Purpose and Scope
Danaos Shipping Co. Ltd. ("Danaos" or "the Company") is committed to protecting the personal data of its employees, customers and stakeholders. This policy outlines the measures taken to comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws, including but not limited to Greek Law 4624/2019.
This policy applies to all employees, contractors and third parties who handle personal data on behalf of the Company. It covers all personal data collected, processed, stored and shared in any form, whether electronic or manual, across all global operations.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person (e.g., name, date of birth, gender, location data, email address, identification number).
- Processing: Any operation performed on personal data (e.g., collection, storage, use, dissemination, or deletion).
- Data Subject: An individual whose personal data is processed.
- Data Controller: The person or entity that determines the purposes and means of processing personal data. For the purposes of this Policy, Danaos Shipping Co. Ltd. is the Data Controller for the personal data it processes.
- Data Processor: The person or entity that processes personal data on behalf of the Data Controller.
2. Data Protection Principles
Danaos adheres to the following principles:
1. Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly and transparently.
2. Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes.
3. Data Minimization: Personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
4. Accuracy: Personal data is accurate and kept, where necessary, up to date.
5. Storage Limitation: Personal data is retained in a form which permits identification of Data Subjects only for as long as is necessary for the purposes for which it is processed.
6. Integrity and Confidentiality: Personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
7. Accountability: The Company is responsible for complying with these principles and must be able to demonstrate compliance.
3. Lawful Basis for Processing
Danaos processes Personal Data based on one or more of the following lawful grounds:
- Consent by the Data Subject: When explicit consent to the processing of his or her Personal Data for one or more specific purposes has been obtained.
- Performance of a Contract: Necessary for the performance of a contract to which the Data Subject is a party.
- Legal Obligation: Compliance with a legal obligation to which the Company, as Data Controller, is subject.
- Protection of Vital Interests: To protect the vital interests of the data subject or another person.
- Legitimate Interests: Necessary for the purposes of legitimate interests pursued by the Company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Personal Data Collected and Purposes of Processing
The Company collects and processes the following categories of Personal Data, as necessary for its operations and in compliance with applicable laws:
1. Identification Data: Includes full name, father's name, mother's name, photo, identity number, passport number, etc.
- Purpose: Used for employment verification, crew management, compliance with maritime regulations and security protocols.
2. Communication Data: Includes postal address, phone numbers, email address, etc.
- Purpose: Used for operational communications, emergency contacts, customer relations, and logistical coordination.
3. Demographic Data: Includes nationality, citizenship, date of birth, place of birth, country of birth, etc.
- Purpose: Used for compliance with legal obligations, travel arrangements, and diversity reporting.
4. Health Data: Includes medical opinions, medical certificates, etc.
- Purpose: Collected to ensure fitness for duty, comply with health and safety regulations, and for insurance purposes.
- Note: Health data is a special category of personal data and is processed with additional safeguards.
5. Curriculum Vitae (CV): Includes employment history, educational qualifications, skills, certifications, and other information typically included in a CV.
- Purpose: Used for recruitment, assessing qualifications, and career development planning.
These data categories are processed only for specified, legitimate purposes and in compliance with applicable laws, ensuring data minimization and protection.
4. Recipients of Personal Data
Danaos ensures that personal data is shared only with authorized recipients and strictly for legitimate purposes, in compliance with GDPR and other applicable laws, while respecting privacy and confidentiality. The categories of recipients include:
1. Public Authorities: For fulfilling statutory or regulatory obligations, such as tax reporting, social security, maritime regulatory authorities, or other mandatory disclosures.
2. Legal Authorities: In response to lawful requests, court orders or other legal processes to ensure compliance with applicable laws.
3. External & Internal Auditors: For conducting audits and assessments to ensure compliance with legal, financial and operational requirements.
4. Service Providers: Third-party vendors handling data on behalf of the Company, including but not limited to:
- IT Services: Providers of information technology solutions and support.
- Payroll Processors: Companies managing payroll and related services.
- Medical Service Providers: Health professionals conducting medical examinations and providing healthcare services.
- Travel Agencies: Facilitating travel arrangements for personnel.
- Port Agents: Assisting with vessel operations, crew changes, and logistics at ports.
- Other Vendors: Any other third parties providing services essential to Company operations.
All service providers are required to sign Data Processing Agreements and comply with GDPR and other applicable data protection laws.
5. Business Partners: Entities involved in joint ventures or collaborations, where necessary for business operations.
Danaos does not share personal data with other third parties unless:
- Explicit consent has been obtained from the data subject.
- A lawful basis applies and confidentiality agreements are in place to protect the shared data.
All recipients are required to handle personal data securely and in compliance with applicable data protection laws.
5. Rights of Data Subjects
Data subjects have the following rights:
- Right to be Informed: About how their Personal Data is collected, processed and used.
- Right to Access: Obtain confirmation of whether their data is being processed and access the data.
- Right to Rectification: Correct inaccurate or incomplete data.
- Right to Erasure (Right to be Forgotten): Request deletion of their Personal Data.
- Right to Restrict Processing: Limit the processing of their Personal Data.
- Right to Data Portability: Receive their personal data in a structured, commonly used format.
- Right to Object: Object to data processing, especially for direct marketing purposes.
- Rights Related to Automated Decision-Making and Profiling: The right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
Exercising Your Rights
Data subjects wishing to exercise any of these rights may contact the Company using the contact details provided in Section 10. The Company will respond to such requests within one month, as required by GDPR, or within the timeframe specified by other applicable laws. Identity verification may be required to process the request.
6. Data Retention
Personal data will only be retained for as long as necessary to fulfill the purposes for which it was collected or as required by applicable laws and regulations. Specific retention periods are defined in the Company's Data Retention Policy (please refer to this policy for detailed information).
7. Data Security
The Company implements technical and organizational measures to ensure data security, including:
- Data Minimization and Pseudonymization: Collecting only necessary data and applying pseudonymization, where appropriate.
- Encryption: Using encryption for data at rest and in transit.
- Access Controls: Implementing role-based access to limit personal data access to authorized personnel only.
- Regular Security Assessments: Conducting periodic security assessments and audits.
- Incident Response Plan: Establishing procedures for detecting, reporting, and responding to data breaches.
For more detailed information, please refer to our Data Protection Policy.
8. Employee Training and Awareness
All Danaos employees are required to undergo training on data protection and compliance with GDPR and other applicable laws upon onboarding and periodically thereafter to ensure adherence to this policy. Training includes updates on changes in data protection laws and internal policies.
9. Monitoring and Review
This policy will be reviewed annually or as necessary to reflect changes in data protection laws or organizational practices. The Legal Department of the Company is responsible for monitoring compliance and conducting regular audits.
10. Controller - Contact Details
- Address: 14 Akti Kondyli, Piraeus 18545, Greece
- Phone: +302104196449
- Email: legal@danaos.com
Data Subjects may contact the above responsible department of the Company for any inquiries or requests related to personal data processing.
This Danaos Data Privacy Policy has been effective since November 2023.
Note: This policy may be supplemented by additional policies or procedures, such as the Data Retention Policy, Data Protection Policy and Incident Response Plan, which provide further details on specific aspects of data protection and processing.
