Information on personal data protection

With the coming into force of the EU Regulation no. 679/2016, “relative to the protection of natural persons as regards the processing of personal data, as well as the free circulation of such data and abrogating the directive 95/46/EC”(hereinafter “Regulation” or “GDPR”), Grimaldi Group S.p.A. as Data Controller, is bound to provide information concerning the methods and purposes of processing personal data.
The table below gives a brief summary of the content of the information notice subsequently provided.
Data Controller Grimaldi Group S.p.A. (hereinafter, “Company”)
  1. To conclude, manage and carry out maritime transport contracts
  2. Advertising and marketing
  3. Profiling
Legal basis
  1. Fulfilment of the contract and legal obligations
  2. Consent of the data subject
  3. Consent of the data subject
Data transfer Possible, where adequate guarantees safeguarding the data subject’s rights exist
Data subject’s rights a. to access personal data;
b. to obtain the rectification or erasure of data or limit the processing thereof;
c. to object to the processing of personal data;
d. to obtain the portability of such data;
e. to complain to the appropriate control authority (e.g. Data Protection Authority);
rights which can be exercised by writing to:
The Data Controller has designated a Data Protection Officer (DPO), having specialist knowledge of legislation and standard practices in the matter of data protection, who is therefore qualified to perform the tasks as per Article 39 of the Reg. EU 679/2016.

1. Subject of the processing

We would hereby inform you, in accordance with Art. 13 GDPR,that the identification personal data, sensitive or not (i.e.  name, surname,tax ID, VAT number, e-mail, telephone no. etc.) provided by you to this Company, or otherwise acquired by the same in compliance with the current legislative and contractual provisions- concerning, related and/or instrumental to the maritime transport contract -may be subject to processing in compliance with the aforementioned legislation and requirements of confidentiality.
The processing operations concern:
  • passengers’ personal details;
  • data relating to professional categories - i.e. membership of professional registers, police forces – or participation in loyalty or association programmes entered into with third parties – e.g. Trenitalia, Payback, Telepass, Poste Italiane, ACI etc. (to obtain discounts on the services offered by the company).
We remind you, moreover, that the processing of certain sensitive data is provided for by Article 9 of the EU Regulation:
  • data provided by you, if any, about special needs related to your state of health.
Such sensitive personal data is provided on a voluntary basis. In this regard, we inform you that the acquisition and processing of such data will not only allow us to better meet your needs, but also to achieve the purpose envisaged in the Circular of the Ministry of Infrastructure and Transport no. 104/2014, namely “collecting passenger information and data [...] to facilitate search and rescue operations and optimise the resources needed to cope with an SAR event".

2. Purposes of the processing which the data is intended for (art. 24 letters a, b, c Personal Data Protection Code and art. 6 letter b, and GDPR)
Such data will be processed for purposes related to the mutual obligations deriving from the maritime transport contract in force with you.
In particular, the data will be processed:
  1. to manage requests for quotes;
  2. to conclude, manage and carry out the operations related to the maritime transport contract;
  3. to send logistical information about the journey (e.g. delays, departure quay, etc.);
  4. to organize internal events on board ship;
  5. to supply on board ship the products and services purchased;
  6. to extract statistical information, in anonymous form;
  7. for the transmission of your data to shipping agencies, terminals and port authorities, legal authorities and police forces;
  8. to send communications via e-mail, telephone and SMS for promotional and general marketing purposes (e.g. Newsletter), wherever you have given consent for these purposes;
  9. to carry out profiled marketing activities and send communications via e-mail, telephone and SMS wherever you have given consent for these purposes.
With reference to point 9, article 4 of the GDPR specifies ‘profiling’ as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”. Consequently the same may be considered an activity aimed at collecting and processing data concerning customers so as to divide them into groups according to their behaviour.
Within the scope of Company activities therefore, where you express your consent, your personal data may be processed to create a “record” of your business relations with Grimaldi Group S.p.A. ( for example, the various “touch points” with the Company may be considered, the method of interaction used by you; your purchase preferences and frequency as well as what your objectives might be based on performance indicators.  Such activities are aimed at creating a profile so as to customise the services offered and any specific services which you might request.
We also hereto inform you that if you call our contact center,the calls may be listened to, after voice masking applications (morphing), for quality monitoring purposes.

3. Data processing methods (Art. 4 Personal Data Protection Code and Art. 5 GDPR)
We also inform you that the personal data concerning you will be processed, including using electronic means, in compliance with the methods indicated in the GDPR, which provides, among other things, that the data must be:
  • processed according to the principles of lawfulness, transparency and fairness;
  • collected and recorded for specific, explicit and legitimate purposes (“purpose limitation”);
  • adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • accurate and kept up to date (“accuracy”);
  • kept for no longer than is necessary for the purposes for which the personal data are processed («retention limitation»);
  • processed in a manner that ensures appropriate security and confidentiality, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage ('integrity and confidentiality').
Personal data is stored according to the following table.
Data Storage times Purpose of storage
Tax Code
Date of Birth
Place of Birth
Details of ID
Residential Address
Sensitive data (state of health)
Vehicle number plate
Telephone number
10 years from the end of the journey
For the purposes of accounting records and for legal defence purposes in the case of possible disputes raised by passengers
Use of the aforesaid data for the general marketing and profiled marketing purposes specified above will respectively cease at the end of the first and of the second year from the date of obtaining consent to use your data for the aforesaid purposes.

4. Legal basis
The legal basis of the processing listed above from point 1 to point 5 of paragraph 2 “Purpose of the processing for which the data are intended” is reflected in the fulfilment of contractual obligations, pre-contractual and statutory measures in order to manage the maritime transport contract.
For point 7 of paragraph 2 “Purpose of the processing for which the data are intended” , the legal basis of the processing is reflected in the fulfilment of legal obligations to which the Data Controller is subject and in the public interest of safety in ports.
For points 8 and 9 of paragraph 2 “Purpose of the processing for which the data are intended” , the legal basis of the processing is reflected in the consent , if any, you should decide to provide.

5. Data transfer
Please note that your data may be disclosed, as well as to other companies belonging to the Grimaldi Group, also to entities established in third countries, even outside the territory of the European Union, subject to compliance with specific procedures.
With reference to EU countries, your data may be disclosed to the port authorities, judicial authorities, and police forces, shipping agents and terminals situated in Spain, Greece, Germany, Belgium, Ireland, Portugal, Cyprus, Sweden and Denmark.
As regards non-EU countries, the data may be transferred to the above recipients working in Great Britain, Tunisia, Morocco, Turkey, Israel, Brazil, Uruguay, Argentina, Senegal, Benin, Nigeria, Ghana, Ivory Coast, USA and Canada.
In particular, the communication of your data to shipping agents is envisaged since the same act as representatives of the shipowner in forwarding data to the Authorities.
With reference to the terminals, however, there is an obligation under which the same must carry out particular checks on persons and things intended for boarding or disembarking. This means that the shipowner is obliged to communicate passenger data to the terminal in advance, which in compliance with the security procedures is required to communicate the data received to the competent Authorities (e.g. Port Authorities, Financial Police Force and Customs).
In addition, Grimaldi Group S.p.A. may communicate the passenger data to the Authorities mentioned above directly.
With reference to transfers that may take place in countries such as Israel, Uruguay, Argentina, the USA and Canada, the European Commission has expressed itself by legitimising the transfer with appropriate adequacy decisions pursuant to Article 25 paragraph 6 of Directive 95/46/EC.
In other countries, however, where the GDPR applies, data transfer will be regulated in accordance with the principles established by the Regulation in the contractual relations carried out by the Company.

6. Communication of data
We also inform you that the aforementioned processing of personal and sensitive data concerning, related and / or instrumental to the maritime transport contract may provide for access to the above data by:
  1. Public Authorities pursuant to the Circular of the Ministry of Infrastructure and Transport no. 104/2014 in compliance with Directive 98/41/EC (i.e. harbour master and port authority);
  2. legal authorities and police forces;
  3. ticket offices, terminals and shipping agencies for the organisation of embarkation/disembarkation;
  4. Catering companies, for the supply of products and services on board ship;
  5. External companies dealing with the organisation of events on board ship;
  6. Companies with which you have subscribed to loyalty or association programmes – e.g. Trenitalia, Payback, Telepass, Poste Italiane, ACI etc. – which, under the agreement with Grimaldi Group S.p.A., assure you access to discounts on services offered by the company;
  7. Legal practices, in the event of disputes arising;
  8. Insurance companies both when booking tickets and filing a claim;
  9. Appraisers during the claim phase;
  10. Companies, including those belonging to the Grimaldi, Group providing other essential services for the maritime transport service or for carrying out marketing activities, also conditional to your specific consent, such as hosting websites and web systems, e-mail services, marketing, sponsorship of competitions and other promotions, audit services, data analysis, market research and customer satisfaction surveys.
The need to communicate passenger data to the authorities referred to in point 1 arises from the obligation to count and register persons on board passenger vessels, referred to in the Circular of the Ministry of Infrastructure and Transport No 104/2014.
It may be necessary for us - in relation to laws, legal proceedings, disputes and/or requests made by public or governmental authorities within or outside your country of residence, national security purposes or other issues of public importance - to communicate your personal data. Whenever legally permitted, we will inform you before such communication.
We may also communicate your personal data if we establish in good faith that such communication is reasonably necessary to enforce and protect our rights and activate the available remedies.

7. Data Subject’s Rights (Art. 7 Personal Data Protection Code and Art. 15 - 21 GDPR)
Lastly, we inform you that the data subject may, at any time, exercise the rights:
  • to access personal data, requiring that such data be made available in an intelligible form, as well as the purposes of the processing (former Art. 15);
  • to obtain the rectification (former Article 16) or the erasure (former art. 17) of the same or the limitation of processing (former Art. 18);
  • to obtain the portability of such data (former Art. 20);
  • to object to the processing of personal data (former Art. 21);
  • to lodge a complaint with a competent supervisory authority.
The above rights can be exercised by e-mailing a request to
In this regard, please also note that the Data Protection Officer appointed by the Company can be contacted by e-mail at

8. Nature of data provision and consequences of a potential failure to disclose the data
The provision of data is necessary for the correct performance of contractual and pre-contractual obligations which we are required to perform; failure to provide the same will make it impossible for us to conclude the maritime transport contract requested by you, as well as to correctly fulfil the legal obligations and those arising from the public interest concerning safety in ports.

9. Consent
As mentioned in the paragraph “Purpose of the processing for which the data are intended””, the company intends to process your data for the further purposes specified in points 7 and 8 of said paragraph.

In this regard please note that without affecting the lawfulness of processing based on consent before its withdrawal; you may withdraw the consent given at any time, by sending a request to the e-mail address as well as by using the channel indicated in the communication you receive or by clicking on the link provided in the emails sent to you.
In addition, we inform you that we may use your e-mail address to market services similar to those which you have purchased. In this regard please note that you may exercise the right to oppose such processing at any time, by sending a request to the following e-mail address and by clicking on the appropriate link in the emails sent to you at the time .