the BCRs and the GDPR, and to monitor the group's compliance with the BCRs and the GDPR.
Your rights
You have the right to request access to the personal data relating to you that is being processed, and to request deletion or correction of inaccurate or incomplete personal data in accordance with applicable law.
You have the right to lodge a complaint with your national data protection supervisory authority, or the Norwegian Data Inspectorate. The contact information for the Norwegian Data Inspectorate is as follows:
Address: Datatilsynet, Postboks 8177 Dep., 0152 Oslo
Email: postkasse@datatilsynet.no
Tel: +47 22 39 69 00
Brazilian General Data Protection Law
For cases related to the Brazilian General Data Protection Law, please contact the local Data Protection Officer (Encarregado de Dados) by e-mail: Vinicius.Fernandes@wilhelmsen.com
Questions?
If you have any questions about Wilhelmsen group’s processing of personal data or if you want to make use of your rights as described above, please contact our Data protection officer: data.privacy@wilhelmsen.com
Effective date: 12 January 2026.