Privacy Policy

In compliance with the provisions of the EU Regulation no. 679/2016, “relative to the protection of natural persons as regards the processing of personal data, as well as the free circulation of such data and abrogating the directive 95/46/EC”) (hereinafter “Regulation” or “GDPR”) ,this document briefly summarises the principles regulating the processing of data by Grimaldi Group S.p.A. (having its registered office in Palermo, in Via Emerico Amari n. 8, 90139, Tax ID and VAT no. 0117240820- hereinafter also “Company”), as Data Controller, in its passenger transport business.
For information relating to the cookie policy adopted by the Company for this website, reference is made to this link
Data Controller Grimaldi Group S.p.A. having its registered office in Palermo, in Via Enrico Amari n. 8, 90139, Tax ID and VAT no. 0117240820
Purposes To conclude, manage and carry out maritime transport contracts
Legal basis Fulfilment of the contract and legal obligations
Data transfer Possible, where adequate guarantees safeguarding the data subject’s rights exist
Data subject’s rights a. to access personal data;
b. to obtain the rectification or erasure of data or limit the processing thereof;
c. to object to the processing of personal data;
d. to obtain the portability of such data;
e. to complain to the appropriate control authority (e.g. Data Protection Authority);
rights which can be exercised by writing to:
The Data Controller has designated a Data Protection Officer (DPO), having specialist knowledge of legislation and standard practices in the matter of data protection, who is therefore qualified to perform the tasks as per Article 39 of the Reg. EU 679/2016.

1. Subject of the processing
The processing operations may concern:
  • personal and contact details;
  • data relating to professional categories or participation in loyalty or association programmes entered into with third parties.
Moreover, the processing of certain sensitive data provided for by Article 9 of the EU Regulation may be performed:
  • data concerning special needs related to your state of health.
Such sensitive personal data is provided on a voluntary basis. The acquisition and processing of such data will not only allow us to better meet passengers’ needs, but also achieve the purpose envisaged in the Circular of the Ministry of Infrastructure and Transport no. 104/2014, namely “collecting passenger information and data [...] to facilitate search and rescue operations and optimise the resources needed to cope with an SAR event".

2. Purposes of the processing which the data is intended for (art. 24 letters a, b, c Personal data Protection Code and art. 6 letter b, and GDPR)
Such data will be processed for purposes related to the mutual obligations deriving from the maritime transport contract.
In particular, the data will be processed:
  1. to manage requests for quotes;
  2. to conclude, manage and carry out the operations related to the maritime transport contract;
  3. to send logistical information about the journey (e.g. delays, departure quay, etc.);
  4. to organize internal events on board ship;
  5. to supply on board ship the products and services purchased;
  6. to extract statistical information, in anonymous form;
  7. to transmit data to shipping agents, terminals and port authorities, judicial authorities and police forces.
3. Data processing methods (Art. 4 Personal Data Protection Code and Art. 5 GDPR)
The personal data will be processed, including using electronic means, in compliance with the methods indicated in the GDPR, which provides, among other things, that the data must be:
  • processed according to the principles of lawfulness, transparency and fairness;
  • collected and recorded for specific, explicit and legitimate purposes (“purpose limitation”);
  • adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • accurate and kept up to date (“accuracy”);
  • kept for no longer than is necessary for the purposes for which the personal data are processed («retention limitation»);
  • processed in a manner that ensures appropriate security and confidentiality, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage ('integrity and confidentiality').
Personal data is stored according to the following table.
Data Storage times Purpose of storage
  • Personal and contact details
  • Data relating professional categories or participation in loyalty or association programmes entered into with third parties
  • Any data concerning special needs related to your state of health
10 years from the end of the journey
For the purposes of accounting records and for legal defence purposes in the case of possible disputes raised by passengers
4. Legal basis
The legal basis of the processing listed above from point 1 to point 5 of paragraph 2 “Purpose of the processing for which the data are intended” is reflected in the fulfilment of contractual obligations, pre-contractual and statutory measures in order to manage the maritime transport contract.
For point 7 of paragraph 2 “Purpose for which the data will be processed”, the legal basis of the processing lies in the fulfilment of legal obligations assigned the controller and in the public interests of protecting security at ports.
5. Data transfer and/or communication
Data may be disclosed, as well as to other companies belonging to the Grimaldi Group, also to entities established in third countries, even outside the territory of the European Union, subject to compliance with specific procedures and within the sphere of the aforesaid purposes.
In addition, we may need to communicate personal data in relation to laws, legal proceedings, disputes and/or requests made by public or governmental authorities within or outside the data subject’s country of residence, national security purposes other issues of public importance. Whenever legally permitted, we will inform the data subject before such communication.
We may also communicate personal data if we establish in good faith that such communication is reasonably necessary to enforce and protect our rights and activate the available remedies.
6. Data Subject’s Rights (Art. 7 Personal Data Protection Code and Art. 15 - 21 GDPR)
The data subject may , at any time, exercise the rights:
  • to access personal data, requiring that such data be made available in an intelligible form, as well as the purposes of the processing (former Art. 15);
  • to obtain the rectification (former Article 16) or the erasure (former art. 17) of the same or the limitation of processing (former Art. 18);
  • to obtain the portability of such data (former Art. 20);
  • to object to the processing of personal data (former Art. 21);
  • to lodge a complaint with a competent supervisory authority.
The above rights can be exercised by e-mailing a request to
In this regard, we would also point out that the Data Protection Officer (DPO) appointed by the Company can be contacted at the following e-mail address:
7. Nature of data provision and consequences of a potential failure to disclose the data
The provision of data is necessary for the correct performance of contractual and pre-contractual obligations which the Company is required to perform; failure to provide the same will make it impossible for us to conclude the maritime transport contract, as well as to correctly fulfil the legal obligations and those arising from the public interest concerning safety in ports.