DOMESTIC LINES (WITHIN GREECE)
Name of Controller: MINOAN LINES Shipping S.A. Company
Address: Heraklion Crete, Nr. 17, 25 Augoustou Str., P.C. 71202
Telephone – Fax: +30 2810 399800 - Fax: +30 2810 330308
ADRIATIC LINES (GREECE – ITALY)
JOINT CONTROLLERS: “MINOAN LINES Shipping S.A. Company” AND THE ITALIAN COMPANY “GRIMALDI GROUP S.p.A.” (Article 26 of the GDPR)
- Name of Controller: MINOAN LINES Shipping S.A. Company
Address: Heraklion Crete, Nr. 17, 25 Augoustou Str., P.C. 71202
Telephone – Fax: +30 2810 399800 - Fax: +30 2810 330308
- Name of Controller: GRIMALDI GROUP S.p.A.
Address: Via Emerico Amari, 8 – 90139, Palermo - Italy
Fax: +39 0815517401
CONTACT FOR PRIVACY AND PERSONAL DATA ISSUES
TYPES OF DATA COLLECTED
Personal data are data which identify you or could reasonably be used to identify you, are submitted to or collected by the website, and are maintained by MINOAN LINES in an accessible form. Indicatively, the personal data we collect during your use of this site are your name, postal address, e-mail address, phone number, and your credit card details for booking your ferry ticket.
For what purpose does MINOAN LINES collect my data?
As stated above, this Policy concerns the processing of personal data you provide us with through this site. The purposes of processing your personal data are:
- finalizing your online ferry ticket reservation.
- processing your requests, answering your questions when you contact us for various reasons.
- sending newsletters for informational purposes after obtaining your consent
What type of data does MINOAN LINES collect electronically?
Personal data you submit: Most of our services do not require any form of subscription, allowing you to visit our site without the need to provide any personal information. MINOAN collects the personal data you enter into the data fields on the site. For example, you may enter your name, postal address, e-mail address and/or other details in order to book your ticket online.
Passive collection of other specific technical and navigation data: The website may collect information about your visits to it without you actively submitting such information. This information may include, for example, the type and language of your browser, your operating system, IP address, the URLs of the websites you visited before and after your visit to the website, the search that led you to the website, as well as the pages and ads you see and the links you click on our site. These data can be collected using various technologies, such as cookies, Internet tags, and web beacons. Your browser also automatically transmits some of these data, such as the URL of the site you just visited, and the version of the browser installed on your computer.
We explicitly state that when you subscribe to the newsletter of our website https://www.minoan.gr, you will only be registered in the MINOAN newsletter and not in the GRIMALDI GROUP S.p.A. newsletter. Therefore, the personal data you provide us with through your subscription to the newsletter are collected only by MINOAN, the newsletters you receive will only come from MINOAN, and regarding the right to withdraw your consent to receive our newsletter (unsubscribe), you can only enforce it towards MINOAN.
PERSONAL DATA COLLECTION
What are the legal bases for processing my personal data?
The legal bases for the abovementioned processing purposes are:
a) the execution of your contractual relationship with GRIMALDI GROUP S.p.A. when booking a ferry ticket (art. 6 par. 1 subpar. B of the GDPR);
b) the compliance of both Joint Controllers with their legal obligations regarding the reservation of ferry tickets (art. 6 par. 1 subpar. C of the GDPR);
c) the fulfillment of the legitimate interests of both Joint Controllers regarding the handling of your requests when you contact us (art. 6 par. 1 subpar. F of the GDPR);
d) your explicit consent (art. 6 par. 1 subpar. A of the GDPR and art. 9 par. 2 subpar. A of the GDPR) e.g. subscription to our newsletter, processing the personal data of people with disabilities, etc., which you have the right to revoke at any time.
Does MINOAN share personal data with third parties?
MINOAN, as mentioned above, is a Joint Controller along with the Italian Group GRIMALDI GROUP S.p.A. (under Article 26 of the GDPR) with regard to the personal data of Adriatic Line passengers. This means that the personal data of the Adriatic Line passengers are collected (jointly) by both our company and GRIMALDI GROUP S.p.A., who both act as Controllers.
As far as its activity is concerned, MINOAN does not sell, share, disclose, transmit or distribute your personal data to third parties in any way, except in the case of the sale or transfer of a line, product, or part of the company, or in relation to a joint promotion program.
MINOAN is required to provide your personal data in response to formal requests from state authorities in case of national security situations or as otherwise required by law.
Which persons within MINOAN will have access to my personal data?
Personal information is accessible to a limited number of MINOAN employees. We train our employees on the importance of privacy and confidentiality as well as the way your data are subject to proper and safe handling and processing.
How does MINOAN guarantee the security of personal data?
MINOAN’s policy is to secure every website that collects personal data. To this end, it has cooperated with specialized consultants and employs trained personnel. However, the privacy of personal data transmitted over the Internet cannot be guaranteed. We urge you to be careful when transmitting personal data over the Internet, especially data related to your health. MINOAN cannot guarantee that unauthorized third parties will not gain access to your personal information. Therefore, when submitting personal information to MINOAN websites, you have to take into account both the benefits and the risks.
Does MINOAN LINES transfer personal data to different jurisdictions?
MINOAN does not keep the data on servers outside the Greek Territory.
How does MINOAN protect the privacy of children?
MINOAN does not collect or use – to its knowledge – any personal data of children (we define “children” as minors under the age of 18) on MINOAN websites. We do not allow children to order our products, contact us, or use any of our online services to our knowledge. If you are a parent and have realized that your child has provided us with information, please contact us through one of the methods provided below and we will cooperate with you to address the issue.
What are my rights with respect to the processing of my personal data?
The processing of your personal data is also connected to your respective rights, which, subject to any provisions limiting the exercise thereof, are:
- The right to access and correction. You have the right to access and correct your personal data at any time.
- The right to data portability. The personal data you have given us is portable. This means they can be moved, copied, or transferred electronically.
- The right to erasure. If you withdraw your consent to personal data processing at any time, you have the right to request that we erase your data.
- The right to data processing restriction. You can always restrict the scope and type of personal information that MINOAN receives in regard to your person by choosing not to enter any personal information into certain forms or data fields on its site. Some of our online services can only be provided if you enter the necessary personal information (for example, online ticket issuance). You may also be asked if you wish to be included in our contact lists for offers, promotions, and additional services that may be of interest to you.
- The right to withdraw consent. If you have provided your consent to the processing of your personal data (e.g. when you subscribe to our newsletter), you have the right to withdraw your consent at any time by contacting us with the information provided herein.
- The right to object to data processing for direct marketing purposes (e.g. receiving information e-mails from us).
- The right to file a complaint with the Personal Data Protection Authority. You have the right to file a complaint regarding the way we process your personal data directly with the local Supervising Authority for the Protection of Personal Data.
In the event that you exercise one of the afore-mentioned rights, we will take all reasonable measures to satisfy your request within a reasonable time period, at the latest within one (1) month from the verification of your submitted request, informing you in writing in regard to the resolution of said request, or the reasons that may be impeding your enforcing the right in question and/or the successful implementation of one or more of your rights, in accordance with the General Data Protection Regulation. Please note that, in some cases, it may not be possible to meet your relevant requests, such as when they are contrary to a legal obligation or impinge on a contractual legal basis for the processing of your data.
How can I exercise my GDPR rights?
In order to exercise your GDPR rights, namely the rights to update, access, correct, delete, restrict data processing, edit, transfer, oppose, and withdraw your consent, you can contact our company by e-mail: firstname.lastname@example.org, as well as the DPO of our company, Mr. Andreas Lianeris at the address: Heraklion Crete, 17 25 Augoustou Str., P.C. 71202.
Adriatic Line passengers especially can contact both our company and GRIMALDI GROUP S.p.A. We wish to clarify that enforcing your rights towards our company does not in any way prevent you from enforcing your rights towards GRIMALDI GROUP S.p.A. and vice versa.
In the event that you believe that any of your rights or legal obligations of our company regarding Personal Data protection have been violated but, even though you contacted the Data Protection Officer (DPO) of our company regarding this matter thus exercising your rights towards the Company, you did not receive a response within one month (extending the deadline to two months in case of a complex request) or you deemed the response you received from the Company unsatisfactory since your issue was not resolved, you have the option to file a complaint with the Greek supervising authority i.e. the Hellenic Data Protection Authority (HDPA), 1-3 Kifissias Av., PC 115 23 Athens; e-mail: email@example.com; Fax 2106475628.
Adriatic Line passengers can also submit a complaint to the competent Italian supervising authority (Garante per la protezione dei dati personali), Piazza Venezia 11 - 00187 Rome; Tel: +39-06-6967 71; Fax: +39-06-6967 73785; e-mail: firstname.lastname@example.org & email@example.com
INFORMATION ON PERSONAL DATA PROTECTION ADRIATIC LINE
Glossary - Definitions pursuant to Legislative Decree no. 196/2003 and EU Reg. no. 679/2016
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
- “identification data” means personal data allowing a data subject to be directly identified;
- ‘sensitive data’ means personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life;
- ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
- ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- ‘communication’ means disclosing the personal data to one or more identified entities other than the data subject, the data controller’s representative in the State territory, the data processor and persons in charge of the processing in any form whatsoever, including by making available or interrogating such data;
- ‘dissemination’ means disclosing personal data to unidentified entities, in any form whatsoever, including by making available or interrogating such data;
- ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
- ‘cross-border processing’ means either:
  - processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
  - processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
In compliance with the provisions of the EU Regulation no. 679/2016, “relative to the protection of natural persons as regards the processing of personal data, as well as the free circulation of such data and abrogating the directive 95/46/EC”, this document briefly summarises the principles regulating the processing of data by Grimaldi Group S.p.A. (having its registered office in Palermo, in Via Enrico Amari n. 8, 90139, Tax ID and VAT no. 0117240820), as Data Controller, in its passenger transport business.
|Data Controller||Grimaldi Group S.p.A. having its registered office in Palermo, in Via Enrico Amari n. 8, 90139, Tax ID and VAT no. 0117240820|
|Purposes||To conclude, manage and carry out maritime transport contracts|
|Legal basis||Fulfilment of the contract and legal obligations|
|Transfer of data||Possible, where adequate guarantees safeguarding the data subject’s rights exist|
|Data subject’s rights||a. to access personal data; b. to obtain the rectification or erasure of data or limit the processing thereof; c. to object to the processing of personal data; d. to obtain the portability of such data; e. to complain to the appropriate control authority (e.g. Data Protection Authority); rights which can be exercised by writing to: firstname.lastname@example.org.|
The Data Controller has designated a Data Protection Officer (DPO), having specialist knowledge of legislation and standard practices in the matter of data protection, who is therefore qualified to perform the tasks as per Article 39 of the Reg. EU 679/2016.
1. Subject of the processing
The processing operations may concern:
- personal and contact details;
- data relating to professional categories or participation in loyalty or association programmes entered into with third parties.
Moreover, the processing of certain sensitive data provided for by Article 9 of the EU Regulation may be performed:
- data concerning special needs related to your state of health
Such sensitive personal data is provided on a voluntary basis. The acquisition and processing of such data will not only allow us to better meet passengers’ needs, but also achieve the purpose envisaged in the Circular of the Ministry of Infrastructure and Transport no. 104/2014, namely “collecting passenger information and data […] to facilitate search and rescue operations and optimise the resources needed to cope with an SAR event”.
2. Purposes of the processing which the data is intended for (art. 24 letters a, b, c Personal data Protection Code and art. 6 letter b, and GDPR)
Such data will be processed for purposes related to the mutual obligations deriving from the maritime transport contract.
In particular, the data will be processed:
1. to manage requests for quotes;
2. to conclude, manage and carry out the operations related to the maritime transport contract;
3. to send logistical information about the journey (e.g. delays, departure quay, etc.);
4. to organize internal events on board ship;
5. to supply on board ship the products and services purchased;
6. to extract statistical information, in anonymous form;
7. to transmit data to shipping agents, terminals and port authorities, judicial authorities and police forces.
3. Data processing methods (Art. 4 Personal Data Protection Code and Art. 5 GDPR)
The personal data will be processed, including using electronic means, in compliance with the methods indicated in the GDPR, which provides, among other things, that the data must be:
- processed according to the principles of lawfulness, transparency and fairness;
- collected and recorded for specific, explicit and legitimate purposes (“purpose limitation”);
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and kept up to date (“accuracy”);
- kept for no longer than is necessary for the purposes for which the personal data are processed («retention limitation»);
- processed in a manner that ensures appropriate security and confidentiality, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage ('integrity and confidentiality').
Personal data is stored according to the following table.
|Data||Storage times||Purpose of storage|
|Personal and contact details; data relating to professional categories or participation in loyalty or association programmes entered into with third parties; any data concerning special needs related to your state of health||10 years from the end of the journey||For the purposes of accounting records and for defence purposes in the case of possible disputes raised by passengers|
4. Legal basis
The legal basis of the processing listed above from point 1 to point 5 of paragraph 2 “Purpose of the processing for which the data are intended” is reflected in the fulfilment of contractual obligations, pre-contractual and statutory measures in order to manage the maritime transport contract.
For point 7 of paragraph 2 “Purpose for which the data will be processed”, the legal basis of the processing lies in the fulfilment of legal obligations assigned to the controller and in the public interests of protecting security at ports.
5. Data transfer and/or communication
In addition to other companies belonging to the Grimaldi Group, data may also be disclosed to entities established in third countries, even outside the territory of the European Union, subject to compliance with specific procedures and within the sphere of the aforesaid purposes.
In addition, we may need to communicate personal data in relation to laws, legal proceedings, disputes and/or requests made by public or governmental authorities within or outside the data subject’s country of residence, national security purposes or other issues of public importance. Whenever legally permitted, we will inform the data subject before such communication.
We may also communicate personal data if we establish in good faith that such communication is reasonably necessary to enforce and protect our rights and activate the available remedies.
6. Data Subject’s Rights (Art. 7 Personal Data Protection Code and Art. 15 - 21 GDPR)
The data subject may, at any time, exercise the rights:
- to access personal data, requiring that such data be made available in an intelligible form, as well as the purposes of the processing (former Art. 15);
- to obtain the rectification (former Article 16) or the erasure (former art. 17) of the same or the limitation of processing (former Art. 18);
- to obtain the portability of such data (former Art. 20);
- to object to the processing of personal data (former Art. 21);
- to lodge a complaint with a competent supervisory authority.
The above rights can be exercised by e-mailing a request to email@example.com.
In this regard, we would also point out that the Data Protection Officer (DPO) appointed by the Company can be contacted at the following e-mail address: DPO@grimaldi.napoli.it.
7. Nature of data provision and consequences of a potential failure to disclose the data
The provision of data is necessary for the correct performance of contractual and pre-contractual obligations which the Company is required to perform; failure to provide the same will make it impossible for us to conclude the maritime transport contract, as well as to correctly fulfil the legal obligations and those arising from the public interest concerning safety in ports.