With the coming into force of the EU Regulation no. 679/2016, “relative to the protection of natural persons as regards the processing of personal data, as well as the free circulation of such data and abrogating the directive 95/46/EC”, Grimaldi Group S.p.A., as Data Controller, is bound to provide information concerning the methods and purposes of processing personal data.
The table below gives a brief summary of the content of the information notice subsequently provided.
|GRIMALDI GROUP S.p.A., with registered office in Via Emerico Amari, 8 – 90139, Palermo - Tax ID 00117240820 and VAT no. IT00117240820 – Fax +390815517401 – E-mail: firstname.lastname@example.org.
|To conclude, manage and implement out maritime transport contracts
|Fulfilment of the contract and legal obligations
|Transfer of data
|Possible, where adequate guarantees safeguarding the data subject’s rights exist
|Data subject’s rights
|a. to access personal data;
|b. to obtain the rectification or erasure of data or limit the processing thereof;
|c. to object to the processing of personal data;
|d. to obtain the portability of such data;
|e. to complain to the appropriate control authority (e.g. Data Protection Authority), right which can be exercised by writing to: email@example.com
TheData Controller has designated a Data Protection Officer (DPO), having specialist knowledge of legislation and standard practices in the matter of data protection, who is therefore qualified to perform the tasks as per Article 39 of the Reg. EU 679/2016.
- Subject of the processing
We hereto inform you, pursuant to Art. 13 GDPR,that the identification personal data, sensitive or not (i.e. name, surname,tax ID, VAT number, e-mail, telephone no. etc.) provided by you to this Company, or otherwise acquired by the same in compliance with the current legislative and contractual provisions- concerning, related and/or instrumental to the maritime transport contract -may be subject to processing in compliance with the aforementioned legislation and requirements of confidentiality.
The processing operations concern:
- passengers’ personal details;
- data relating to professional categories - i.e. membership of professional registers, Police forces – or participation in loyalty or association programmes entered into with third parties – e.g. Trenitalia, Payback, Telepass, Poste Italiane, ACI etc. (to obtain discounts on the services offered by the company).
We remind you, moreover, that the processing of certain sensitive data is provided for by Article 9 of the EU Regulation:
- data provided by you, if any, about special needs related to your state of health.
Such sensitive personal data is provided on a voluntary basis. In this regard, we inform you that the acquisition and processing of such data will not only allow us to better meet your needs, but also to achieve the purpose envisaged in the Circular of the Ministry of Infrastructure and Transport no. 104/2014, namely “collecting passenger information and data [...] to facilitate search and rescue operations and optimise the resources needed to cope with an SAR event".
- Purposes of the processing which the data is intended for (art. 24 letters a, b, c Personal Data Protection Code and art. 6 letter b, and GDPR)
Such data will be processed for purposes related to the mutual obligations deriving from the maritime transport contract in force with you.
In particular, the data will be processed:
- to manage requests for quotes;
- to conclude, manage and carry out the operations related to the maritime transport contract;
- to send logistical information about the journey (e.g. delays, departure quay, etc.);
- to organize internal events on board ship;
- to supply on board ship the products and services purchased;
- to extract statistical information, in anonymous form;
- to transmit your data to shipping agents, terminals and port authorities, judicial authorities and police forces.
We also hereto inform you that if you call our Contact Center,the calls may be listened to, after voice masking applications (morphing), for quality monitoring purposes.
- Data processing methods (Art. 4 Personal Data Protection Code and Art. 5 GDPR)
We also inform you that the personal data concerning you will be processed, including using electronic means, in compliance with the methods indicated in the GDPR, which provides, among other things, that the data must be:
- processed according to the principles of lawfulness, transparency and fairness;
- collected and recorded for specific, explicit and legitimate purposes (“purpose limitation”);
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and kept up to date (“accuracy”);
- kept for no longer than is necessary for the purposes for which the personal data are processed («retention limitation»);
- processed in a manner that ensures appropriate security and confidentiality, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage ('integrity and confidentiality').
Personal data is stored according to the following table.
|Purpose of storage
|Date of Birth
|Place of Birth
|Details of ID
|Sensitive data (state of health)
|Vehicle number plate
|10 years from the end of the journey
|For the purposes of accounting records and for legal defence purposes in the case of possible disputes raised by passengers
- Legal basis
The legal basis of the processing listed above from point 1 to point 5 of paragraph 2 “Purpose of the processing for which the data are intended” is reflected in the fulfilment of contractual obligations, pre-contractual and statutory measures in order to manage the maritime transport contract.
For point 7 of paragraph 2 “Purpose of the processing for which the data are intended” , the legal basis of the processing is reflected in the fulfilment of legal obligations to which the Data Controller is subject and in the public interest of safety in ports.
- Transfer of data
Please note that your data may be disclosed, as well as to other companies belonging to the Grimaldi Group, also to entities established in third countries, even outside the territory of the European Union, subject to compliance with specific procedures.
With reference to EU countries, your data may be disclosed to the Port Authorities, Judicial Authorities, and Police Forces, Shipping Agents and Terminals situated in Spain, Greece, Germany, Belgium, Ireland, Portugal, Cyprus, Sweden and Denmark.
As regards non-EU countries, the data may be transferred to the above recipients working in Great Britain, Tunisia, Morocco, Turkey, Israel, Brazil, Uruguay, Argentina, Senegal, Benin, Nigeria, Ghana, Ivory Coast, USA and Canada.
In particular, the communication of your data to shipping agents is envisaged since the same act as representatives of the shipowner in forwarding data to the Authorities.
With reference to the Terminals, however, there is an obligation under which the same must carry out particular checks on persons and things intended for boarding or disembarking. This means that the shipowner is obliged to communicate passenger data to the Terminal in advance, which in compliance with the security procedures is required to communicate the data received to the Competent Authorities (e.g. Harbour Master, Border Police, Financial Police and Customs).
In addition, Grimaldi Group S.p.A. may communicate the passenger data to the Authorities mentioned above directly.
With reference to transfers that may take place in countries such as Israel, Uruguay, Argentina, the USA and Canada, the European Commission has expressed itself by legitimising the transfer with appropriate adequacy decisions pursuant to Article 25 paragraph 6 of Directive 95/46/EC.
In other countries, however, the transfer of data will be regulated by the contractual relationships between Grimaldi Group S.p.A. and the Shipping Agents and Terminals concerned at the time on the basis of the Standard Contractual Clauses referred to in Art. 26 paragraph 4 of Directive 95/46/EC.
- Communication of data
We also inform you that the aforementioned processing of personal and sensitive data concerning, related and/or instrumental to the maritime transport contract may provide for access to the above data by:
- Public Authorities pursuant to the Circular of the Ministry of Infrastructure and Transport no. 104/2014 in compliance with Directive 98/41/EC (i.e. harbour master and port authority);
- Judicial Authorities and Police Forces;
- Ticket Offices, Terminals and Shipping Agents for the organisation of boarding/disembarkation activities;
- Catering companies, for the supply of products and services on board ship;
- External companies dealing with the organisation of events on board ship;
- Companies with which you have subscribed to loyalty or association programmes – e.g. Trenitalia, Payback, Telepass, Poste Italiane, ACI etc. – which, under the agreement with Grimaldi Group S.p.A., assure you access to discounts on services offered by the company;
- Legal practices, in the event of disputes arising;
- Insurance companies both when booking tickets and filing a claim;
- Appraisers during the claim phase;
- Companies, including those belonging to the Grimaldi, Group providing other essential services for the maritime transport service or for carrying out marketing activities, such as hosting websites and web systems, e-mail services, marketing, sponsorship of competitions and other promotions, audit services, data analysis, market research and customer satisfaction surveys.
The need to communicate passenger data to the authorities referred to in point 1 arises from the obligation to count and register persons on board passenger vessels, referred to in the Circular of the Ministry of Infrastructure and Transport No 104/2014.
It may be necessary for us - in relation to laws, legal proceedings, disputes and/or requests made by public or governmental authorities within or outside your country of residence, national security purposes or other issues of public importance - to communicate your personal data. Whenever legally permitted, we will inform you before such communication.
We may also communicate your personal data if we establish in good faith that such communication is reasonably necessary to enforce and protect our rights and activate the available remedies.
- Data Subject’s Rights (Art. 7 Personal Data Protection Code and Art. 15 - 21 GDPR)
Lastly, we inform you that the data subject may, at any time, exercise the rights:
- access to personal data, requiring that such data be made available to you in an intelligible form, as well as the purposes of the processing (former Art. 15);
- to obtain the rectification (former Article 16) or the erasure (former art. 17) of the same or the limitation of processing (former Art. 18);
- to obtain the portability of such data (former Art. 20);
- to object to the processing of personal data (former Art. 21);
- to lodge a complaint with a competent supervisory authority.
The above rights may be exercised by contacting the following e-mail address firstname.lastname@example.org.
In this regard, we also inform you that the Data Protection Officer (DPO) appointed by the Company can be contacted at the following e-mail address: email@example.com
- Provision of data and consequences of possible refusal
The provision of data is necessary for the correct performance of contractual and pre-contractual obligations which we are required to perform; failure to provide the same will make it impossible for us to conclude the maritime transport contract requested by you, as well as to correctly fulfil the legal obligations and those arising from the public interest concerning safety in ports.
- Soft spam
We inform you that we may use your e-mail address to market services similar to those which you have purchased. In this regard please note that you may exercise the right to oppose such processing at any time, by sending a request to the following e-mail address firstname.lastname@example.org by clicking on the appropriate link in the emails sent to you at the time .