Information on personal data protection

INFORMATION POLICY ON THE PROCESSING OF PERSONAL DATA

With the entry into force of EU Regulation 2016/679, “concerning the protection of individuals and personal data processing, as well as the free circulation of such data and repealing Directive 95/46/EC” (hereinafter “Regulation” or “GDPR”), Grimaldi Group S.p.A Companies, as Data Controller, is required to provide some information regarding the methods and purposes related to the processing of personal data.

The table below provides a brief summary of the information reported on the next page.

Data Controller Grimaldi Group S.p.A. (Hereinafter “Data Controller” or “Company”)
Purpose 1.     Conclusion, management and execution of the maritime transport contract, including the identification of passengers

2.     Offer of special assistance on board to passengers

3.     Preparation of special care and assistance that may be needed in an emergency, if requested by the passenger

4.     Emergency contact number possibly provided by the passenger in case of particular needs and/or emergencies relating to the passenger

5.     Passenger contact number where to provide information relating to the Data Controller’s operational organisation (even if not relating to the trip purchased by the data subject) and/or relating to services already used by the data subject

6.     Application of discounts to passengers with disabilities and their caregivers

7.     Advertising and marketing

8.     Profiling

Legal Basis Based on the purpose, respectively:

1.     Fulfilment of the Data Controller’s legal obligations and execution of contract or pre-contractual measures in place with the data subject

2.     Reasons of overriding public interest on the basis of Union law or the law of Member States and/or purposes of providing health care on board (Article 9, paragraph 2, letter g) and h), GDPR)

3.     Reasons of overriding public interest on the basis of Union law or the law of Member States and/or purposes of providing health care on board (Article 9, paragraph 2, letter g) and h), GDPR)

4.     Fulfilment of a legal obligation to which the Data Controller is subject

5.     The Data Controller’s legitimate interest

6.     The data subject’s consent

7.     Consent of the data subject

8.     Consent of the data subject

Data transfer Possible, with adequate guarantees for the protection of the data subject’s rights
The Data Subjects Rights a.         access to personal data;

b.         obtain data correction or deletion or processing limitation;

c.         object to the processing of the data;

d.         obtain data portability;

e.         file a complaint with the competent supervisory authority (e.g. Privacy Guarantor).

The rights referred to in letters a) to d) can be exercised by contacting the following address privacy@grimaldi.napoli.it.

The Data Controller has designated a Data Protection Officer, who has specialist knowledge of the data protection legislation and practices and can, therefore, fulfil the tasks referred to in Article 39 of the GDPR.

  1. Processing purpose

Pursuant to Article 13 of the GDPR, we inform you that your personal data, identification data (i.e. name, surname, nationality, gender, address, social security number, VAT number, e-mail, telephone number) and possible belonging to particular categories (i.e. data related to health), provided by you to this company during the stipulation of the maritime transport contract will be processed in compliance with the aforementioned law and confidentiality obligations. Personal data relating to a third party that you may have indicated and identified as an emergency contact may also be processed.

Data processing operations concern the following:

  • personal data and contact details of passengers;
  • contact data of third parties identified as emergency contact, if required by the passenger;
  • data concerning the belonging to professional categories – i.e. enrolment in professional registers, law enforcement agencies – or rather, belonging to loyalty or membership programs signed with third-party companies – e.g. Trenitalia, Payback, Telepass, Poste Italiane, ACI etc. (to get discounts on the services offered by the company).

However, we inform you that the processing may concern the following data belonging to particular categories as per Article 9 of the GDPR, if you provide this data spontaneously to take advantage of the special assistance on board:

  • information regarding the limitation of your mobility;
  • Information regarding your disabilities;
  • information about your particular health conditions;
  • any data you may have provided regarding your particular needs with respect to any treatment that may become necessary in an emergency, due to your health conditions.
  1. Data processing purposes (Article 6 of the GDPR)

Non-specific data will be processed for the following purposes:

  1. management of requests for a quote;
  2. conclusion, management and execution of operations related to the maritime transport contract, including your identification;
  3. sending of logistical information on the trip (e.g. delays, departure pier, etc.);
  4. Communications on board the ship;
  5. Provision on board of products and services purchased;
  6. Extraction of anonymous statistical information;
  7. Transmission of data to maritime agencies, terminals and port authorities, judicial authorities and law enforcement agencies;
  8. contact of third parties indicated as “emergency contacts”, pursuant to EU Directive 2017/2109;
  9. Sending of communications via e-mail, for promotional and marketing purposes, if you have given your consent for this purpose (“generic marketing”);
  10. Sending of communications via e-mail, for promotional and marketing purposes, resulting from profiling, if you have given your consent for this purpose (“profiled marketing”);
  11. sending information relating to the Data Controller’s operational organisation (even if not relating to the trip purchased by the data subject) and/or relating to services already used by the data subject.

In relation to point 10, we inform you that Article 4 of the GDPR defines profiling as “any form of automated processing of personal data consisting in the use of such personal information to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects of personal preferences, interests, behaviour, sensitivity to commercial offers , the location or movement of that physical person”. Therefore, the same can be considered a personal data processing activity which consists in subdividing the customers into homogeneous groups according to their conduct.

As part of the Company’s activities, therefore, where you give your consent, your Personal Data may be processed to trace a “history” of your business relationship with Grimaldi Group S.p.A. (for example, the different “touch points” with the Company, the methods of interaction you use, your preferences and purchase frequency may be taken into account). This activity aims to develop your profile to customize the offer of services and any specific services you requested.

We inform you that, should you contact our contact centre, the calls can be listened to for quality monitoring using the making of the voice (morphing).

Data belonging to particular categories will be processed for the following purposes:

  1. guarantee the use of special assistance on board to the passenger who requests it;
  2. in case of emergency, guarantee the special care and/or forms of assistance due to the passenger’s health conditions to the passenger who requests it;
  3. apply the special discounts possibly provided for disabled people and their caregivers, if the passenger has given his or her consent for this purpose.
  1. Processing methods (Article 5 of the GDPR)

Your personal data will be processed also with the aid of IT tools and in compliance with the procedures indicated by the GDPR, which provides, inter alia, that the data be:

  • processed according to the principles of lawfulness, transparency and correctness;
  • collected and recorded for specific, explicit and legitimate purposes (“purpose limitation”);
  • adequate, relevant, and not exceeding processing formalities (“data minimization”);
  • accurate and updated (“accuracy”);
  • retained for a period no longer than it takes to achieve the purposes for which they are processed (“storage limitation”);
  • processed using tools that guarantee security and confidentiality, including protection against unauthorised or unlawful processing and loss, destruction or accidental damage (“integrity and confidentiality”).

Personal data is stored according to the following table, unless specific legal and/or regulatory obligations or the need to defend the Data Controller’s rights in court require other retention terms:

Data Storage time Storage purposes
Name

Surname

Gender

Nationality

Tax Code

Date of Birth

Place of Birth

Nationality

Identity card details

Address of Residence

Data relating to particular categories to take advantage of particular assistance on board during navigation

Licence plate

Telephone number

E-mail address

10 years from the end of the voyage For the purposes of managing the obligations resulting from the execution of the contract (e.g.: sending tax documentation, etc.), to fulfil the legal obligations to which the Data Controller is subject (including the obligations to keep accounting records), to protect the legitimate interests of the Data Controller and to resist in the event of any disputes raised by passengers
Particular data relating to the passenger’s specific care and/or emergency in case of emergency situations

Contacts of third parties indicated by the passenger as “emergency contacts”

According to Article 12 of Legislative Decree 38/2020, only for the time necessary for the purposes referred to in this statement and, in any case, only until the time when the voyage of the ship in question is safely completed and the data has been declared in the single national interface Ensure the preparation and effectiveness of search and rescue operations at sea
Name

Surname

Date of birth

City/Province

E-mail address

For marketing purposes, the data will be retained until the user unsubscribes using a link available in each e-mail communication, which will be sent at least every 12 months General marketing activities and profiled marketing activities
  1. Legal basis

The legal basis of the processing listed above in paragraph 2, numbers 1 to 7, is identified in the need to implement a contract or pre-contractual measures (Article 6, paragraph 1, letter b, GDPR), as well as the need to comply with a legal obligation to which the data controller is subjected (Article 6, paragraph 1, letter c, GDPR).

The legal basis of the processing listed above in paragraph 2, number 8, is the need to fulfil a legal obligation to which the data controller is subject (Article 6, paragraph 1, letter c), GDPR).

The legal basis of the processing listed above in paragraph 2, numbers 9 and 10, is the passenger’s consent (Article 6, paragraph 1, letter a), GDPR).

The legal basis of the processing listed above in paragraph 2, number 11, is the Data Controller’s legitimate interest (Article 6, paragraph 1, letter f), GDPR) .You will have the right to object, at any time and without any cost, to this processing by using the methods indicated by the Data Controller at the bottom of each communication sent and/or in the manner indicated from time to time by the Data Controller.

The legal basis of the processing listed above in paragraph 2, numbers 12 and 13, is the existence of significant public interest based on the law of the European Union or of the Member States, which must be proportionate to the purpose pursued, respect the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject, as well as for providing health care on board (Article 9, paragraph 2, letter g) and h) GDPR).

The legal basis of the processing listed above in paragraph 2, numbers 14, is the passenger’s consent (Article 9, paragraph 2, letter a), GDPR).

 

  1. Data transfer

We inform you that your data may be communicated in addition to other companies belonging to the Grimaldi Group to entities established in third countries, even outside the territory of the European Union, with the observance of suitable procedures.

With reference to the countries within the EU, your data may be communicated to port authorities, judicial authorities and law enforcement agencies, shipping agencies and terminals in Spain, Greece, Germany, Belgium, Ireland, Portugal, Cyprus, Sweden and Denmark.

As for non-EU countries, data may be transferred to the aforementioned recipients operating in Great Britain, Tunisia, Morocco, Turkey, Israel, Brazil, Uruguay, Argentina, Senegal, Benin, Nigeria, Ghana, Ivory Coast, USA and Canada.

In particular, the communication of your data to the maritime agencies is foreseen since the same represents the shipowner in transmitting the data to the Authorities.

With reference to the terminal, however, there is an obligation for which the same will have to perform special checks on people and things intended to be embarked or disembarked. This results in an obligation for the shipowner to communicate in advance the data of passengers at the terminal, which in compliance with the security will be required to communicate the data received to the competent authorities (e.g. Port Authority, Border Police, Guardia di Finanza and Customs ).

Moreover, Grimaldi Group S.p.A. can directly communicate passenger data to the authorities mentioned above.

With reference to the transfers that may take place in countries such as Israel, Uruguay, Argentina, USA and Canada, the European Commission expressed its legitimacy by transferring it with appropriate adequacy decisions pursuant to Article 25 paragraph 6 of Directive 95/46/EC.

In other countries, however, where imposed by the GDPR, the transfer of data will be regulated in accordance with the principles established by the Regulation in the contractual relations maintained by the Company.

 

  1. Disclosing your data

Furthermore, we inform you that the processing of personal and sensitive data inherent, connected and/or instrumental to the maritime transport contract may involve access to the data above by the following:

  1. Public authorities pursuant to the Circular Letter of the Ministry of Infrastructures and Transport 104/2014 in compliance with Directive 98/41/EC (i.e. The Harbour Office and the Port Authorities);
  2. Ministry of Infrastructure and Transport – General Command of the Port Authority Corps;
  3. Judicial authorities and law enforcement agencies, even where such communication is reasonably deemed necessary by the Data Controller to ascertain or defend its rights;
  4. Ticket offices, terminals and maritime agencies for the organization of boarding/disembarking;
  5. Catering companies for the supply of products and services on board;
  6. External companies that deal with the organization of events on board;
  7. Company with which you have subscribed to loyalty or membership programs – e.g. Trenitalia, Payback, Telepass, Poste Italiane, ACI, etc. – that, by virtue of an agreement with Grimaldi Group SpA, guarantees you access to discounts on the services offered by the company;
  8. Legal firms, should disputes arise;
  9. Insurance companies both when booking tickets and at the time of the claim;
  10. Experts dealing with complaints;
  11. Companies, also belonging to the Grimaldi Group, suppliers of other services essential to the provision of maritime transport or the carrying out of marketing activities, also subject to your explicit consent, such as hosting sites and web systems, e-mail services, marketing, sponsorship of sweepstakes and other promotions, audit services, data analysis, market research and satisfaction surveys.

The need to communicate passenger data to the authorities referred to in point n. 1 derives from the obligation to count and register the persons on board the passenger ships, as provided for by the Circular Letter of the Ministry of Infrastructures and Transport 104/2014.

The data relating to the emergency contact reported by the passengers as well as the data relating to particular categories provided for the provision of particular care and/or assistance in the event of an emergency, will be communicated, before departure or in any case no later than 15 minutes after departure, to the commander and commissioner of the ship where the passenger is located and in any case entered by the Data Controller in the single national interface provided for in accordance with Directive (EU) 2017/2109 in order to guarantee the preparation and effectiveness of the search and rescue at sea.

It may be necessary for the Company to disclose your personal data based on laws, legal proceedings, disputes and/or requests by public or governmental authorities within or outside your country of residence, national security purposes and other matters of public importance. When legally possible, we will inform you prior to the disclosure.

We may also disclose your personal data if we establish in good faith that it is reasonably necessary to assert and protect our rights and activate available remedies.

  1. The data subject’s rights (Articles 15 – 21 of the GDPR)

Lastly, we inform you that the data subject may exercise the following rights at any time:

  1. have access to one’s personal data, requesting that it be made available in an intelligible form, as well as to the purposes on which the processing is based (pursuant to Article 15);
  2. to obtain the rectification (pursuant to Article 16), deletion (pursuant to Article 17), or limitation of processing (pursuant to Article 18);
  3. to withdraw consent, without prejudice to the lawfulness of the processing carried out prior to the withdrawal;
  4. obtain data portability (pursuant to Article 20);
  5. object to the processing of the data (pursuant to Article 21);
  6. file a complaint with the competent supervisory authority.

The rights referred to in letters a) to d) can be exercised by sending requests to the following e-mail address privacy@grimaldi.napoli.it.

In this regard, we also point out that the Data Protection Officer appointed by the Company can be contacted at the following e-mail address: DPO@grimaldi.napoli.it

 

  1. Nature of data provision and consequences of any failure to provide the data

The communication of data not belonging to particular categories(with the exception of the data relating to the emergency contact possibly reported) is necessary for the exact execution of our contractual and pre-contractual obligations and failure to indicate them will make it impossible to conclude the maritime transport contract requested by you, as well as to fulfil exactly the legal obligations and those deriving from the public interest to the protection of security in ports.

The communication of data relative to the passenger’s “emergency contact” is optional; however, failure to communicate this data will not have any impact on the conclusion of the requested sea transport contract.

The communication of data belonging to particular categories is optional. However, if this data is provided, the Company will be able to: better satisfy your needs and provide you with the necessary assistance; apply – in the cases and ways provided for – the special reserved discounts.

  1. Consent

Your personal data may be processed for the purposes indicated in paragraph 2, numbers 9 and 10 only if you have provided explicit consent according to Articles 7 of the GDPR.

In this regard, we point out that, without prejudice to the lawfulness of the processing based on consent before the revocation, you will be able to revoke the consent given at any time by sending a request to the following e-mail address privacy@grimaldi.napoli.it, as well as using the channel that will be indicated in the communications you will receive or by clicking on the appropriate link in the emails that will be sent to you.

  1. Changes to this document

The Data Controller reserves the right to update the content of this privacy policy regarding the processing of personal data of its passengers in accordance with the applicable national legislation on the protection of personal data. The data subjects will be informed of the updating of this privacy policy in the manner defined by the Data Controller.

Skip to content