INFORMATION ON THE PROCESSING OF PASSENGERS’ PERSONAL DATA

  1. Data controller and scope of data processing

Grimaldi Group S.p.A., in its capacity as data controller (“Grimaldi Group“), informs you, pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR“) and the legislation applicable from time to time on the protection of personal data, that your personal data, identification (i.e. name, surname, nationality, gender, e-mail, telephone number and, if you request the issuance of an invoice, also address, tax code and VAT number) and possibly belonging to special categories (i.e. data relating to health), provided by you to Grimaldi Group S.p.A. at the time of signing the contract of carriage by sea, will be processed in compliance with the above mentioned legislation and confidentiality obligations. All data of natural persons identified as passengers (i.e. persons who use the travel ticket) will be processed. The booking holder undertakes to inform all passengers on whose behalf the booking is made of the content of this notice. Personal data relating to a third party that you may have indicated and identified as an emergency contact may also be processed.

Data processing operations concern the following:

  • personal data and contact details of passengers;
  • contact details of third parties identified as emergency contacts, if requested by the passenger
  • data concerning membership of professional categories – i.e. membership of professional associations, police forces – or membership of loyalty or association programs signed with third party companies – e.g. Trenitalia, Payback, Telepass, Poste Italiane, ACI etc. (to obtain discounts on services offered by the company).

We also remind You that the processing may concern the following data belonging to special categories pursuant to art. 9 of the GDPR, if spontaneously provided by passengers in order to take advantage of special assistance on board or if otherwise processed by on-board personnel in the event of emergencies and/or accidents to the passenger’s person during navigation:

  • information about a limitation of one’s mobility;
  • Information about disabilities;
  • information about particular health conditions;
  • information about any special needs of the passenger in relation to any treatment that may be necessary in case of emergency, due to the state of health of the passenger.

Grimaldi Group does not guarantee or provide information about the processing of your personal data that may be carried out through additional contact channels with Grimaldi Group managed by third parties (eg. Facebook), which remain the sole responsibility and ownership of such third parties.

  1. Purposes of data processing

Dati not belonging to particular categories will be processed for the following purposes:

  1. management of requests for quotes;
  2. conclusion, management and execution of operations connected with the contract of carriage, including Your identification;
  3. communications (also by telephone, also through re-contact by the Grimaldi Group call center in case of missed calls by the passenger) of logistical information on the trip and/or generally useful to the passenger to face the departure (e.g. delays, departure pier, organization on board, etc.);
  4. on-board communications;
  5. provision of purchased products and services aboard ship;
  6. extraction of statistical information anonymously;
  7. transmission of your data to maritime agencies, terminals and port authorities, judicial authorities and law enforcement agencies;
  8. contact of third parties indicated as “emergency contacts”, pursuant to Directive (EU) 2017/2109;
  9. sending communications by e-mail, for promotional and marketing purposes, if you have given Your consent for this purpose (“generic marketing”);
  10. sending communications via email, for promotional, marketing and/or brand reputation protection purposes, as a result of profiling, if you have given your consent for this purpose (“profiled marketing”);
  11. sending of questionnaires anonymously for the purpose of improving the services offered by the Grimaldi Group, as well as sending information relating to: (a) the operational organization of the Grimaldi Group (even if not related to the trip purchased by the interested party); (b) products/services similar to those chosen by the passenger (including, by way of example and not limited to: offers for trips similar to those purchased; offers for travel insurance; etc.. ); as well as (c) offers, discounts, rewards and / or promotions of third party partners of the Grimaldi Group, which Grimaldi Group has an interest in offering to its passengers in the context of gifts and / or promotional initiatives reserved for passengers (including, by way of example and not limited to, in the case of co-marketing initiatives, which allow Grimaldi Group to include coupons with offers of third parties on the back of Your ticket, etc.). In the latter case, no promotional communication will be made to you by the partners of the Grimaldi Group, nor any transfer of your personal data to such partners, unless you give your explicit and informed consent in this sense.

Finally, in relation to point 10, we inform you that Article 4 of the GDPR defines profiling as “any form of automated processing of personal data consisting in the use of such personal information to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects of personal preferences, interests, behaviour, sensitivity to commercial offers, the location or movement of that natural person”. Therefore, it can be considered a personal data processing activity that consists in dividing customers into homogeneous groups according to their behavior. If you give Your consent, Your Personal Data may be processed in order to trace a “history” of Your business relationship with the Grimaldi Group (for example, the different “touch points” with the Grimaldi Group, the interaction modalities You used, the preferences and the purchase frequency may be taken into consideration). This activity aims at elaborating a profile of Yours in order to personalize the offer of services and eventual specific services requested by You. If you decide to participate in Grimaldi Group brand reputation initiatives, we may process your data to reserve you ad hoc promotions.

It is understood that the activities referred to in paragraphs 9, 10 and 11 above will be carried out only on the personal contact data of the booking holder, i.e. the person who provided his or her e-mail address during the booking process.

Data belonging to special categories will be processed for the following purposes:

  1. guaranteeing passengers who so request the use of special assistance on board;
  2. in case of emergency and/or accident of the passenger on board, guaranteeing passengers who so request special care and/or assistance due to their state of health;
  3. apply any special discounts that may be provided for disabled persons and their companions, if the passenger has given his or her consent for this purpose.
  1. Retention of personal data

Personal data are retained according to the table below, unless specific legal and/or regulatory obligations or the need to defend a Grimaldi Group right in court require different retention periods:

Data Storage time Storage purposes
Name

Surname

Sex

Nationality

Tax code

Date of Birth

Place of Birth

Nationality

Identity card details

Residence address

Data related to particular categories to take advantage of particular assistance on board during navigation

Vehicle license plate

Telephone number

E-mail address

10 years from the end of the trip In order to manage the fulfilments following the execution of the contract (e.g.: sending of tax documentation, etc.), to fulfill the legal obligations to which the Grimaldi Group is subject (including the obligations to keep accounting records), to protect the legitimate interests of the Grimaldi Group and to resist in case of any disputes raised by passengers
Particular data relating to specific care and/or need for assistance of passengers in case of emergency situations

Data suitable to reveal the state of health otherwise processed by the staff on board in case of emergencies and/or accidents during navigation

Contacts of third parties indicated by the passenger as “emergency contacts”.

Pursuant to art. 12 of Legislative Decree no. 38/2020, only for the time necessary for the purposes of this notice and, in any case, only until the journey of the ship in question is completed safely and the data have been declared in the single national interface Guaranteeing the preparation and effectiveness of assistance operations on board, and search and rescue at sea
Name

Surname

Date of birth

Country/Province

E-mail address

12 months Carrying out generic marketing, profiled marketing, sending promotional emails of goods and services similar to those purchased, and other communication activities (as described in paragraph 2, numbers 9, 10 and 11 above)
  1. Legal basis

The legal basis for the processing operations listed above in paragraph 2, numbers 1 to 7, is the need to execute an agreement or pre-contractual measures in the interest of each passenger (Art. 6, paragraph 1, letter b, GDPR), as well as the need to comply with a legal obligation to which the data controller is subject (Art. 6, paragraph 1, letter c, GDPR).

The legal basis for the processing operations listed above in paragraph 2, number 8 , consists in the need to fulfil a legal obligation to which the data controller is subject (Art. 6, paragraph 1, letter c, GDPR).

The legal basis for the processing operations listed above in paragraph 2, numbers 9 and 10, is Your consent (Art. 6, para. 1, letter a, GDPR).

The legal basis for the processing operations listed above in paragraph 2, number 11, is the legitimate interest of the Grimaldi Group (Art. 6, paragraph 1, letter f, GDPR). In the event that the Grimaldi Group sends you electronic communications regarding products/services similar to those you have chosen, the legal basis is the application of art. 130, paragraph 4, of Legislative Decree no. 196/2003.

You will in any case have the right to object, at any time and at no cost, to the processing activities referred to in paragraph 2, numbers 9, 10 and 11 (limited to the activity of soft spam), even revoking the consent given, by sending a request to the e-mail privacy@grimaldi.napoli.it, as well as using the channel that will be indicated in the communications that you will receive, or by clicking on the appropriate link in the e-mails that will be sent to you.

The legal basis for the processing operations listed above in paragraph 2, numbers 12 and 13, is found in the existence of grounds of substantial public interest based on the law of EU or of Member States, which must be proportionate to the purpose pursued, respecting the essence of the right to data protection and providing for appropriate and specific measures to protect the fundamental rights and interests of the data subject, as well as in the purpose of the provision of healthcare on board (Art. 9, paragraph 2, lett. g and h GDPR).

Finally, the legal basis for the processing operations listed above in paragraph 2, number 14, is the consent of the passenger (Art. 9, paragraph 2, letter a, GDPR).

  1. Data transfer

Please note that passenger data may be communicated not only to other companies belonging to the Grimaldi Group, but also to entities established in third countries, even outside the territory of the European Union, in accordance with the principles established by the Regulation.

In particular, the communication of the data to shipping agencies is foreseen as these agencies act on behalf of the shipowner to transmit the data to the Authorities.

The shipowner is also required to communicate passenger data in advance to the terminal which, in compliance with security, will be responsible for communicating the data received to the competent Authorities (e.g. Port Authority, Border Police, Financial Police and Customs).

In addition, Grimaldi Group can directly communicate passengers data to the above mentioned Authorities

  1. Disclosing your data

We also inform you that the aforementioned processing of personal and sensitive data inherent, connected with and/or instrumental to the maritime transport agreement, may provide for access to such data by:

  1. Public authorities pursuant to the Circular of the Ministry of Infrastructure and Transport No. 104/2014 in compliance with Directive 98/41/EC (i.e. harbor master’s office and port authority);
  2. Ministry of Infrastructure and Transport – General Command of the Port Authority Corps;
  3. Judicial authorities and Police Forces, even when such communication is deemed reasonably necessary by the Grimaldi Group to ascertain or defend its own right;
  4. On-board doctor, in case of emergencies and/or personal injury to the passenger;
  5. Ticket offices, terminals and shipping agencies for the organization of embarkation/disembarkation operations;
  6. Catering companies, for the supply of products and services on board ship;
  7. External companies involved in the organization of events on board ship;
  8. Companies with which you have subscribed to loyalty or membership programs – e.g. Trenitalia, Payback, Telepass, Poste Italiane, ACI, etc. – which, by virtue of an agreement with the Grimaldi Group, guarantee you access to discounts on services offered by the company;
  9. Legal firms, should disputes arise;
  10. Insurance companies both when booking tickets and making claims;
  11. Experts dealing with complaints;
  12. Companies, including those not belonging to the Grimaldi Group, which provide other services essential to the provision of maritime transport or the performance of marketing activities, including those subject to your express consent, such as the hosting of websites and web systems, e-mail services, marketing, sponsorship of competitions and other promotions, audit services, data analysis, the conduct of market research and satisfaction surveys.

The need to communicate passenger data to the authorities referred to in point no. 1 stems from the requirement to count and register people on board passenger ships, which is the subject of Ministry of Infrastructure and Transport Circular No. 104/2014.

The data relating to the emergency contact reported by passengers as well as the data relating to particular categories provided for the provision of special care and/or assistance in the event of an emergency, will be communicated, before departure or in any case no later than 30 minutes after departure, to the captain and the commissioner of the ship where the passenger is and in any case included by Grimaldi Group in the single national interface provided in accordance with Directive (EU) 2017/2109 in order to ensure the preparation and effectiveness of search and rescue operations at sea.

It may be necessary for Grimaldi Group – based on laws, legal proceedings, disputes and/or requests made by public or governmental authorities inside or outside your country of residence, national security purposes or other matters of public importance – to disclose your personal data. When legally possible, we will inform you prior to the disclosure.

We may also disclose personal data if we establish in good faith that it is reasonably necessary to assert and protect our rights and activate available remedies.

  1. Nature of data provision and consequences of any failure to comply

The communication of data not belonging to particular categories (with the exception of the data relating to the emergency contact that may be indicated) is necessary for the exact execution of the contractual and pre-contractual obligations to be fulfilled by us, and failure to indicate such data will make it impossible to conclude the sea transport contract you have requested, as well as to exactly fulfil the legal obligations and those deriving from the public interest to protect safety in ports.

Communication of data relating to the passenger’s “emergency contact” is, on the other hand, optional: failure to provide such data will therefore have no impact on the conclusion of the sea transport contract requested.

The communication of data belonging to special categories is optional. However, if such data will be provided, Grimaldi Group will be able to better meet the needs of passengers and provide them with the necessary assistance, as well as apply – in the cases and ways provided – the special discount applied.

  1. Rights of data subjects

Each passenger may, at any time, exercise the following rights (within the limits established by the GDPR):

  1. to access personal data, requesting that these data be made available in an intelligible form, as well as the purposes on which the processing is based;
  2. to obtain the correction or deletion of the data or the limitation of processing;
  3. to revoke consent (where this is the legal basis for the processing) without prejudice to the lawfulness of the processing based on the consent before revocation;
  4. to obtain data portability;
  5. to object to data processing;
  6. to lodge a complaint with the competent supervisory authority, which in Italy is the Data Protection Authority, following the instructions on the website of the aforementioned authority.

The above-mentioned rights may be asserted by addressing requests to the following e-mail address: privacy@grimaldi.napoli.it.

The Data Protection Officer (DPO) appointed by the Grimaldi Group Companies is available at the following e-mail address: DPO@grimaldi.napoli.it.

  1. Changes to this document

Grimaldi Group reserves the right to update the content of this notice regarding the processing of personal data of its passengers in accordance with applicable national legislation on personal data protection. Any news related to the updating of this information notice will be communicated to the interested parties in the manner defined by Grimaldi Group.

Grimaldi Group SpA
Sede legale Palermo - Via Emerico Amari n°8 | Capitale Sociale: €150.000.000,00 | C.F. e Registro Imprese di Palermo: 00117240820 | P.IVA: IT 00117240820