Information on personal data protection

Glossary - Definitions pursuant to Legislative Decree no. 196/2003 and EU Reg. no. 679/2016
  1. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  2. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
  4. “identification data” means personal data allowing a data subject to be directly identified;
  5. ‘sensitive data’ means personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life;
  6. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
  7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  8. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  9. ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
  10. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  11. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  12. ‘communication’ means disclosing the personal data to one or more identified entities other than the data subject, the data controller’s representative in the State territory, the data processor and persons in charge of the processing in any form whatsoever, including by making available or interrogating such data;
  13. ‘dissemination’ means disclosing personal data to unidentified entities, in any form whatsoever, including by making available or interrogating such data;
  14. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
  15. ‘cross-border processing’ means either:
    • processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State;
    • processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
With the coming into force of the EU Regulation no. 679/2016, “relative to the protection of natural persons as regards the processing of personal data, as well as the free circulation of such data and abrogating the directive 95/46/EC”, Grimaldi Group S.p.A., as Data Controller, is bound to provide information concerning the methods and purposes of processing personal data.
The table below gives a brief summary of the content of the information notice subsequently provided.
Data Controller: GRIMALDI GROUP S.p.A., with registered office in Via Emerico Amari, 8 – 90139, Palermo - Tax ID 00117240820 and VAT no. IT00117240820 – Fax +390815517401 – E-mail:
Purposes: To conclude, manage and implement our maritime transport contracts
Legal basis: Fulfilment of the contract and legal obligations
Transfer of data: Possible, where adequate guarantees safeguarding the data subject’s rights exist
Data subject’s rights:
  a. to access personal data;
  b. to obtain the rectification or erasure of data or limit the processing thereof;
  c. to object to the processing of personal data;
  d. to obtain the portability of such data;
  e. to complain to the appropriate control authority (e.g. Data Protection Authority), right which can be exercised by writing to:
The Data Controller has designated a Data Protection Officer (DPO), having specialist knowledge of legislation and standard practices in the matter of data protection, who is therefore qualified to perform the tasks as per Article 39 of the Reg. EU 679/2016.

      1. Subject of the processing
We hereto inform you, pursuant to Art. 13 GDPR, that the identification personal data, sensitive or not (i.e. name, surname, tax ID, VAT number, e-mail, telephone no. etc.) provided by you to this Company, or otherwise acquired by the same in compliance with the current legislative and contractual provisions - concerning, related and/or instrumental to the maritime transport contract - may be subject to processing in compliance with the aforementioned legislation and requirements of confidentiality.
The processing operations concern:
  • passengers’ personal details;
  • data relating to professional categories - i.e. membership of professional registers, Police forces – or participation in loyalty or association programmes entered into with third parties – e.g. Trenitalia, Payback, Telepass, Poste Italiane, ACI etc. (to obtain discounts on the services offered by the company).
We remind you, moreover, that the processing of certain sensitive data is provided for by Article 9 of the EU Regulation:
  • data provided by you, if any, about special needs related to your state of health.
Such sensitive personal data is provided on a voluntary basis. In this regard, we inform you that the acquisition and processing of such data will not only allow us to better meet your needs, but also to achieve the purpose envisaged in the Circular of the Ministry of Infrastructure and Transport no. 104/2014, namely “collecting passenger information and data [...] to facilitate search and rescue operations and optimise the resources needed to cope with an SAR event”.
      2. Purposes of the processing which the data is intended for (art. 24 letters a, b, c Personal Data Protection Code and art. 6 letter b, and GDPR)
Such data will be processed for purposes related to the mutual obligations deriving from the maritime transport contract in force with you.
In particular, the data will be processed:
  1. to manage requests for quotes;
  2. to conclude, manage and carry out the operations related to the maritime transport contract;
  3. to send logistical information about the journey (e.g. delays, departure quay, etc.);
  4. to organize internal events on board ship;
  5. to supply on board ship the products and services purchased;
  6. to extract statistical information, in anonymous form;
  7. to transmit your data to shipping agents, terminals and port authorities, judicial authorities and police forces.
We also hereto inform you that if you call our Contact Center, the calls may be listened to, after voice masking applications (morphing), for quality monitoring purposes.
      3. Data processing methods (Art. 4 Personal Data Protection Code and Art. 5 GDPR)
We also inform you that the personal data concerning you will be processed, including using electronic means, in compliance with the methods indicated in the GDPR, which provides, among other things, that the data must be:
  • processed according to the principles of lawfulness, transparency and fairness;
  • collected and recorded for specific, explicit and legitimate purposes (“purpose limitation”);
  • adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • accurate and kept up to date (“accuracy”);
  • kept for no longer than is necessary for the purposes for which the personal data are processed («retention limitation»);
  • processed in a manner that ensures appropriate security and confidentiality, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage ('integrity and confidentiality').
Personal data is stored according to the following table.
Data:
  • Tax Code
  • Date of Birth
  • Place of Birth
  • Details of ID
  • Residential Address
  • Sensitive data (state of health)
  • Vehicle number plate
  • Telephone number
Storage times: 10 years from the end of the journey
Purpose of storage: For the purposes of accounting records and for legal defence purposes in the case of possible disputes raised by passengers
      4. Legal basis
The legal basis of the processing listed above from point 1 to point 5 of paragraph 2 “Purpose of the processing for which the data are intended” is reflected in the fulfilment of contractual obligations, pre-contractual and statutory measures in order to manage the maritime transport contract.
For point 7 of paragraph 2 “Purpose of the processing for which the data are intended”, the legal basis of the processing is reflected in the fulfilment of legal obligations to which the Data Controller is subject and in the public interest of safety in ports.
      5. Transfer of data
Please note that your data may be disclosed not only to other companies belonging to the Grimaldi Group but also to entities established in third countries, even outside the territory of the European Union, subject to compliance with specific procedures.
With reference to EU countries, your data may be disclosed to the Port Authorities, Judicial Authorities, and Police Forces, Shipping Agents and Terminals situated in Spain, Greece, Germany, Belgium, Ireland, Portugal, Cyprus, Sweden and Denmark.
As regards non-EU countries, the data may be transferred to the above recipients working in Great Britain, Tunisia, Morocco, Turkey, Israel, Brazil, Uruguay, Argentina, Senegal, Benin, Nigeria, Ghana, Ivory Coast, USA and Canada.
In particular, the communication of your data to shipping agents is envisaged since the same act as representatives of the shipowner in forwarding data to the Authorities.
With reference to the Terminals, however, there is an obligation under which the same must carry out particular checks on persons and things intended for boarding or disembarking. This means that the shipowner is obliged to communicate passenger data to the Terminal in advance, which in compliance with the security procedures is required to communicate the data received to the Competent Authorities (e.g. Harbour Master, Border Police, Financial Police and Customs).
In addition, Grimaldi Group S.p.A. may communicate the passenger data to the Authorities mentioned above directly.
With reference to transfers that may take place in countries such as Israel, Uruguay, Argentina, the USA and Canada, the European Commission has expressed itself by legitimising the transfer with appropriate adequacy decisions pursuant to Article 25 paragraph 6 of Directive 95/46/EC.
In other countries, however, the transfer of data will be regulated by the contractual relationships between Grimaldi Group S.p.A. and the Shipping Agents and Terminals concerned at the time on the basis of the Standard Contractual Clauses referred to in Art. 26 paragraph 4 of Directive 95/46/EC.
      6. Communication of data
We also inform you that the aforementioned processing of personal and sensitive data concerning, related and/or instrumental to the maritime transport contract may provide for access to the above data by:
  1. Public Authorities pursuant to the Circular of the Ministry of Infrastructure and Transport no. 104/2014 in compliance with Directive 98/41/EC (i.e. harbour master and port authority);
  2. Judicial Authorities and Police Forces;
  3. Ticket Offices, Terminals and Shipping Agents for the organisation of boarding/disembarkation activities;
  4. Catering companies, for the supply of products and services on board ship;
  5. External companies dealing with the organisation of events on board ship;
  6. Companies with which you have subscribed to loyalty or association programmes – e.g. Trenitalia, Payback, Telepass, Poste Italiane, ACI etc. – which, under the agreement with Grimaldi Group S.p.A., assure you access to discounts on services offered by the company;
  7. Legal practices, in the event of disputes arising;
  8. Insurance companies both when booking tickets and filing a claim;
  9. Appraisers during the claim phase;
  10. Companies, including those belonging to the Grimaldi Group, providing other essential services for the maritime transport service or for carrying out marketing activities, such as hosting websites and web systems, e-mail services, marketing, sponsorship of competitions and other promotions, audit services, data analysis, market research and customer satisfaction surveys.
The need to communicate passenger data to the authorities referred to in point 1 arises from the obligation to count and register persons on board passenger vessels, referred to in the Circular of the Ministry of Infrastructure and Transport No 104/2014.
It may be necessary for us - in relation to laws, legal proceedings, disputes and/or requests made by public or governmental authorities within or outside your country of residence, national security purposes or other issues of public importance - to communicate your personal data. Whenever legally permitted, we will inform you before such communication.
We may also communicate your personal data if we establish in good faith that such communication is reasonably necessary to enforce and protect our rights and activate the available remedies.
      7. Data Subject’s Rights (Art. 7 Personal Data Protection Code and Art. 15 - 21 GDPR)
Lastly, we inform you that the data subject may, at any time, exercise the following rights:
  • to access personal data, requiring that such data be made available to you in an intelligible form, as well as the purposes of the processing (under Art. 15);
  • to obtain the rectification (under Art. 16) or the erasure (under Art. 17) of the same or the limitation of processing (under Art. 18);
  • to obtain the portability of such data (under Art. 20);
  • to object to the processing of personal data (under Art. 21);
  • to lodge a complaint with a competent supervisory authority.
The above rights may be exercised by contacting the following e-mail address
In this regard, we also inform you that the Data Protection Officer (DPO) appointed by the Company can be contacted at the following e-mail address:
      8. Provision of data and consequences of possible refusal
The provision of data is necessary for the correct performance of contractual and pre-contractual obligations which we are required to perform; failure to provide the same will make it impossible for us to conclude the maritime transport contract requested by you, as well as to correctly fulfil the legal obligations and those arising from the public interest concerning safety in ports.
      9. Soft spam
We inform you that we may use your e-mail address to market services similar to those which you have purchased. In this regard please note that you may exercise the right to oppose such processing at any time, by sending a request to the following e-mail address and by clicking on the appropriate link in the emails sent to you at the time.