PRIVACY POLICY REGISTRATION RESERVED AREA
Personal Data Processing Policy
Pursuant to Article 13 of EU Regulation 2016/679 (“GDPR”)
1. Scope
1.1 Grimaldi Group S.p.A., in the person of its legal representative pro tempore (“Grimaldi” or the “Data Controller” and, together with the companies Grimaldi Euromed S.p.A. and Grimaldi Deep Sea S.p.A., the “Grimaldi Group”), herein provides you with certain information regarding the processing of your Personal Data that is necessary in order to process your request for Registration (“Registration”) to the Grimaldi Lines website grimaldi-lines.com/it (the “Site”) and/or App (the “App”).
1.2 Registration allows you to access the Reserved Area on the Site and/or App. If you wish to register, the Data Controller will ask you to provide some of your Personal Data. Grimaldi undertakes to process the information you provide in accordance with the Privacy Policy (as defined below).
2. Data Controller
2.1 Grimaldi, as Data Controller of your Personal Data, provides you with this Privacy Policy pursuant to Article 13 of the GDPR and the applicable legislation in force concerning Personal Data protection (together with the GDPR, the “Privacy Law”).
2.2 The Grimaldi Group has appointed a Data Protection Officer (DPO), as envisaged by the GDPR, tasked with surveillance, supervision and specialised consultancy in the field of privacy, who may be contacted for support at the email address: DPO@grimaldi.napoli.it.
3. Data Subjects and categories of Personal Data processed
3.1 Data Subjects affected by the processing of Personal Data by the Data Controller are natural persons who intend to register on the Site and/or App (the “Data Subjects”).
3.2 The Data Controller shall process the Data Subjects’ common Personal Data provided, at the Data Controller’s request, for the purpose of enabling Registration. Such Personal Data includes identification data (name and surname) and contact data (email).
3.3 Once Registration has been completed, Data Subjects may freely enter additional Personal Data relating to them, including their gender, date of birth, address, information contained on their identification document (including type of document, number, expiry date, issuing country), information relating to the route booked or of interest, as well as the vehicle to be boarded, and information regarding any accompanying persons. The Data Subjects undertake to inform any accompanying persons of the content of this Privacy Policy and to not transmit to the Data Controller any Personal Data relating to their accompanying persons without the latter’s consent to such communication.
3.4 The data processed by the Data Controller and referring to the Data Subjects and/or their accompanying persons is collectively referred to as “Personal Data”.
3.5 The provision of Personal Data is always optional. However, in the absence of the categories of Personal Data referred to in Paragraph 2 above, the Data Controller may be unable to complete the Registration. The data referred to in Paragraph 3.3 above is not, in any case, necessary for completing the Registration process but by providing such details, the Data Subjects give their free consent to communicate the data to the Data Controller. The Data Controller will not use such data for profiling or other purposes and will in any event allow Data Subjects to complete the Registration even without such data.
4. Purpose and legal basis of the processing
4.1 The Personal Data shall be processed by the Data Controller, in compliance with the Privacy Law, for the purposes of enabling Registration as well as allowing the Data Subjects to take advantage of the benefits of Registration, including calling up a purchased ticket in order to consult or download it, storing the data necessary to make a reservation and, in the sole case in which Registration is made on the App, modifying a ticket already purchased, as well as, in the sole case in which Registration is made on the App, request the invoice relating to an issued ticket.
4.2 Personal Data shall be processed on the basis of the free and informed consent of the Data Subjects, pursuant to Article 6(1)(a) of the GDPR. Personal Data may also be processed on the basis of the fulfilment of legal obligations of the Data Controller related to the Registration, pursuant to Article 6(1)(c) of the GDPR, as well as on the basis of the legitimate interest of the Data Controller, also to defend their rights in court or in a pre-litigation phase, pursuant to Article 6(1)(f) of the GDPR.
4.3 The processing of Personal Data shall be carried out in compliance with the Privacy Law and conducted through computerised and/or manual systems, in all cases suitable for guaranteeing the security of such processing. The processing of Personal Data shall in all cases be governed by the principles of proportionality and necessity, whereby no unnecessary Personal Data shall be processed or collected, as well as by the principle of fairness and transparency and by the requirement for adequate security measures. For any further information on how the Data Controller processes Personal Data, Data Subjects are invited to refer to the Privacy Policy of the Grimaldi Group, available at grimaldi-lines.com/it/privacy-policy.
5. Personal Data recipients and retention periods
5.1 For the pursuit of the purposes set out in Paragraph 4 above, Personal Data may be disclosed to other companies belonging to the same Corporate Group as the Data Controller, as well as to the latter’s suppliers involved in the management and organisation of the Site and/or App. All such persons are in any case bound by confidentiality obligations and the provisions of the Privacy Law.
5.2 Personal Data shall be processed by the Data Controller through their own duly-authorised personnel, only to the extent necessary and on the basis of specific instructions from the Data Controller, with confidentiality and privacy guaranteed. Personal Data will not be transferred to countries outside the European Union nor to international organisations.
5.3 Personal Data will be retained for the duration of the Data Subjects’ Registration with the Site and/or App, or until the Data Subjects communicate their intention to cancel their Registration. The retention periods indicated herein may be extended due to the application of legal or regulatory obligations incumbent on the Data Controller or due to orders issued by the competent authorities or due to the Data Controller’s need to protect their own rights in court or at a preliminary stage of a legal proceeding.
6. Rights of Data Subjects
6.1 With regard to Personal Data, the Data Subjects and the persons to whom the Personal Data refer may exercise their rights under the Privacy Law. In particular, Data Subjects may:
a) Ask the Data Controller to confirm the existence of their Personal Data, the origin of such data, the logic and purposes of processing, the categories of subjects to whom the Personal Data may be communicated, as well as the identification details of the Data Controller and their Data Processors;
b) Request access to their Personal Data, its transformation into anonymous form, its blocking, rectification, integration or erasure, or the restriction of its processing;
c) Oppose processing in the cases established by the Privacy Law;
d) Withdraw consent at any time, without prejudice to the lawfulness of the processing carried out prior to such withdrawal;
e) Exercise the right to portability, within the limits set under Article 20 of the GDPR;
f) File a complaint with the Data Protection Authority, following the procedures and instructions published on the Authority’s official website at garanteprivacy.it.
6.2 For the purposes of exercising the rights referred to in Paragraph 1 above, as well as for any clarifications, Data Subjects may contact the Data Controller directly by sending an email to the competent Data Protection Officer (DPO), via the company contact details or to DPO@grimaldi.napoli.it, or use the channels made available by the Data Controller.