In compliance with the provisions of the EU Regulation no. 679/2016, “relative to the protection of natural persons as regards the processing of personal data, as well as the free circulation of such data and abrogating the directive 95/46/EC”, this document briefly summarises the principles regulating the processing of data by Grimaldi Group S.p.A. (having its registered office in Palermo, in Via Emerico Amari n. 8, 90139, Tax ID and VAT no. 0117240820), as Data Controller, in its passenger transport business.
|Data Controller||Grimaldi Group S.p.A. having its registered office in Palermo, in Via Emerico Amari n. 8, 90139, Tax ID and VAT no. 0117240820|
|Purposes||To conclude, manage and carry out maritime transport contracts|
|Legal basis||Fulfilment of the contract and legal obligations|
|Transfer of data||Possible, where adequate guarantees safeguarding the data subject’s rights exist|
|Data subject’s rights||a. to access personal data; |
b. to obtain the rectification or erasure of data or limit the processing thereof;
c. to object to the processing of personal data;
d. to obtain the portability of such data;
e. to complain to the appropriate control authority (e.g. Data Protection Authority);
rights which can be exercised by writing to: firstname.lastname@example.org.
The Data Controller has designated a Data Protection Officer (DPO), having specialist knowledge of legislation and standard practices in the matter of data protection, who is therefore qualified to perform the tasks as per Article 39 of the Reg. EU 679/2016.
1. Subject of the processing
The processing operations may concern:
- personal and contact details;
- data relating to professional categories or participation in loyalty or association programmes entered into with third parties.
- data concerning special needs related to your state of health.
Such data will be processed for purposes related to the mutual obligations deriving from the maritime transport contract.
In particular, the data will be processed:
- to manage requests for quotes;
- to conclude, manage and carry out the operations related to the maritime transport contract;
- to send logistical information about the journey (e.g. delays, departure quay, etc.);
- to organize internal events on board ship;
- to extract statistical information, in anonymous form;
- to transmit data to shipping agents, terminals and port authorities, judicial authorities and police forces.
3. Data processing methods (Art. 4 Personal Data Protection Code and Art. 5 GDPR)
The personal data will be processed, including using electronic means, in compliance with the methods indicated in the GDPR, which provides, among other things, that the data must be:
- processed according to the principles of lawfulness, transparency and fairness;
- collected and recorded for specific, explicit and legitimate purposes (“purpose limitation”);
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and kept up to date (“accuracy”);
- kept for no longer than is necessary for the purposes for which the personal data are processed («retention limitation»);
- processed in a manner that ensures appropriate security and confidentiality, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage ('integrity and confidentiality').
Personal data is stored according to the following table.
|Data||Storage times||Purpose of storage|
| ||10 years from the end of the journey. ||For the purposes of accounting records and for defence purposes in the case of possible disputes raised by passengers. |
4. Legal basis
The legal basis of the processing listed above from point 1 to point 4 of paragraph 2 “Purpose of the processing for which the data are intended” is reflected in the fulfilment of contractual obligations, pre-contractual and statutory measures in order to manage the maritime transport contract.
For point 6 of paragraph 2 “Purpose of the processing for which the data are intended” , the legal basis of the processing is reflected in the fulfilment of legal obligations to which the Data Controller is subject and in the public interest of safety in ports.
5. Data transfer and/or communication
Data may be disclosed, as well as to other companies belonging to the Grimaldi Group, also to entities established in third countries, even outside the territory of the European Union, subject to compliance with specific procedures and within the sphere of the aforesaid purposes.
In addition, we may need to communicate personal data in relation to laws, legal proceedings, disputes and/or requests made by public or governmental authorities within or outside the data subject’s country of residence, national security purposes other issues of public importance. Whenever legally permitted, we will inform the data subject before such communication.
We may also communicate personal data if we establish in good faith that such communication is reasonably necessary to enforce and protect our rights and activate the available remedies.
6. Data Subject’s Rights (Art. 7 Personal Data Protection Code and Art. 15 - 21 GDPR)
The data subject may , at any time, exercise the rights:
- to access personal data, requiring that such data be made available in an intelligible form, as well as the purposes of the processing (former Art. 15);
- to obtain the rectification (former Article 16) or the erasure (former art. 17) of the same or the limitation of processing (former Art. 18);
- to obtain the portability of such data (former Art. 20);
- to object to the processing of personal data (former Art. 21);
- to lodge a complaint with a competent supervisory authority.
The above rights may be exercised by contacting the following e-mail address email@example.com.
In this regard, we would also point out that the Data Protection Officer (DPO) appointed by the Company can be contacted at the following e-mail address: firstname.lastname@example.org