Privacy Policy

PRIVACY POLICY

This Privacy Policy explains the way we handle and process the personal data you provide us with. This Privacy Policy also describes the collection procedure of other technical and navigation information through cookie files and similar technologies.

Please read this Privacy Policy before using the website or before submitting your personal data to us.

Contents

DOMESTIC LINES (WITHIN GREECE)

Name of Controller: MINOAN LINES Shipping S.A. Company

Address: Heraklion Crete, Nr. 17, 25 Augoustou Str., P.C. 71202

Telephone – Fax: +30 2810 399800 - Fax: +30 2810 330308

CONTACT PERSON FOR PRIVACY AND PERSONAL DATA ISSUES

Andreas Lianeris, DPO

E-mail: dporequests@minoan.gr

ADRIATIC LINES (GREECE – ITALY)

JOINT CONTROLLERS: “MINOAN LINES Shipping S.A. Company” AND THE ITALIAN COMPANY “GRIMALDI GROUP S.p.A.” (Article 26 of the GDPR)

1. Name of Controller: MINOAN LINES Shipping S.A. Company

Address: Heraklion Crete, Nr. 17, 25 Augoustou Str., P.C. 71202

Telephone – Fax: +30 2810 399800 - Fax: +30 2810 330308

CONTACT PERSON FOR PRIVACY AND PERSONAL DATA ISSUES

Andreas Lianeris, DPO

E-mail: dporequests@minoan.gr

1. Name of Controller: GRIMALDI GROUP S.p.A.

Address: Via Emerico Amari, 8 – 90139, Palermo - Italy

Fax: +39 0815517401

E-mail: switchboard@grimaldi.napoli.it.

CONTACT FOR PRIVACY AND PERSONAL DATA ISSUES

Email: privacy@grimaldi.napoli.it

For further information regarding the processing of your personal data by GRIMALDI GROUP S.p.A., please refer to the articles “PERSONAL DATA PROCESSING FOR ADRIATIC LINES” and “PRIVACY POLICY FOR ADRIATIC LINES” below, as well as the following link: https://www.grimaldi.napoli.it/en/index.html on the “Privacy Policy” tab.

TYPES OF DATA COLLECTED

How does this Privacy Policy define “personal data”?

Personal data are data which identify you or could reasonably be used to identify you, are submitted to or collected by the website, and are maintained by MINOAN LINES in an accessible form. Indicatively, the personal data we collect during your use of this site are your name, postal address, e-mail address, phone number, and your credit card details for booking your ferry ticket.

For what purpose does MINOAN LINES collect my data?

As stated above, this Policy concerns the processing of personal data you provide us with through this site. The purposes of processing your personal data are:

1. finalizing your online ferry ticket reservation.
2. processing your requests, answering your questions when you contact us for various reasons.
3. sending newsletters for informational purposes after obtaining your consent

What type of data does MINOAN LINES collect electronically?

Personal data you submit: Most of our services do not require any form of subscription, allowing you to visit our site without the need to provide any personal information. MINOAN collects the personal data you enter into the data fields on the site. For example, you may enter your name, postal address, e-mail address and/or other details in order to book your ticket online.

Passive collection of other specific technical and navigation data: The website may collect information about your visits to it without you actively submitting such information. This information may include, for example, the type and language of your browser, your operating system, IP address, the URLs of the websites you visited before and after your visit to the website, the search that led you to the website, as well as the pages and ads you see and the links you click on our site. These data can be collected using various technologies, such as cookies, Internet tags, and web beacons. Your browser also automatically transmits some of these data, such as the URL of the site you just visited, and the version of the browser installed on your computer.

We explicitly state that when you subscribe to the newsletter of our websitehttps://www.minoan.gr, you will only be registered in the MINOAN newsletter and not in the GRIMALDI GROUP S.p.A. newsletter. Therefore, the personal data you provide us with through your subscription to the newsletter are collected only by MINOAN, the newsletters you receive will only come from MINOAN, and regarding the right to withdraw your consent to receive our newsletter (unsubscribe), you can only enforce it towards MINOAN.

PERSONAL DATA COLLECTION

What are the legal bases for processing my personal data?

The legal bases for the abovementioned processing purposes are:

a) the execution of your contractual relationship with GRIMALDI GROUP S.p.A. when booking a ferry ticket (art. 6 par. 1 subpar. B of the GDPR);

b) the compliance of both Joint Controllers with their legal obligations regarding the reservation of ferry tickets (art. 6 par. 1 subpar. C of the GDPR);

c) the fulfillment of the legitimate interests of both Joint Controllers regarding the handling of your requests when you contact us (art. 6 par. 1 subpar. F of the GDPR);

d) your explicit consent (art. 6 par. 1 subpar. A of the GDPR and art. 9 par. 2 subpar. A of the GDPR) e.g. subscription to our newsletter, processing the personal data of people with disabilities, etc., which you have the right to revoke at any time.

Does MINOAN share personal data with third parties?

MINOAN, as mentioned above, is a Joint Controller along with the Italian Group GRIMALDI GROUP S.p.A. (under Article 26 of the GDPR) with regard to the personal data of Adriatic Line passengers. This means that the personal data of the Adriatic Line passengers are collected (jointly) by both our company and GRIMALDI GROUP S.p.A., who both act as Controllers.

As far as its activity is concerned, MINOAN does not sell, share, disclose, transmit or distribute your personal data to third parties in any way, except in the case of the sale or transfer of a line, product, or part of the company, or in relation to a joint promotion program.

MINOAN is required to provide your personal data in response to formal requests from state authorities in case of national security situations or as otherwise required by law.

Which persons within MINOAN will have access to my personal data?

Personal information is accessible to a limited number of MINOAN employees. We train our employees on the importance of privacy and confidentiality as well as the way your data are subject to proper and safe handling and processing.

How does MINOAN guarantee the security of personal data?

MINOAN’s policy is to secure every website that collects personal data. To this end, it has cooperated with specialized consultants and employs trained personnel. However, the privacy of personal data transmitted over the Internet cannot be guaranteed. We urge you to be careful when transmitting personal data over the Internet, especially data related to your health. MINOAN cannot guarantee that unauthorized third parties will not gain access to your personal information. Therefore, when submitting personal information to MINOAN websites, you have to take into account both the benefits and the risks.

In addition, MINOAN websites covered by this Privacy Policy will display a warning message each time you sign in to a site that is not controlled by MINOAN or is not subject to the MINOAN Privacy Policy. You should check the privacy policies of these third-party sites before submitting personal information to them.

Does MINOAN LINES transfer personal data to different jurisdictions?

MINOAN does not keep the data on servers outside the Greek Territory.

How does MINOAN protect the privacy of children?

MINOAN does not collect or use – to its knowledge – any personal data of children (we define “children” as minors under the age of 18) on MINOAN websites. We do not allow children to order our products, contact us, or use any of our online services to our knowledge. If you are a parent and have realized that your child has provided us with information, please contact us through one of the methods provided below and we will cooperate with you to address the issue.

What are my rights with respect to the processing of my personal data?

The processing of your personal data is also connected to your respective rights, which, subject to any provisions limiting the exercise thereof, are:

• The right to information. You have the right to receive clear, transparent and comprehensible information about how we use personal data and what your rights are. To that end, we provide you with said information in this Statement of Privacy Policy and urge you to contact us for any clarifications.
• The right to access and correction. You have the right to access and correct your personal data at any time.
• The right to data portability. The personal data you have given us is portable. This means they can be moved, copied, or transferred electronically.
• The right to erasure. If you withdraw your consent to personal data processing at any time, you have the right to request that we erase your data.
• The right to data processing restriction. You can always restrict the scope and type of personal information that MINOAN receives in regard to your person by choosing not to enter any personal information into certain forms or data fields on its site. Some of our online services can only be provided if you enter the necessary personal information (for example, online ticket issuance). You may also be asked if you wish to be included in our contact lists for offers, promotions, and additional services that may be of interest to you.
• The right to withdraw consent. If you have provided your consent to the processing of your personal data (e.g. when you subscribe to our newsletter), you have the right to withdraw your consent at any time by contacting us with the information provided herein.
• The right to object to data processing for direct marketing purposes (e.g. receiving information e-mails from us).
• The right to file a complaint with the Personal Data Protection Authority. You have the right to file a complaint regarding the way we process your personal data directly with the local Supervising Authority for the Protection of Personal Data.

In the event that you exercise one of the afore-mentioned rights, we will take all reasonable measures to satisfy your request within a reasonable time period, at the latest within one (1) month from the verification of your submitted request, informing you in writing in regard to the resolution of said request, or the reasons that may be impeding your enforcing the right in question and/or the successful implementation of one or more of your rights, in accordance with the General Data Protection Regulation. Please note that, in some cases, it may not be possible to meet your relevant requests, such as when they are contrary to a legal obligation or impinge on a contractual legal basis for the processing of your data.

How can I exercise my GDPR rights?

In order to exercise your GDPR rights, namely the rights to update, access, correct, delete, restrict data processing, edit, transfer, oppose, and withdraw your consent, you can contact our company by e-mail: dporequests@minoan.gr, as well as the DPO of our company, Mr. Andreas Lianeris at the address: Heraklion Crete, 17 25 Augoustou Str., P.C. 71202.

Adriatic Line passengers especially can contact both our company and GRIMALDI GROUP S.p.A.. We wish to clarify that enforcing your rights towards our company does not in any way prevent you from enforcing your rights towards GRIMALDI GROUP S.p.A. and vice versa.

As stated in the articles “PERSONAL DATA PROCESSING FOR ADRIATIC LINES” and “PRIVACY POLICY FOR ADRIATIC LINES” below, in order to exercise your GDPR rights towards GRIMALDI GROUP S.p.A., you can contact the DPO of the Group at the e-mail address: dpo@grimaldi.napoli.it., as well as at: privacy@grimaldi.napoli.it.

In the event that you believe that any of your rights or legal obligations of our company regarding Personal Data protection have been violated but, even though you contacted the Data Protection Officer (DPO) of our company regarding this matter thus exercising your rights towards the Company, you did not receive a response within one month (extending the deadline to two months in case of a complex request) or you deemed the response you received from the Company unsatisfactory since your issue was not resolved, you have the option to file a complaint with the Greek supervising authority i.e. the Hellenic Data Protection Authority (HDPA), 1-3 Kifissias Av., PC 115 23 Athens; e-mail: complaints@dpa.gr; Fax 2106475628.

Adriatic Line passengers can also submit a complaint to the competent Italian supervising authority (Garante per la protezione dei dati personali), Piazza Venezia 11 - 00187 Rome; Tel: + 39-06-6967 71; Fax: + 39-06-6967 73785; e-mail: protocollo@pec.gpdp.it &urp@gdpd.it

CONTACT INFORMATION AND PRIVACY POLICY UPDATES

How will I know if MINOAN has updated this privacy policy?

Our Privacy Policy will be renewed in order to meet legislative and technological developments. Any change will be communicated to you by a notice posted in a prominent spot on our site.

CONTACT PERSON FOR PRIVACY AND PERSONAL DATA ISSUES

Andreas Lianeris, DPO

Email: dporequests@minoan.gr

INFORMATION ON PERSONAL DATA PROTECTION ADRIATIC LINE

INFORMATION ON PERSONAL DATA PROTECTION

Glossary -Definitions pursuant to Legislative Decree no. 196/2003 and EU Reg. no. 679/2016

1. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 

1. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future; 

1. “identification data” means personal data allowing a data subject to be directly identified;

1. ‘sensitive data’ means personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life;

1. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status; 

1.  ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

1. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

1.  ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation; 

1.  ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing; 

1. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

1. ‘communication’ means disclosing the personal data to one or more identified entities other than the data subject, the data controller’s representative in the State territory, the data processor and persons in charge of the processing in any form whatsoever, including by making available or interrogating such data;

1. ‘dissemination’ means disclosing personal data to unidentified entities, in any form whatsoever, including by making available or interrogating such data;

1. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

1. ‘cross-border processing’ means either:
   1. processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State;
   2. processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

***

With the coming into force of the EU Regulation no. 679/2016, “relative to the protection of natural persons as regards the processing of personal data, as well as the free circulation of such data and abrogating the directive 95/46/EC”, Grimaldi Group S.p.A., as Data Controller, is bound to provide information concerning the methods and purposes of processing personal data.

For information regarding the cookie policy adopted by Grimaldi Groups S.p.A for this website, we refer you to the following link: https://www.grimaldi-lines.com/it/page/cookie

The table below gives a brief summary of the content of the information notice subsequently provided.

TheData Controller has designated a Data Protection Officer (DPO), having specialist knowledge of legislation and standard practices in the matter of data protection, who is therefore qualified to perform the tasks as per Article 39 of the Reg. EU 679/2016.

1. Subject of the processing

We hereto inform you, pursuant to Art. 13 GDPR,that the identification personal data, sensitive or not (i.e. name, surname,tax ID, VAT number, e-mail, telephone no. etc.) provided by you to this Company, or otherwise acquired by the same in compliance with the current legislative and contractual provisions- concerning, related and/or instrumental to the maritime transport contract -may be subject to processing in compliance with the aforementioned legislation and requirements of confidentiality.

The processing operations concern:

• passengers’ personal details;
• data relating to professional categories - i.e. membership of professional registers, Police forces – or participation in loyalty or association programmes entered into with third parties – e.g. Trenitalia, Payback, Telepass, Poste Italiane, ACI etc. (to obtain discounts on the services offered by the company).

We remind you, moreover, that the processing of certain sensitive data is provided for by Article 9 of the EU Regulation:

• data provided by you, if any, about special needs related to your state of health.

Such sensitive personal data is provided on a voluntary basis. In this regard, we inform you that the acquisition and processing of such data will not only allow us to better meet your needs, but also to achieve the purpose envisaged in the Circular of the Ministry of Infrastructure and Transport no. 104/2014, namely “collecting passenger information and data [...] to facilitate search and rescue operations and optimise the resources needed to cope with an SAR event".

1. Purposes of the processing which the data is intended for (art. 24 letters a, b, c Personal Data Protection Code and art. 6 letter b, and GDPR)

Such data will be processed for purposes related to the mutual obligations deriving from the maritime transport contract in force with you.

In particular, the data will be processed:

1. to manage requests for quotes;
2. to conclude, manage and carry out the operations related to the maritime transport contract;
3. to send logistical information about the journey (e.g. delays, departure quay, etc.);
4. to organize internal events on board ship;
5. to supply on board ship the products and services purchased;
6. to extract statistical information, in anonymous form;
7.  to transmit your data to shipping agents, terminals and port authorities, judicial authorities and police forces.

We also hereto inform you that if you call our Contact Center,the calls may be listened to, after voice masking applications (morphing), for quality monitoring purposes.

1. Data processing methods (Art. 4 Personal Data Protection Code and Art. 5 GDPR)

We also inform you that the personal data concerning you will be processed, including using electronic means, in compliance with the methods indicated in the GDPR, which provides, among other things, that the data must be:

• processed according to the principles of lawfulness, transparency and fairness;
• collected and recorded for specific, explicit and legitimate purposes (“purpose limitation”);
• adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
• accurate and kept up to date (“accuracy”);
• kept for no longer than is necessary for the purposes for which the personal data are processed («retention limitation»);
• processed in a manner that ensures appropriate security and confidentiality, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage ('integrity and confidentiality').

Personal data is stored according to the following table.

1. Legal basis

The legal basis of the processing listed above from point 1 to point 5 of paragraph 2 “Purpose of the processing for which the data are intended” is reflected in the fulfilment of contractual obligations, pre-contractual and statutory measures in order to manage the maritime transport contract.

For point 7 of paragraph 2 “Purpose of the processing for which the data are intended” , the legal basis of the processing is reflected in the fulfilment of legal obligations to which the Data Controller is subject and in the public interest of safety in ports.

1. Transfer of data

Please note that your data may be disclosed, as well as to other companies belonging to the Grimaldi Group, also to entities established in third countries, even outside the territory of the European Union, subject to compliance with specific procedures.

With reference to EU countries, your data may be disclosed to the Port Authorities, Judicial Authorities, and Police Forces, Shipping Agents and Terminals situated in Spain, Greece, Germany, Belgium, Ireland, Portugal, Cyprus, Sweden and Denmark.

As regards non-EU countries, the data may be transferred to the above recipients working in Great Britain, Tunisia, Morocco, Turkey, Israel, Brazil, Uruguay, Argentina, Senegal, Benin, Nigeria, Ghana, Ivory Coast, USA and Canada.

In particular, the communication of your data to shipping agents is envisaged since the same act as representatives of the shipowner in forwarding data to the Authorities.

With reference to the Terminals, however, there is an obligation under which the same must carry out particular checks on persons and things intended for boarding or disembarking. This means that the shipowner is obliged to communicate passenger data to the Terminal in advance, which in compliance with the security procedures is required to communicate the data received to the Competent Authorities (e.g. Harbour Master, Border Police, Financial Police and Customs).

In addition, Grimaldi Group S.p.A. may communicate the passenger data to the Authorities mentioned above directly.

With reference to transfers that may take place in countries such as Israel, Uruguay, Argentina, the USA and Canada, the European Commission has expressed itself by legitimising the transfer with appropriate adequacy decisions pursuant to Article 25 paragraph 6 of Directive 95/46/EC.

In other countries, however, the transfer of data will be regulated by the contractual relationships between Grimaldi Group S.p.A. and the Shipping Agents and Terminals concerned at the time on the basis of the Standard Contractual Clauses referred to in Art. 26 paragraph 4 of Directive 95/46/EC.

1. Communication of data

We also inform you that the aforementioned processing of personal and sensitive data concerning, related and/or instrumental to the maritime transport contract may provide for access to the above data by:

1. Public Authorities pursuant to the Circular of the Ministry of Infrastructure and Transport no. 104/2014 in compliance with Directive 98/41/EC (i.e. harbour master and port authority);
2. Judicial Authorities and Police Forces;
3. Ticket Offices, Terminals and Shipping Agents for the organisation of boarding/disembarkation activities;
4. Catering companies, for the supply of products and services on board ship;
5. External companies dealing with the organisation of events on board ship;
6. Companies with which you have subscribed to loyalty or association programmes – e.g. Trenitalia, Payback, Telepass, Poste Italiane, ACI etc. – which, under the agreement with Grimaldi Group S.p.A., assure you access to discounts on services offered by the company;
7. Legal practices, in the event of disputes arising;
8. Insurance companies both when booking tickets and filing a claim;
9. Appraisers during the claim phase;
10. Companies, including those belonging to the Grimaldi, Group providing other essential services for the maritime transport service or for carrying out marketing activities, such as hosting websites and web systems, e-mail services, marketing, sponsorship of competitions and other promotions, audit services, data analysis, market research and customer satisfaction surveys.

The need to communicate passenger data to the authorities referred to in point 1 arises from the obligation to count and register persons on board passenger vessels, referred to in the Circular of the Ministry of Infrastructure and Transport No 104/2014.

It may be necessary for us - in relation to laws, legal proceedings, disputes and/or requests made by public or governmental authorities within or outside your country of residence, national security purposes or other issues of public importance - to communicate your personal data. Whenever legally permitted, we will inform you before such communication.

We may also communicate your personal data if we establish in good faith that such communication is reasonably necessary to enforce and protect our rights and activate the available remedies.

1. Data Subject’s Rights (Art. 7 Personal Data Protection Code and Art. 15 - 21 GDPR)

Lastly, we inform you that the data subject may, at any time, exercise the rights:

1. access to personal data, requiring that such data be made available to you in an intelligible form, as well as the purposes of the processing (former Art. 15);
2. to obtain the rectification (former Article 16) or the erasure (former art. 17) of the same or the limitation of processing (former Art. 18);
3. to obtain the portability of such data (former Art. 20);
4. to object to the processing of personal data (former Art. 21);
5. to lodge a complaint with a competent supervisory authority.

The above rights may be exercised by contacting the following e-mail address privacy@grimaldi.napoli.it.

In this regard, we also inform you that the Data Protection Officer (DPO) appointed by the Company can be contacted at the following e-mail address: privacy@grimaldi.napoli.it

1. Provision of data and consequences of possible refusal

The provision of data is necessary for the correct performance of contractual and pre-contractual obligations which we are required to perform; failure to provide the same will make it impossible for us to conclude the maritime transport contract requested by you, as well as to correctly fulfil the legal obligations and those arising from the public interest concerning safety in ports.

1. Soft spam

We inform you that we may use your e-mail address to market services similar to those which you have purchased. In this regard please note that you may exercise the right to oppose such processing at any time, by sending a request to the following e-mail address privacy@grimaldi.napoli.itand by clicking on the appropriate link in the emails sent to you at the time .

PRIVACY POLICY ADRIATIC LINE

The purpose of this document is to provide users of the websites www.grimaldi-lines.com and booking.grimaldi-lines.com (collectively, the “Website”) with some information on the processing of personal data carried out through the Website by the companies:

• Grimaldi Group S.p.A., having its registered office in Palermo, at Via Emerico Amari n. 8, 90139, Tax Code/VAT Number 0117240820 (“Grimaldi Group”);
• Grimaldi Euromed S.p.A., having its registered office in Palermo, at Via Emerico Amari n. 8, 90139, Tax Code/VAT Number 00278730825 (“Grimaldi Euromed”); and
• Grimaldi Deep Sea S.p.A., having its registered office in Palermo, Via Emerico Amari n. 8, 90139, Tax Code/VAT Number 04068550823 (“Grimaldi Deep Sea” and, together with Grimaldi Group and Grimaldi Euromed, also referred to as the “Companies”).

The Companies act as independent data controllers or joint data controllers, as indicated in this policy from time to time.

The Companies have adopted specific cookie policies with reference to the processing of personal data carried out by means of cookies installed on the Website.

For the cookie policy of the website www.grimaldi-lines.com click here;

for the cookie policy of the website booking.grimaldi-lines.com click here.

1. INFORMATION ON THE PROCESSING ACTIVITIES CARRIED OUT THROUGH THE WEBSITE

A. Sending of informative and promotional communications and/or messages (newsletters)

The Website may process the user’s contact data in order to send informative and/or promotional communications on the activities and latest promotions of the Grimaldi Group, subject to the user’s free subscription to the newsletter service and consent to the processing of his/her personal data for such purposes

NOTICE REGARDING THE PROCESSING OF USERS’ PERSONAL DATA FOR THE PURPOSE OF SENDING COMMERCIAL COMMUNICATIONS (NEWSLETTERS)

1. Data controller and scope of the processing

Grimaldi Group, as data controller, is required to provide you with some information regarding the methods and purposes relating to the processing of personal data, pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”).

The processing operations concern Your personal and contact data (i.e. name, surname, e-mail, telephone number, etc.) and, possibly, data related to Your preferences in case You give Your consent collectively the “Personal Data”.

1. Purpose and legal basis of the processing

Personal Data will be processed, based on your consent pursuant to art. 6, paragraph 1, letter a of the GDPR, for purposes related to the execution of your request for subscription to the newsletter managed by Grimaldi Group. In particular, your Personal Data will be processed:

1. for sending communications via e-mail, for promotional purposes and general marketing;
2. for profiled marketing activities and the sending of communications by e-mail, if You have given Your consent for this purpose;
3. for the extraction of statistical information anonymously.

With reference to letter b), it should be noted that Article 4 of the GDPR defines profiling as “any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person”. Therefore, it can be considered as an activity aimed at collecting and processing data relating to its customers, in order to divide them into groups according to their behaviour. If you give Your consent, Your Personal Data may be processed in order to trace a “history” of Your business relationship with the Grimaldi Group (for example, the different “touch points” with the Grimaldi Group, the interaction modalities You used, your purchasing preferences and frequency, and what your goals might be based on performance indicators). This activity aims at elaborating a profile of Yours in order to personalize the offer of services and eventual specific services requested by You.

1. Right to object

In relation to the purpose described in letter a) of the preceding paragraph, you have the right to object at any time to the processing of your Personal Data carried out for the described purposes, by sending a request to the e-mail address indicated below in the paragraph “Rights of the data subject”, as well as using the channel that will be indicated in the communications that you will receive, or by clicking on the appropriate link in the e-mails that will be sent to you.

1. Disclosure of Personal Data and retention times

Personal data shall be retained 24 months from registration to the newsletter for general marketing purposes and 12 months from obtaining the consent for profiled marketing.

We would also like to inform You that Your Personal Data may be made accessible to other companies, including those not belonging to the Grimaldi Group, that provide services essential to the performance of marketing activities, even subject to Your explicit consent, such as the hosting of websites and web systems, e-mail services, sponsorship of competitions and other promotions, audit services, data analysis, market research and satisfaction surveys.

It may be necessary for Grimaldi Group – based on laws, legal proceedings, disputes and/or requests made by public or governmental authorities inside or outside your country of residence, national security purposes or other matters of public importance – to disclose Your Personal Data. When legally possible, we will inform you prior to the disclosure.

We may also disclose your Personal Data to additional third parties if we determine in good faith that such disclosure is reasonably necessary to enforce and protect the rights of the Grimaldi Group and to pursue available remedies.

B. Booking of passenger tickets on Grimaldi ships

The necessary information may be collected through the Website (including, by way of example but not limited to: name; surname; date of birth; identification document; data relating to particular assistance needs on board; etc.) in order to proceed with the request for booking tickets on Grimaldi ships by the user (also on behalf of third parties). Such processing may also take place through the chatbot service offered by the Website to facilitate the user in the booking process.

INFORMATION ON THE PROCESSING OF PASSENGERS’ PERSONAL DATA

The table below provides a brief summary of the information reported on the next page.

1. Data controller and scope of data processing

We inform You, according to art. 13 GDPR, that the personal data, identification data (i.e. name, surname, nationality, gender, e-mail, telephone number and, if You request the issuance of an invoice, also address, tax code and VAT number) and possibly belonging to special categories (i.e. data related to health), provided by You to Grimaldi Group during the stipulation of the contract of carriage by sea, will be processed in compliance with the above mentioned law and the obligations of confidentiality. All data of natural persons identified as passengers (i.e. persons who use the travel ticket) will be processed. The booking holder undertakes to inform all passengers on whose behalf the booking is made of the content of this notice. Personal data relating to a third party that you may have indicated and identified as an emergency contact may also be processed.

Data processing operations concern the following:

• personal data and contact details of passengers;
• contact details of third parties identified as emergency contacts, if requested by the passenger
• data concerning membership of professional categories – i.e. membership of professional associations, police forces – or membership of loyalty or association programs signed with third party companies – e.g. Trenitalia, Payback, Telepass, Poste Italiane, ACI etc. (to obtain discounts on services offered by the company).

We also remind You that the processing may concern the following data belonging to special categories pursuant to art. 9 of the GDPR, if spontaneously provided by passengers in order to take advantage of special assistance on board or if otherwise processed by on-board personnel in the event of emergencies and/or accidents to the passenger’s person during navigation:

• information about a limitation of one’s mobility;
• Information about disabilities;
• information about particular health conditions;
• information about any special needs of the passenger in relation to any treatment that may be necessary in case of emergency, due to the state of health of the passenger.

Grimaldi Group does not guarantee or provide information about the processing of your personal data that may be carried out through additional contact channels with Grimaldi Group managed by third parties (eg. Facebook), which remain the sole responsibility and ownership of such third parties.

1. Purposes of data processing

Dati not belonging to particular categories will be processed for the following purposes:

1. management of requests for quotes;
2. conclusion, management and execution of the operations related to the contract of carriage by sea, including Your identification, also through the chatbot service activated by Grimaldi Group;
3. communications (also by telephone, also through re-contact by the Grimaldi Group call center in case of missed calls by the passenger) of logistical information on the trip and/or generally useful to the passenger to face the departure (e.g. delays, departure pier, organization on board, etc.);
4. on-board communications;
5. provision of purchased products and services aboard ship;
6. extraction of statistical information anonymously;
7. transmission of your data to maritime agencies, terminals and port authorities, judicial authorities and law enforcement agencies;
8. contact of third parties indicated as “emergency contacts”, pursuant to Directive (EU) 2017/2109;
9. sending communications by e-mail, for promotional and marketing purposes, if you have given Your consent for this purpose (“generic marketing”);
10. sending communications via email, for promotional, marketing and/or brand reputation protection purposes, as a result of profiling, if you have given your consent for this purpose (“profiled marketing”);
11. sending of questionnaires anonymously for the purpose of improving the services offered by the Grimaldi Group, as well as sending information relating to: (a) the operational organization of the Grimaldi Group (even if not related to the trip purchased by the interested party); (b) products/services similar to those chosen by the passenger (including, by way of example and not limited to: offers for trips similar to those purchased; offers for travel insurance; etc.. ); as well as (c) offers, discounts, rewards and / or promotions of third party partners of the Grimaldi Group, which Grimaldi Group has an interest in offering to its passengers in the context of gifts and / or promotional initiatives reserved for passengers (including, by way of example and not limited to, in the case of co-marketing initiatives, which allow Grimaldi Group to include coupons with offers of third parties on the back of Your ticket, etc.). In the latter case, no promotional communication will be made to you by the partners of the Grimaldi Group, nor any transfer of your personal data to such partners, unless you give your explicit and informed consent in this sense.

Finally, in relation to point 10, we inform you that Article 4 of the GDPR defines profiling as “any form of automated processing of personal data consisting in the use of such personal information to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects of personal preferences, interests, behaviour, sensitivity to commercial offers, the location or movement of that natural person”. Therefore, it can be considered a personal data processing activity that consists in dividing customers into homogeneous groups according to their behavior. If you give Your consent, Your Personal Data may be processed in order to trace a “history” of Your business relationship with the Grimaldi Group (for example, the different “touch points” with the Grimaldi Group, the interaction modalities You used, the preferences and the purchase frequency may be taken into consideration). This activity aims at elaborating a profile of Yours in order to personalize the offer of services and eventual specific services requested by You. If you decide to participate in Grimaldi Group brand reputation initiatives, we may process your data to reserve you ad hoc promotions.

It is understood that the activities referred to in paragraphs 9, 10 and 11 above will be carried out only on the personal contact data of the booking holder, i.e. the person who provided his or her e-mail address during the booking process.

Data belonging to special categories will be processed for the following purposes:

1. guaranteeing passengers who so request the use of special assistance on board;
2. in case of emergency and/or accident of the passenger on board, guaranteeing passengers who so request special care and/or assistance due to their state of health;
3. apply any special discounts that may be provided for disabled persons and their companions, if the passenger has given his or her consent for this purpose.
4. Retention of personal data

Personal data are retained according to the table below, unless specific legal and/or regulatory obligations or the need to defend a Grimaldi Group right in court require different retention periods:

1. Legal basis

The legal basis for the processing operations listed above in paragraph 2, numbers 1 to 7, is the need to execute an agreement or pre-contractual measures in the interest of each passenger (Art. 6, paragraph 1, letter b, GDPR), as well as the need to comply with a legal obligation to which the data controller is subject (Art. 6, paragraph 1, letter c, GDPR).

The legal basis for the processing operations listed above in paragraph 2, number 8 , consists in the need to fulfil a legal obligation to which the data controller is subject (Art. 6, paragraph 1, letter c, GDPR).

The legal basis for the processing operations listed above in paragraph 2, numbers 9 and 10, is Your consent (Art. 6, para. 1, letter a, GDPR).

The legal basis for the processing operations listed above in paragraph 2, number 11, is the legitimate interest of the Grimaldi Group (Art. 6, paragraph 1, letter f, GDPR). In the event that the Grimaldi Group sends you electronic communications regarding products/services similar to those you have chosen, the legal basis is the application of art. 130, paragraph 4, of Legislative Decree no. 196/2003.

You will in any case have the right to object, at any time and at no cost, to the processing activities referred to in paragraph 2, numbers 9, 10 and 11 (limited to the activity of soft spam), even revoking the consent given, by sending a request to the e-mail privacy@grimaldi.napoli.it, as well as using the channel that will be indicated in the communications that you will receive, or by clicking on the appropriate link in the e-mails that will be sent to you.

The legal basis for the processing operations listed above in paragraph 2, numbers 12 and 13, is found in the existence of grounds of substantial public interest based on the law of EU or of Member States, which must be proportionate to the purpose pursued, respecting the essence of the right to data protection and providing for appropriate and specific measures to protect the fundamental rights and interests of the data subject, as well as in the purpose of the provision of healthcare on board (Art. 9, paragraph 2, lett. g and h GDPR).

Finally, the legal basis for the processing operations listed above in paragraph 2, number 14, is the consent of the passenger (Art. 9, paragraph 2, letter a, GDPR).

1. Data transfer

Please note that passenger data may be communicated not only to other companies belonging to the Grimaldi Group, but also to entities established in third countries, even outside the territory of the European Union, in accordance with the principles established by the Regulation.

In particular, the communication of the data to shipping agencies is foreseen as these agencies act on behalf of the shipowner to transmit the data to the Authorities.

The shipowner is also required to communicate passenger data in advance to the terminal which, in compliance with security, will be responsible for communicating the data received to the competent Authorities (e.g. Port Authority, Border Police, Financial Police and Customs).

In addition, Grimaldi Group can directly communicate passengers data to the above mentioned Authorities

1. Disclosing your data

We also inform you that the aforementioned processing of personal and sensitive data inherent, connected with and/or instrumental to the maritime transport agreement, may provide for access to such data by:

1. Public authorities pursuant to the Circular of the Ministry of Infrastructure and Transport No. 104/2014 in compliance with Directive 98/41/EC (i.e. harbor master’s office and port authority);
2. Ministry of Infrastructure and Transport – General Command of the Port Authority Corps;
3. Judicial authorities and Police Forces, even when such communication is deemed reasonably necessary by the Grimaldi Group to ascertain or defend its own right;
4. On-board doctor, in case of emergencies and/or personal injury to the passenger;
5. Ticket offices, terminals and shipping agencies for the organization of embarkation/disembarkation operations;
6. Catering companies, for the supply of products and services on board ship;
7. External companies involved in the organization of events on board ship;
8. Companies with which you have subscribed to loyalty or membership programs – e.g. Trenitalia, Payback, Telepass, Poste Italiane, ACI, etc. – which, by virtue of an agreement with the Grimaldi Group, guarantee you access to discounts on services offered by the company;
9. Legal firms, should disputes arise;
10. Insurance companies both when booking tickets and making claims;
11. Experts dealing with complaints;
12. Companies, including those not belonging to the Grimaldi Group, which provide other services essential to the provision of maritime transport or the performance of marketing activities, including those subject to your express consent, such as the hosting of websites and web systems, e-mail services, marketing, sponsorship of competitions and other promotions, audit services, data analysis, the conduct of market research and satisfaction surveys.

The need to communicate passenger data to the authorities referred to in point no. 1 stems from the requirement to count and register people on board passenger ships, which is the subject of Ministry of Infrastructure and Transport Circular No. 104/2014.

The data relating to the emergency contact reported by passengers as well as the data relating to particular categories provided for the provision of special care and/or assistance in the event of an emergency, will be communicated, before departure or in any case no later than 30 minutes after departure, to the captain and the commissioner of the ship where the passenger is and in any case included by Grimaldi Group in the single national interface provided in accordance with Directive (EU) 2017/2109 in order to ensure the preparation and effectiveness of search and rescue operations at sea.

It may be necessary for Grimaldi Group – based on laws, legal proceedings, disputes and/or requests made by public or governmental authorities inside or outside your country of residence, national security purposes or other matters of public importance – to disclose your personal data. When legally possible, we will inform you prior to the disclosure.

We may also disclose personal data if we establish in good faith that it is reasonably necessary to assert and protect our rights and activate available remedies.

1. Nature of data provision and consequences of any failure to comply

The communication of data not belonging to particular categories (with the exception of the data relating to the emergency contact that may be indicated) is necessary for the exact execution of the contractual and pre-contractual obligations to be fulfilled by us, and failure to indicate such data will make it impossible to conclude the sea transport contract you have requested, as well as to exactly fulfil the legal obligations and those deriving from the public interest to protect safety in ports.

Communication of data relating to the passenger’s “emergency contact” is, on the other hand, optional: failure to provide such data will therefore have no impact on the conclusion of the sea transport contract requested.

The communication of data belonging to special categories is optional. However, if such data will be provided, Grimaldi Group will be able to better meet the needs of passengers and provide them with the necessary assistance, as well as apply – in the cases and ways provided – the special discount applied.

1. Grimaldi chatbot assistance

You will be able to proceed with the booking request also with the help of Grimaldi chatbot (the software support provided by an external supplier and contracted by Grimaldi Euromed to simulate a conversation with a human being (chatbot)).

Grimaldi chatbot collects the following personal data of passengers: name, surname, cell phone number, e-mail address, departure date, route, booking confirmation number. This personal data processing activity is carried out in order to allow you to book your ticket and/or to receive assistance for an already booked ticket with greater ease, and is lawful on the basis of the execution of pre-contractual measures put in place in the interest of passengers (art. 6, paragraph 1, letter b, of the GDPR).

Grimaldi chatbot is programmed to respond as if it were a human being: it uses algorithms for natural language processing, as well as machine learning processes to learn from other users the answers that could be useful to You. The human operator may still intervene if you do not receive your ticket and/or if you have problems with the payment of your ticket.

The messages you send are saved on the database of the owner, and are made anonymous after 2 years of their acquisition. These data will not be transferred outside the territory of the European Union.

Grimaldi Group does not guarantee or provide information about the processing of personal data of passengers that may be carried out through additional contact channels with Grimaldi Group managed by third parties (eg. Facebook), which remain the sole responsibility and ownership of such third parties.

1. Changes to this document

Grimaldi Group reserves the right to update the content of this notice regarding the processing of personal data of its passengers in accordance with applicable national legislation on personal data protection. Any news related to the updating of this information notice will be communicated to the interested parties in the manner defined by Grimaldi Group.

C. Sending complaints against the services offered by Grimaldi Group companies

The website may be used to process personal and contact data (including data relating to the identity document), data relating to the payment method used to obtain any compensation, data identifying the trip and/or the transport contract (where applicable) in the event that the user intends to submit (on his own behalf and/or on behalf of another third party) a complaint to the attention of the manager of the transport service purchased by the user from the Grimaldi Group.

INFORMATION ON THE PROCESSING OF PERSONAL DATA OF USERS WHO WISH TO MAKE A COMPLAINT

1. Data controller and scope of data processing

This information is provided by the company Grimaldi Group as data controller pursuant to and for the purposes of Article 13 of Regulation (EU) 2016/679 (“GDPR”) in order to provide you with certain information regarding the processing of personal data carried out for the purpose of handling the complaint submitted by you on your own behalf and/or on behalf of another third party (the “Complaint”). If You submit the Complaint on behalf of a third party, You agree to disclose the contents of this Notice to the third party.

The processing relates to the common personal data relating to You and/or to the third party on whose behalf the Complaint is lodged (the “Data Subjects”), including but not limited to: personal and contact details (including identity document details), details of the payment method by which compensation may be obtained as a result of the Complaint, travel and/or transport contract identification (where applicable), etc. (the “Personal Data”).

1. Purpose and legal basis of the processing

The processing of Personal Data is aimed at the management of the Complaint, and is lawful based on the fulfilment of obligations of a contractual or pre-contractual nature existing with the Interested Parties as well as the fulfilment of legal obligations arising for the Grimaldi Group from the Complaint (art. 6, paragraph 1, letter b, c, of the GDPR). The provision of Personal Data is necessary: without Personal Data, it will not be possible to process the Complaint.

1. Disclosure of Personal Data and retention times

Personal Data may be communicated to other companies of the Grimaldi Group, to consultants and/or suppliers of the Grimaldi Group where necessary for handling the Complaint (including, by way of example, legal consultants), as well as to the Judicial Authorities and/or other Authorities required by law. Personal data will not be transferred outside the territory of the European Union.

Personal Data will be deleted 24 months after the processing of the Complaint, unless specific obligations imposed by the law and/or regulations and/or applicable circulars and/or competent Authorities require a different retention period, or a longer retention period is necessary to defend a right of the Grimaldi Group or of the other companies of the Grimaldi Group in court and/or in a preliminary phase of proceedings.

D. Conclusion of the contract of carriage of goods (so-called “cargo”) and issue of the “Driver Card”

The Website may collect and process personal data and contact details of the user necessary for the conclusion, management and execution of the contract of carriage of goods, as well as to manage the request, issuance and subsequent obligations related to these activities of the “Driver Card”.

NOTICE REGARDING THE PROCESSING OF PERSONAL DATA IN CONNECTION WITH CONTRACTS FOR THE TRANSPORTATION OF GOODS AND THE ISSUANCE OF “DRIVER CARDS”.

1. Data controller and scope of data processing

This notice is provided by the company Grimaldi Euromed as data controller, pursuant to and for the purposes of Article 13 of Regulation (EU) 2016/679 (“GDPR”).

The processing operations concern personal and contact data of Shipper, Consignee and Notify, Customers, Invoice Payer and Driver (the “Personal Data”).

1. Purpose and legal basis of the processing

Personal Data will be processed for purposes related to the obligations arising from the contract of carriage of goods or the issuance of the “Driver Card”. Data will be processed for the following purposes:

1. to manage requests for quotes;
2. to conclude, manage and execute the operations related to the contract of carriage of goods;
3. to send logistical information about the trip (e.g. delays, departure pier, etc.);
4. to transmit data to maritime agencies, terminals and port authorities, law enforcement and judicial authorities;
5. to manage “Driver Card” issue requests;
6. to manage the “Driver Cards” issued;
7. to guarantee the benefits provided by the “Driver Card” to the companies providing the services covered by the agreement;
8. To extract anonymous statistical information.

The legal basis of the processing operations listed above from point 1 to point 3 is found in the fulfillment of contractual obligations, pre-contractual and legal measures in order to manage the maritime transport contract (Art. 6, paragraph 1, letter b, of the GDPR).

For point 4, the legal basis of the processing is found in the fulfilment of legal obligations to which Grimaldi Euromed is subject and in the public interest in the protection of safety in ports (Art. 6, paragraph 1, letter c, of the GDPR).

For the points 5, 6, 7 and 8 the legal basis of the treatment is found in the execution of pre-contractual measures adopted at the request of the person concerned, in the fulfillment of legal obligations in order to manage the process of issuing the “Driver Card” and the use by the interested parties of the benefits provided by the card, as well as in the legitimate interest of Grimaldi Euromed to the management of the “Driver Card” itself (art. 6, paragraph 1, lett. b, c, f, of the GDPR).

The provision of Personal Data is necessary for the proper performance of contractual and pre-contractual obligations of Grimaldi Euromed and failure to provide them makes it impossible to process your requests related to entering into a contract of carriage of goods, the issuance and management of the “Driver Card”, as well as to fulfil exactly the legal obligations and those arising from the public interest to protect safety in ports.

1. Disclosure of Personal Data and retention times

Personal Data are stored according to the following table.

Please note that Personal Data may be communicated not only to other companies belonging to the Grimaldi Group, but also to entities established in third countries, even outside the territory of the European Union, with the compliance of appropriate procedures and within the scope of the aforementioned purposes.

It may also be necessary for the Grimaldi Euromed – based on laws, legal proceedings, disputes and/or requests made by public or governmental authorities inside or outside the State of residence of the data subject, national security purposes other matters of public importance – to disclose personal data. When legally possible, we will inform the data subject prior to such disclosure.

We may also disclose personal data if we establish in good faith that it is reasonably necessary to assert and protect our rights and activate available remedies.

E. Receiving and analysing the curriculum vitae of candidates for employment with the companies of the Grimaldi Group

The Website may collect and/or process the user’s personal data and contact details, as well as data relating to the user’s professional career and any data included in the curriculum vitae provided, necessary for the evaluation of the user’s professional profile in light of any job openings with the companies of the Grimaldi Group, as indicated in the “Work with us” section of the Website.

NOTICE REGARDING THE PROCESSING OF PERSONAL DATA OF APPLICANTS FOR EMPLOYMENT WITH THE COMPANIES OF THE GRIMALDI GROUP

1. Joint data controllers and scope of data processing

This information is provided, pursuant to and for the purposes of Article 13 of Regulation (EU) 2016/679 (“GDPR”, by the companies Grimaldi Group, Grimaldi Euromed and Grimald Deep Sea, as joint data controllers, pursuant to the agreement signed between them on 21 May 2018, in managing the application and selection process of employees (the “Joint Data Controllers”).

Pursuant to Article 26 GDPR, the aforementioned Joint Data Controllers have established, by means of an internal agreement, their respective responsibilities, for the “HR – Staff” and “Crew” areas, regarding compliance with the obligations arising from the GDPR.

Data processing operations may concern the following:

• personal data and relevant photographs
• information related to previous work activities and training courses.

In order to manage the application and the eventual selection process, it may also be necessary to process special categories of data pursuant to art. 9 of the GDPR (e.g. data revealing racial or ethnic origin, religious or philosophical beliefs, trade union membership, as well as data concerning health) provided by the candidate. The provision of such data is optional. The acquisition and processing of such data will be necessary in order to fulfil the obligations and exercise the specific rights of the Joint Data Controllers or the person concerned in the field of labour law and social security and social protection.

The personal data of the candidates processed by the Joint Data Controllers are, collectively, the “Personal Data”.

The provision of Personal Data is necessary for the management of the application, and failure to provide such data, or the request for their deletion during the selection phases, will make it impossible to proceed with the evaluation of the application and to fulfil exactly the legal obligations and those arising from the applicable national collective labour agreements.

2. Purposes and legal basis of the processing

Personal Data are processed for purposes related to the implementation of activities prior to the signing of the employment contract, based on Article 6, paragraph 1, letter b) of the GDPR.

In particular, Personal Data will be processed:

– for managing applications and the personnel selection process;

– for the extraction of statistical information, anonymously.

3. Disclosure of Personal Data and retention times

Personal Data will be kept for 2 years from the application date for administrative staff and for 3 years from the application date for maritime staff, in order to contact the candidate with regard to further open positions.

Personal Data will not be communicated to third parties, with the exception of companies that provide processing or computer services to the Joint Data Controllers or that carry out activities instrumental to such service, which, in the performance of such activities, may have access to Personal Data.

It may also be necessary for the Joint Data Controllers – based on laws, legal proceedings, disputes and/or requests made by public or governmental authorities inside or outside the State of residence of the data subject, national security purposes other matters of public importance – to disclose personal data. When legally possible, we will inform the data subject prior to such disclosure.

We may also disclose personal data if we establish in good faith that it is reasonably necessary to assert and protect our rights and activate available remedies.

F. Managing and improving the Website performance

The Website may collect and process any personal data voluntarily provided by the user by contacting the e-mail addresses published on the Website and/or by using the other contact functions provided by the Website itself (for example, the “Invoice Request” function).

Some of the user’s personal data are then automatically collected by the Website, including: IP address; date and time of access to the Website; hardware, software or browser used; information on the operating system; selected language settings; and all other data automatically collected by the Website during the user’s navigation.

Grimaldi Group, as the owner of the processing of personal data, informs the user pursuant to art. 13 of the GDPR that such personal data will be processed for the following purposes and on the following legal bases:

1. Based on the implementation of pre-contractual measures in favour of the user, pursuant to Article 6, paragraph 1, letter b, of the GDPR, to provide the information and services requested by the user.
2. Based on the fulfilment of legal and/or regulatory obligations incumbent on the Company and arising from the operation of the Website, pursuant to Article 6(1)(c) of the GDPR, to ensure compliance with any applicable law, as well as the general conditions of the Website.
3. Based on the legitimate interest of the Company, pursuant to Article 6(1)(f) of the GDPR, to develop and improve the Site, to ensure that the content is displayed in the most effective way for the user and the relevant device, as well as to inform the user of any significant changes to the Website and/or the services offered through it.

The criteria used to determine the period of retention of personal data is based on compliance with the terms allowed by any applicable laws: the Company will only retain the data necessary to fulfill its obligations and/or contractual obligations and for a period not exceeding that required for such fulfillments.

Personal data will not be transferred outside the territory of the European Union.

2. USER RIGHTS AS A DATA SUBJECT

The user may, at any time, exercise the following rights (within the limits established by the GDPR):

1. to access personal data, requesting that these data be made available in an intelligible form, as well as the purposes on which the processing is based;
2. to obtain the correction or deletion of the data or the limitation of processing;
3. to revoke consent (where this is the legal basis for the processing) without prejudice to the lawfulness of the processing based on the consent before revocation;
4. to obtain data portability;
5. object to the processing of the data;
6. to lodge a complaint with the competent supervisory authority, which in Italy is the Data Protection Authority, following the instructions on the website of the aforementioned authority.

The above-mentioned rights may be asserted by addressing requests to the following e-mail address: privacy@grimaldi.napoli.it.

The Data Protection Officer (DPO) appointed by the Companies is available at the following e-mail address: DPO@grimaldi.napoli.it.