1. Who we are: MSC Cruises and the companies of our group
Please read carefully this information notice, which is based on article 13 of the General Data Protection Regulation (Reg. (EU) 2016/679 or simply “GDPR”).
For any doubts regarding the content of this document, please refer to our FAQ document available HERE or contact our designated Data Protection Officer via email at firstname.lastname@example.org. You can also send requests in writing to MSC Cruises S.A., Avenue Eugène-Pittard 40, Geneva, Switzerland; in that case, please specify “For the Attention of the Data Protection Officer” on the envelope.
2. Why when and how we collect data about you
Our main objective is to provide you with a great experience during your cruise. Below you will find the main purposes why your data is processed. Please click on each to find out what categories of data are collected and how we use such data in each case.
a. Providing you with information regarding your requests about our cruises (via website, call centre or email)
We need to know your name, contact details as well as the content of your request. Without this data, we cannot provide you with the requested information. We will only use this information to answer your request. This processing is carried out to take steps at the request of the data subject prior to entering into a contract (Article 6.1(b) GDPR).
In addition, and only where you indicate your express and specific consent, we will use your contact details to send you newsletters and marketing communications via email or SMS about our products and services that may interest you. This processing is based on your consent, pursuant to Art. 6.1(a) GDPR), and you can revoke the consent at any time emailing us using the contact email address provided in section 1 of this notice.
b. Completing and handling the booking of a cruise
To travel on-board our ships, you need to provide your name, contact details, date of birth and nationality at booking stage. We also register some information about your cruise choices, such as cabin type and type of cruise experience. We process this data on the basis of our contract with you (Article 6.1(b) GDPR).
You also need to provide information about valid travel documents and visas, where applicable. We process this information to comply with regulatory requirements in the ports of call, therefore on the basis of an existing legal obligation (Article 6.1(c) GDPR).
During the booking, in some cases, you could communicate data revealing information about your health or even your religious preferences (for example, food preferences that indicate the observance of a specific religion – such as kosher or halal food – or medical conditions requiring special attention on-board – such as disabilities or celiac disease). We collect this data in our Special Needs form and process it only on the basis of your informed and specific consent (Art. 9.2(a) GDPR). It is not mandatory to provide this data, but please be informed that if you do not provide it, we are unable to accommodate your needs on-board.
When you make a booking with a Travel Agency, that Travel Agency will insert the above data into our booking systems, acting as autonomous data controller; the Travel Agency will be responsible for the processing it carries out on your personal data and for taking the adequate data protection measures. Please contact your local Travel Agency for information about how it processes your personal data.
c. Sending you personalised newsletters and communications according to your preferences
When you write us a message using the “Contact us” page and indicate that you wish to receive personalised information about our products and services by clicking the consent box, we will contact you via email or SMS to let you know our latest offers and cruise products that we think might be of interest to you. Similarly, you have the opportunity of providing your informed and specific consent to receive personalised information from us when you sign up for our Newsletter, when you enrol in the MSC Voyagers Club, when you request a brochure or a call from us, as well as when you sign up for a ship visit or participate in one of the competitions we organise on our Website. In all the cases above, it is not mandatory to provide your consent to receive personalised messages and offers from us, but without your consent we will not be able to send you personalised offers.
Since the processing of your data for the purposes indicated above is based on your specific consent (Article 6.1(a) GDPR), you can revoke this consent at any time by clicking on the “unsubscribe” link at the bottom of a marketing email received from us or by using the contact email address provided in section 1 of this notice.
Before you board the cruise ship, we will also register your interest in receiving special personalised offers in your cabin. For example, if you are travelling with children, we will send you specific information about the events we organise for children on board. You can choose not to provide this consent, but in that case, you will not receive personalised messages in the cabin during the cruise. We will process your personal data on the basis of our legitimate interests in informing you of the on-board promotions that are active during your cruise and that may enhance your cruise experience (Article 6.1(f) GDPR). You can obtain information about the balancing test upon request by using the contact email address provided in section 1 of this notice.
In addition, when you browse our Website, we use profiling cookies that can track some information about you, provided that you consent to our use of such cookies. We use this information to make the Website more intuitive and to suggest products or services that may be of interest to you. You can find more information about our use of cookie and other tracking technologies used on the Website below.
d. Sending you information about similar products and services to the ones you already booked
When you give us your email in the context of booking a cruise with us, we will send you information about products or services that are similar or related to the ones you booked, unless you exercise your right to opt out of receiving marketing communications from us at the time of booking.
For example, we will send you information about drinks package deals or excursion deals that are available on the cruise you booked. If you do not wish to receive this kind of information, please select the opt-out box when booking or click the relevant “unsubscribe” link in any of the emails that we sent you.
This data processing is carried out on the basis of our legitimate interests in informing you of similar or related products and services that we offer and that may enhance your cruise experience (Article 6.1(f) GDPR). You can obtain information about the balancing test upon request by using the contact email address provided in section 1 of this notice.
e. Handling requests, complaints and comments
We keep track of the comments and complaints that you make on board in order to adequately respond to your requests. We process these data in connection with our provision of services to you, therefore on the basis of the booking contract (Article 6.1(b) GDPR). You have the option of making an anonymous complaint or comment, but please be aware that in such case it will be impossible for us to follow up on the complaint or to provide assistance and support.
In addition, we can use the content of the request, complaint or comment to improve our services on board. We limit as much as possible the use of data that may identify you personally in this case. This processing is carried out on the basis of our legitimate interests in developing our services in a way that ensures our guests get a pleasant experience on board, in accordance with Article 6.1(f) GDPR. You can obtain information about the balancing test upon request by using the contact email address provided in section 1 of this notice.
f. Ensuring on-board security
We keep track of the people who are on board at all times in order to be able to handle crisis situations and to ensure everybody’s security throughout the cruise. We therefore record your name, cabin number, picture (taken when you come on board), date of birth, people you are travelling with, port of embarkation, port of disembarkation and information about special needs that may require specific assistance in case of emergencies.
For security reasons, we operate CCTV cameras onboard our ships, including all access points and in all public areas. These CCTV cameras are continuously recording 24 hours a day.
We may perform screening of your personal data against publicly available databases to ensure security on board of our ships.
We process these data on the basis of the need to ensure public security and to manage potential crisis situations (Article 6.1(d) GDPR). For security reasons, we operate CCTV cameras onboard our ships, including all access points and in all public areas. These CCTV cameras are continuously recording 24 hours a day. For this processing, the data controller is MSC Cruise Management (UK) Ltd, 5 Roundwood Avenue, London, and the data processor is MSC Cruises S.A., Avenue Eugène-Pittard 40, Geneva.
g. Additional data processing activities on-board
Some additional information about you may be collected during the cruise on paperback forms, in order to enable you to participate in specific activities (for example, the gym or the Spa) or to handle the request of specific packages (for example, the Romantic Sunset package). The data processed varies depending to the specific activity on board, however, we make sure to only collect the strictly necessary data to achieve the specific purposes. You will be required to complete the form if you want to receive that specific offer/event/package requested and we will process the data on the basis of our contract with you (Article 6.1(b) GDPR).
We also process some personal data about you to assign you to a dinner table at one of our main restaurants during the cruise, to make sure that you are able to enjoy your meal without having to look for an adequate table for yourself and the people you are travelling with. To assign the tables, our Maître D’ takes into account elements such as the size of the group you are travelling with, the place where you booked the cruise and your preferred language. You can request a different table at all times by contacting the Maître D’ or the Guest Service on-board. This data processing is conducted on the basis of our legitimate interests in ensuring that all passengers are assigned adequate dinner seating on-board (Article 6.1(f) GDPR).
The information collected on board is stored for as long as necessary for each purpose. You can obtain information about the balancing test upon request by using the contact email address provided in section 1 of this notice.
h. Loyalty Program
We may process your loyalty account details through a unique Voyager’s Club ID that contains information about your points balance, account activity, cruiser milestones, and loyalty tier. We create these details for you when you join one of our loyalty programs and update them as you credit bookings and other activity to your loyalty account.
When you play in the onboard casino using your card, we track information of your play and spend in onboard casinos (including how much you spend, loyalty rewards details and gaming pattern). We sometimes use these details to identify guests that may be interested in casino gaming. Alternatively, you can use cash when we would not track your playing information.
i. MSC 360VR App
If you choose to download our mobile application MSC 360VR for an immersive cruise configurator where you can preview the excitement of your next cruise, we will collect your name, surname, date of birth, phone number and email through the app in order to provide you with our catalogue tailored to the selections you make within our app.
3. How long we store the data
We have defined a Corporate Data Retention Policy that specifies the time frame for data processing at the end of which all copies of the personal data are either destroyed or anonymised using adequate techniques that do not permit the re-identification of the data subject.
4. Categories of data recipients and personal data transfer
a. Companies of our group
Depending on the country where the booking is made from, and to provide you with specific services, we share information about you with the companies of our group. All companies are processing the personal data in compliance with the GDPR.
Depending on the country where the booking is made from, your personal data could be processed by one of the companies of our group, acting as data processors upon instructions from the data controller. The companies of the MSC Cruises group that process personal data of European passengers are: MSC Cruises S.A., MSC Crociere S.p.A., MSC Cruise Management UK Ltd, MSC Cruises UK Ltd, MSC Food & Beverage Division Spa, MSC Kreuzfahrten AG, MSC Cruises Belgium NV, MSC Cruises Scandinavia AB, MSC Kreuzfahrten (Austria) GmbH, MSC Netherlands B.V., MSC Cruises Ltd – Cyprus, Mediterranean Shipping Cruises Cruceros Sau and MSC Kreuzfahrten GmbH.
In limited cases, the above-mentioned companies could act as data controllers in relation to a specific data processing activity (for example, when competitions are organized and handled at local level). In such cases, we will provide you with a separate privacy information notice in relation to that specific activity.
Personal data of passengers in the EU is not usually shared with companies of our group that are located outside of Europe. However, should data need to be transferred to a non-EU/EEA country, MSC Cruises will adopts relevant safeguards to ensure that the transfer is carried out in compliance with the applicable privacy legislation, in particular the provisions of the GDPR.
b. Commercial partners
Some services that you book with us are provided by our commercial partners. For example, some shore excursions or experiences may be provided by local tour guides that have been carefully selected by MSC Cruises for their knowledge and experience. We need to communicate your name to such partners in order to provide you with the service you booked.
In such cases, we only communicate the data that is strictly necessary and we have agreements in place with our commercial partners to ensure that the data we communicate to them is used only for specific purposes related to the fulfilment of your request.
Our commercial partners operate in the following industries:
- Tourism (e.g. tour operators, local tour guides);
- Transportation services (e.g. bus, train, airplane or other means of transportation depending on type of service required on a case by case basis);
- Insurance companies (e.g. when there is a need to activate your insurance package during a cruise);
Restaurants and shops (e.g. where you sign up for a lunch, dinner or for special offers); in some cases, where lunch/dinner is included in a package offered by us and provided by one of our commercial partners, we communicate data about allergies or food preferences that may reveal health information about you.
We take utmost care to only reveal your identity when this is strictly necessary and, where possible, we work with anonymous data.
Thus, personal data of are transferred to a non-EU/EEA country if the commercial partner is based outside the EU/EEA. MSC Cruises adopts relevant safeguards to ensure that the transfer is carried out in compliance with the applicable privacy legislation, in particular the provisions of the GDPR, either by signing a specific contract with the commercial partner or by signing appropriate safeguards as approved by the European Commission, as the case may be.
c. Data sharing with port agents and authorities
As a travel operator, we need to share some information about our passengers with local port agents and authorities for immigration purposes. The sharing of data with these agents and authorities can trigger the transfer of data outside the EU/EEA if these entities are based abroad, outside the EU/EEA. These data are shared and transferred based on the legal obligation that MSC Cruises has in relation to the provision of information to the relevant authorities, and only the strictly necessary data is communicated. We are required to cooperate with state authorities and law enforcement agencies of each country on your route, including customs and immigration authorities. Personal information about you may be shared with these entities prior to embarkation, during your cruise, or after disembarkation for security or immigration reasons. Our Immigration Officers can clarify any questions you might have about these data processing activities.
5. Your data subject rights
The GDPR provides for enhanced rights and MSC Cruises is committed to giving you the appropriate control of your own personal data.
In particular, you have the following rights in connection to your personal data:
a. The right to access your personal data and obtain specific information about how we process it, in accordance with Article 15 GDPR; please be aware that you can only exercise this right in relation to your own data or to the data of a minor or another vulnerable person, where you have provided such data as a holder of parental authority or legal responsibility. MSC Cruises reserves the right to ask for proof of identity, as well as to refuse to provide the personal data if the identity or relevant connection to the data subject cannot be proven.
b. The right to rectify your personal data, in accordance with Article 16 GDPR, including by means of providing a supplementary statement.
c. The right to obtain the erasure of personal data concerning you, in accordance with Article 17 GDPR, unless the data are necessary for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing by Union or Member State law to which MSC Cruises is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9.2 as well as Article 9.3 GDPR; or for the establishment, exercise or defence of legal claims.
d. The right to obtain the restriction of the processing of your personal data. In accordance with Article 18 GDPR, this right may be exercised in the following cases:
• Temporary restriction, where you are contesting the accuracy of the personal data; in this case, we will restrict the processing of your data for a period enabling us to verify the accuracy of your data and we will provide feedback to you as to the lifting of the restriction;
• The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• MSC Cruises S.A. no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
• Where you have objected to processing pursuant to Article 21.1 GDPR, the processing is restricted pending the verification whether our legitimate grounds override your rights as data subject.
e. The right to data portability. In accordance with Article 20 GDPR, you may exercise this right in those cases where the processing is based on your consent or on your contractual relationship with MSC Cruises S.A. or one of the companies of our group, and the processing is carried out by automated means.
f. The right to object, at any time, to the processing of the personal data concerning you. In accordance with Article 21 GDPR, you may exercise this right where the processing is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in us, or where the processing is based on our legitimate interests.
g. The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or which similarly significantly affects you. In accordance with Article 22 GDPR, you may exercise this right unless the processing is necessary for entering into, or performance of, a contract between you and MSC Cruises S.A. or one of the companies of our group; or is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or if the processing is based on the your explicit consent.
h. The right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to him or her infringes the GDPR, in accordance with Article 77 GDPR.
Please find the list of all European Data Protection Supervisory Authorities at the following link: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
To exercise your data subject rights, please access this link and we will address it shortly thereafter.
Requests may also be sent in writing to MSC Cruises S.A., Avenue Eugène-Pittard 40, Geneva, Switzerland; in that case, please specify “For the Attention of the Data Protection Officer” on the envelope.
6. Changes to this Information Notice
Each version of the information notice takes effect from the moment it is published on the Website. Significant changes to the processing of your personal data will require your approval, in accordance with the applicable legislation.
You are responsible for reviewing this document from time to time in order to make sure that you are aware of the current version. If you would like to obtain a prior version of the information notice, please contact us using our contact details provided in section 1 of this notice.