PRIVACY
Please click here to download the pdf version1. Who we are: MSC Cruises SA
MSC Cruises S.A., headquartered in Avenue Eugène-Pittard 16, Geneva, Switzerland, registered for tax purposes under number 060.667.071 (CHE- 112.808.357), and acting as data controller (hereinafter, the “Data Controller”, “MSC Cruises”, or “we”) is committed to the fair processing of your personal data (“your data”).
In order to provide you with a great experience, we collect personal data about you on different occasions, such as when you browse our company website, when you book a cruise, or when you make onboard purchases.
Given that we are based in Switzerland but provide our services globally to individuals also located within the EU/EEA, we have appointed MSC Procurement & Logistics SPA (Via Balleydier 7N 16149, Genova, Italy) as representative in the European Union.
MSC Cruises is committed to protecting and legally and ethically using personally identifiable information collected from former, current, and prospective guests, staff, business partners and their representatives, as well as all individuals who have provided information to us.
Accordingly, and as we are part of the MSC Cruises Group of companies, we appointed a Group Data Protection Officer (“DPO”). The DPO is available for any information regarding the processing of personal data carried out by MSC Cruises via dpo@msccruises.com. You can also send requests in writing; in that case, please specify “For the Attention of the Data Protection Officer” on the envelope.
Please note that when booking through a travel agency, they will complete your booking by entering the required data into our booking systems, acting as an autonomous data controller. This essentially means that the travel agency independently decides how to process your personal data for activities under its competence and is responsible for the processing and appropriate data protection measures. For details on the processing activities involving your personal data, please contact your local travel agency.
Similarly, in case you booked a ‘Fly & Cruise' package and made a flight booking with us or via a travel agent the flights are to be provided by airline(s) who are also separately be considered as data controllers regarding passenger data processed in the context of providing flight services. You can access the privacy policies of the respective travel agencies or airlines via their own websites or offices.
2. What is personal data and what categories of personal data do we collect
Personal data means any information which identifies you or could be used to indirectly identify you, such as your name and contact details, your travel arrangements, purchase history and preferences.
When you use our services, you will need to provide us with your personal details and/or the details of those individual(s) who will be travelling.
In connection with the relevant processing activities described below, we process the following categories of personal data:
- Identity and contact data (e.g., name, ID number, e-mail address, date of birth, age, gender, etc.);
- Booking and travel information (e.g., booking number, specific packages associated with the booking, complaints, etc.);
- Pictures (e.g., Security Picture taken prior embarkation, photos taken by our photographers onboard, etc.);
- Recordings (e.g. Audio recordings, such as phone calls, CCTV);
- Preferences (e.g., information and inferences about purchases onboard, behavioral patterns, interests, etc.);
- Financial and payment data (e.g., invoices, payment information, tax information for casino winnings, etc.);
- Technical data related to online activity (e.g., IP address, connection logs to Wi-Fi, activity on our website, etc.);
- Health data (e.g., special needs form, medical records/invoices, etc.);
- Biometrics (e.g., when required by port authorities or to associate your photos with your cabin number and account);
- Geolocation data (e.g., approximate location based on IP address);
- Data about religious or philosophical beliefs (e.g., special needs form, and specific dietary needs that may indicate such beliefs, etc.).
3. Why, when and how do we collect data about you or others
We collect personal data about you whenever you use our services (whether these services are provided by us or by other companies or agents acting on our behalf), including when you travel with us, when you use our website or mobile application, or interact with us via email or by calling our contact center.
In addition, we may receive personal information about you from third parties, such as:
- Companies contracted by us to provide services to you;
- Companies involved in your travel plans, including airlines, and customs and immigration authorities;
- Companies that participate in our loyalty schemes and other customer programs;
- Companies that act as our third-party business partners with whom you have interacted and with whom you have consented to provide us with your data to receive marketing communications.
Please also note that when you provide us with data about others (e.g., details of passengers travelling with you, emergency contact data, credit card information belonging to another person), such as a co-traveller or minor, we kindly inform you that it is your responsibility to ensure that such individuals have authorized you to do so and that they are aware and have understood and accepted how our company uses their information (as described in this Privacy Notice).
Below you will find the main purposes as to why your data is processed.
a. Responding to your requests (via website, call center or e-mail)
You can submit your request regarding our activities and services through different channels (phone, e-mail, SMS, messaging systems, etc.). In order for us to respond to your request, we need to process your Identity and Contact data as well as the content of your query. Without this data, we cannot provide you with the requested information. This processing is carried out to take steps at your request prior to entering into a contract or to answer your request in the context of our cruises and services you purchased.
Additionally, using the different forms on the website, you can request to be contacted through different channels (phone, e-mail, SMS, messaging systems, etc.). In case you fill out our online request form for telephone contact:
- We will contact you as per your preference on the date and time you have specified in the request form;
- We will contact you on the following days as per the initial time slot indicated, if the call is not answered or the connection fails;
- We will make a maximum of 3 attempts to contact you by phone if the call is not answered or the connection fails and, if none are successful, we will contact you by e-mail to inform you of our attempts, and invite you to make a new request if you still wish to be recontacted.
Please also note that if you contact us via our call center, phone calls may be recorded for legal purposes where required by local regulations. In other cases, if the recording of the call is not mandatory under local laws, with your consent, the calls may be recorded for the protection and reproducibility of verbal commitments and may be cross-checked with other reservation data. The call recordings may also be processed based on our legitimate interest to meet quality assurance and training purposes. If the call is being recorded, you will be notified at the beginning of the call. Kindly note that this only applicable to inbound calls, as we do not record outbound calls.
b. Completing and handling the booking of a cruise (through our website, application, contact centre, or travel agency)
To travel or stay onboard our ships, we need to process your Identity and contact data as well as Financial and payment information at the booking stage. We also register your Booking and travel information, such as date and port of embarkation and disembarkation, cabin type, cruise experience, as well as information regarding packages or other products and services purchased prior to the cruise.
We process this information in order to finalize your booking and issue the relevant ticket and travel instructions. In that regard, please note that we may also send you communications or notifications via our app to provide you with relevant documents and information, as well as to inform you about necessary steps you need to take prior to your trip. These steps may include changes to embarkation or debarkation times, shore excursion changes or cancellations, ship itinerary changes or cancellations, as well as other last-minute information related to your booking (for example, due to bad weather or unforeseen circumstances).
If you have already booked your cruise, you can use your booking number, email address and date of birth to login directly through the App. This will allow you to manage your existing booking as well as view and book our services/products onboard.
If you have used the same email as your MSC account to book a cruise, then the App will automatically retrieve your booking once you login. On the other hand, if you have booked a cruise using an email that is different from the one used to register an account and login through the App, then you may retrieve your booking manually by inserting your booking number, first name, last name, and date of birth. You will then be able to manage your booking as well as purchase further products/ services for your upcoming trip.
Additionally, if you encounter any issues during the payment stage of your booking (i.e., technical problem or error with payment), we may contact you directly by phone within 24-48 hours of your attempt to finalize the booking to offer our support.
We process all the above data on the basis of our contract with you and to perform the activities prior to the purchase of our cruises and services.
You also need to provide information about valid travel documents and visas, where applicable. Furthermore, some ports of call require the use of facial-recognition technology to facilitate the validation of travel documents and you may be required to provide biometric data to embark or disembark at such ports. We process this information to comply with regulatory requirements in the ports of call, therefore on the basis of an existing legal obligation. Without such information, we will not be able to complete your travel arrangements.
c. Registering your credit card for future purchases
With your consent, we provide you with the option of registering your credit card on the app or website in order to facilitate payments and have your future onboard purchases debited directly from your card.
Please note that this feature is optional and if you do not wish to provide us with your credit card information in the App, you can simply use the totems on board to top-up your cruise card while on the ship.
d. Accommodating your special needs
During the booking process, in some cases, you may provide information and documents containing Health data or Data about religious or philosophical beliefs (for example, food preferences that indicate the observance of a specific religion – such as kosher or halal food – or medical conditions requiring special attention onboard – such as disabilities, or celiac disease). We process this data on the basis of your informed and specific consent. It is not mandatory to provide this data, but please be informed that if you do not provide it, we will be unable to accommodate your needs onboard.
e. Sending you marketing communications
With your consent, we may process your Identity and contact data, Booking and travel information, Preferences and Technical data related to online activity for marketing purposes, including to send you questionnaires/surveys, carry out market research as well as direct marketing via e-mail, Whatsapp, SMS, ordinary mail, over the phone, through push notifications/pop-up banners on our app, instant messaging, through an operator, through MSC Cruises’ official social media pages, as well as for marketing activities in the broad sense, including prize events, games and competitions, products and/or services related to our subsidiaries/ other companies of our group and our business partners (for example, tourist activities, airlines/transportation services, luxury brands, travel agency, insurance companies, etc.) and/or to other third-party products and/or services.
Additionally, as part of our efforts to provide you with relevant information and offers, we may also acquire the above personal data from our third-party business partners. This process involves receiving or accessing databases from our trusted partners to identify individuals who may be interested in our services and products and who have consented to have their data shared from these business partners to MSC Cruises.
Please, note that it is not mandatory to provide your consent to receive promotional messages and offers from us, or from third parties, but without it we will not be able to send you such communications that may be of interest to you.
Since the processing of your data for the purposes indicated above is based on your consent, you can withdraw this consent at any time by clicking on the “unsubscribe” link at the bottom of a marketing email received from us, by emailing us at the email address provided for in section 1 of this notice, replying STOP to any marketing SMS or Whatsapp message received from us, or through the private area on the website. Any consent may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
f. Sending your personalized communications
With your consent, we may process your personal data by way of tracking your onboard purchases, your browsing activity on our application, or based on data collected from special programs carried out from time to time. We may use such data for analysis of your preferences, habits, behavior and/or interests in order to send you personalized commercial communications and carry out targeted promotional actions.
Since the processing of your data for the purposes indicated above is based on your specific consent, you can withdraw it at any time by emailing us at the email address provided for in section 1 of this notice or as per the dedicated consent management depending on the channel used (i.e. on our website or via app).
Additionally, only if you are based outside of the EU/EEA, specifically in the United States, and with your consent, we may also process your Identity and Contact data, Booking and Travel information, Preferences and Technical data related to online activity for marketing purposes which include promoting our products and services to third parties (for example, by improving the performance of our personalized advertising campaigns by targeting like-minded customers).
We process your data for purposes indicated above by using both automated means, such as emails, text messages, advertising messages through social networks, etc. as well as non-automated means, such as ordinary mail, call from our operators, flyers in your cabin, etc. We personalise our communication by analysing your travel preferences, experiences, consumption habits and analysing market surveys in order to improve the range of services offered and send you communications that may be of interest for you.
Please also note that with your consent, we may carry out social media marketing activities. To target audiences that we believe may be interested in our offers and communications, we perform profiling activities that take into account the analysis of their interactions, preferences, and behaviour.
In addition, when you browse our Website, we use profiling cookies that can track some information about you, provided that you consent to our use of such cookies. We use this information to make the Website more intuitive and to suggest products or services that may be of interest to you. You can find more information about our use of cookie and other tracking technologies used on the Website below.
Before you board the cruise ship, we will also register your interest in receiving special personalised offers in your cabin. For example, if you are travelling with children, we will send you specific information about the events we organise for children on board.
Since the processing of your data for the purposes indicated above is based on your specific consent, please be informed that you can withdraw your consent at any time by clicking on the “unsubscribe” link at the bottom of our communications, if available, or by using the contact details provided in section 1 of this notice.
g. Sending you information about similar products and services to the ones you already booked
When you give us your email address in the context of buying any of our products or services, we may use it to send you information about products or services that are similar or related to the ones you bought (including all the services and experiences you can buy and enjoy on board our ships during your cruise), unless you exercise your right to opt-out of receiving marketing communications from us at the time of booking, or later via the “unsubscribe” link within the footer of our email.
This data processing is carried out on the basis of our legitimate interest of informing you of similar or related products and services that we offer and that may enhance your cruise experience. You can obtain information about the balancing test upon request by using the contact email address provided in section 1 of this notice.
h. Compliance with the applicable laws
When you provide personal data to MSC Cruises, we are obliged to process it in accordance with the applicable laws, which may include storing and reporting personal data to official authorities. Those activities include, for example the processing of personal data for compliance with tax and fiscal laws, or the tracking of boarding and disembarking from the ship by our guests and possible communication of such information to the authorities.
i. Setting up and managing your MSC Cruises account on our website or mobile application
When you create an account on our website or mobile application, you can manage your booking by accessing your personal area when you log in. This will allow you, for instance, to do the check-in online or book or view reservations already made, or visit your MSC Club membership area. For these purposes, we process your Identity and contact data, Booking and travel information, Preferences, as well as Technical data related to online activity.
Kindly note that the creation of an account for these purposes is entirely optional. We process your data for this purpose in the context of the performance of a contract to which you are a party or to perform activities prior to entering a contract with us.
j. Performing the online check-in via your MSC Cruises account or MSC app
To enhance your check-in process, and to avoid queuing at the terminal, our website and application allow you to check in online. To do this, you will need to provide some information about yourself (and any travel companions) and your booking. For this purpose, we will require you to upload certain information to proceed, such as your Identity and contact data, Travel and booking information (i.e. passport, ID, relevant visas necessary to travel) and your Security picture.
We process this information on the basis of our contract with you as well as our legal obligation to collect the necessary travel information at the terminal and ports of call. Additionally, we also process your photo in this case to ensure onboard security of our passengers and crew members pursuant to our legitimate interest.
Once you successfully perform the online check-in, you will receive your travel information, such as your ticket as well as a QR code to be used when embarking on your booked cruise. This QR code will be scanned by our personnel in order to validate your ticket when boarding.
In any case, please be informed that it is not mandatory to perform the check-in online, and you can skip this step and proceed directly to the terminal and perform the check-in with our employees instead.
k. Enabling guests to chat with each other through the MSC for Me Chat
The Chat feature of the MSC for Me app enables guests to contact each other. We collect the following personal data in order to provide the Chat service:
• Name Surname
• Cabin number
• Internet ID
• List of chat contacts, including group membership status with multiple contacts
• Sent / received messages
• Online / offline status over time
• Sent received files, photos
• Profile picture
We process the above personal data on the basis of our contract with you and to provide you with the chat service if you wish to use it.
Please note that the chat history will be automatically deleted the day after disembarkation. With reference to multimedia messages shared, such as photos and/or videos, these files be deleted after 30 days and will no longer be downloadable by the passenger.
l. Processing information through your Cruise card
When you embark on your journey, you will receive a cruise card that is unique to your specific cruise, containing your full name, cabin number, as well as a unique Internet ID.
More specifically, we process your data via the cruise card for the following purposes:
- record and manage the purchases onboard carried out with your cruise card (except for some shops, where you can pay with your personal credit card), including the purchase of WiFi packages and onboard commercial photos (as specified further below), as well as the booking of excursions or onboard activities. Please be informed that every time you make a purchase on board by scanning your cruise card, our employees view the associated Security Picture to perform a check on the identity of the purchaser.
- perform the activities necessary for embarkation and disembarkation during transits at the ports (all entries and exists from the ship are tracked by the security team by scanning the card).
All purchasing information processed through your cruise card is necessary for us to comply with our legal obligations of maintaining accurate records for accountability and taxation needs. In addition, pursuant to our legal obligations, we also require the scanning of the cruise card, which shall be matched with your onboard security picture to avoid instances of fraud and to ascertain the legality of the purchase, for instance, to ensure that we do not serve alcoholic beverages to minors that may make use of another person’s card.
We also process this data on the basis of our contract with you in order to issue invoices and payment receipts during your time onboard. Kindly note that if you do not provide us with your card, we are unable to provide you with any products and/or services that require purchasing through the scanning of your cruise card.
Moreover, we also scan your cruise card for safety reasons when you enter and exit the ship. This is based on our legitimate interest to ensure that we keep track of all our passengers onboard, especially during transit and cruising time. Additionally, a list of all passengers must be maintained based on our legal obligations to communicate it to the relevant authorities, such as during the ports of call. Kindly note that all passengers must provide their cruise card to enter or exit the ship.
m. Purchasing onboard Wi-Fi package
All guests have a unique ID printed on their cruise card (Internet ID) to use when logging in for the Wi-Fi connection. If you have already purchased an internet package during the booking phase or at the designated desk on the cruise, you can login through the MSC Wi-Fi website and connect by inserting your date of birth and internet ID. Otherwise, we will request you to proceed with purchasing a specific package depending on your consumption needs.
We process the data collected in the context of the Wi-Fi package in order to provide you with the requested service and for compliance reasons. Furthermore, we process Technical data related to online activity to track your access and usage (traffic data) of the internet for our legitimate interest to ensure adequate functioning as well as in case of complaints/claims (for instance, due to technical issues).
Kindly note that the provision of your data for the above purpose is necessary to be able to purchase and use our Wi-Fi service onboard.
n. Onboard medical assistance
In case you visit our medical centre onboard, or have a doctor come to your cabin, we need to collect your Identity and contact data, Booking and travel information and Health data (symptoms, diagnosis, treatment, etc). We process your Health data in order to attend to your medical and safety needs on the basis of your consent.
Depending on the severity of the case, your data may also be collected for security and public health purposes. In case of a medical emergency, or the need to provide ashore medical assistance, we may have to disembark you to ensure that you are properly cared for at an appropriate facility.
Following the visit, we will keep a copy of your medical report for a period of 10 years for insurance and legal compliance purposes.
Kindly note that you are not obligated to share all your personal data with us, however, without it, we will not be able to attend to your medical needs.
o. Onboard Mini-club
If you are a parent or legal guardian and want to enrol your child (up to, and including 11 years old) at the mini-club, we will request you to provide specific information about your child (including Health data, such as any medical issues or specific food preferences or dietary needs that we must consider).
We collect this data only on the basis of your consent as the legal guardian of the child.
Upon embarkation, children under the age of 11 years old will receive a locator bracelet containing a barcode containing their full name, as well as the details of their guardian that is authorized to pick them up. The barcode on the bracelet is scanned at every entrance and exit from the kids’ club.
We process this information on the basis of our legitimate interest to guarantee the safety and to ensure the whereabouts of minors onboard our ship. Kindly note that the provision of data for this purpose is not mandatory, but if you refuse to provide this information, you are not able to provide the Kids Club service, due to security reasons.
p. Handling requests, complaints and comments
We keep track of the comments and complaints that you make on board and/or after disembarkation in order to adequately respond to your requests. We process this data in connection with our provision of services to you, or based on our legitimate interest to protect the interests and rights of our company in case of litigation. You have the option of making an anonymous complaint or comment, but please be aware that in some cases, it will be impossible for us to follow up on the complaint or to provide assistance and support.
In addition, we can use the content of the request, complaint or comment to improve our services onboard. We limit as much as possible the use of data that may identify you personally in this case. This processing is carried out on the basis of our legitimate interests in developing our services in a way that ensures our guests have a pleasant experience onboard.
In the event of a refund request via our website, we will also process your Identity and contact data, Booking and travel information as well as Financial and payment data to approve and issue the refund once processed. We process this data on the basis of our contract with you, which will also be retained for the in order to comply with our legal obligations, such as for taxing and accounting purposes.
q. Ensuring onboard security
We keep track of the people who are on board at all times in order to be able to ensure everyone’s security throughout the cruise and to handle crisis situations. We therefore record your Identity and contact data as well as your Booking and travel information, Security picture and Health data (information about special needs where provided, which may require specific assistance in case of emergencies).
The security photo taken during your check-in process is also linked to your cruise card profile, as such, whenever one of our crew members scans your card, they will be able to view your security photo to ensure that the card indeed belongs to you.
We process these data on the basis of our legitimate interest to ensure public security and to manage potential crisis situations. Please note that the provision of data for this purpose is not mandatory, but if you refuse to provide this information, we may not be able to accommodate you onboard our cruises.
Additionally, when you arrive at the check-in counter at the terminal prior to boarding your ship, you will be asked by our agent whether you have had a series of symptoms in the last 48 hours prior to embarkation in order to ensure everyone’s public health onboard. In the case where you have not had any of the listed symptoms, the agent will proceed with the check-in process. On the contrary, if you or a member on the same booking has had any of the listed symptoms, you will be directed to a designed private area to be assessed by our medical staff. After a secondary screening, the medical staff will approve or deny your boarding. In the instance of the latter, you will be denied boarding due to medical reasons.
We will process your Health data for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. Kindly note that the provision of data for this purpose is not mandatory, but if you refuse to provide this information, we may not be able to accommodate you on board our cruises due to security reasons.
Finally, we process some of your personal data with regard to fraud prevention/detection and security purposes. In this case, we rely on our legitimate interest in preventing and detecting fraud to our own detriment.
As the security onboard our cruises is entrusted to our group company located in the UK, as shipowner, we hereby inform you that the data controller for the above-mentioned activities is MSC Cruise Management (UK) Ltd, 5 Roundwood Avenue, London, and the data processor is MSC Cruises. This practically means that decisions on how your personal data is processed to ensure security onboard are taken by the shipowner, MSC Cruise Management (UK).
r. Loyalty Program
When you sign up to our loyalty program (MSC Voyagers Club), we will process your loyalty account details, including Identity and contact data, Travel and booking information, and Preferences, such as your points balance, account activity, cruiser milestones, and loyalty tier. We create these details for you when you join our loyalty program and update them as you credit bookings and other activity to your loyalty account. We process this information on the basis of the contract that we have with you and the terms and conditions that you accept to join our program. Consequently, the above information is needed in order to provide you with exclusive products/services dedicated to our loyalty program members and allow you to have access to specific focus groups and our community.
s. Casino
When you play in the onboard casino using your cruise card, we process you Identity and contact details as well as information of your play and spending in onboard casinos (including amount spent, loyalty reward details, points acquired and gaming patterns) if you decide to register. Otherwise, you can proceed to playing with cash without registration, and thus we will not process your Identity and contact data.
Please also note that in addition to the installation of CCTV cameras on the ship for the purposes outlined under below, these cameras are also set up in the casino to ensure the integrity of the game and prevent against fraud.
Moreover, kindly be informed that in case you wish to be distanced from the casino (for instance due to gambling addictions), you can sign a self-declaration form to enable our crew to identify you and do their best to prevent you from accessing the casino. The provision of this data is based on your consent and is entirely optional.
t. CCTV related data processing activities
We use closed circuit television (“CCTV”) onboard our ships, including at all access points and in all public areas. These CCTV cameras are continuously on and thus, images of you may appear in these recordings. CCTV footage may include sound recordings as well. We perform this activity based on our legitimate interest and use this information for security purposes to recognize, identify and maintain records of incidents, facilitate investigations and remedies, to protect our rights and the rights of our guests, to enable public health measures, to prevent and detect fraud or to comply with other legal or regulatory requirements. As all our ships are equipped with CCTV cameras, the processing of your data for the above purposes is not optional.
Additionally, in the event of a security incident, the security officers shall gather all evidence from the guests and crew involved to draft a report. If you are a witness, suspect or a victim during an incident, please note that the provision of your statement is not mandatory.
In the event of such incident, where CCTV footage is available, the footage may be extracted and can be stored for up to 5 years, and longer if necessary depending on the circumstances of the specific case (for instance, due to investigation by authorities).
Where CCTV footage/ recordings are not extracted or used, they are only stored for up to 30 days of the date of recording.
u. Assigning adequate table seating
We process some personal data about you to assign you to a dinner table at one of our main restaurants during the cruise, to make sure that you are able to enjoy your meal without having to look for an adequate table for yourself and the people you are travelling with. To assign the tables, our Maître D’ takes into account elements such as the size of the group you are travelling with, and your preferred language. You can request a different table at all times by contacting the Maître D’ or the Guest Service on-board. This data processing is conducted on the basis of our contract with you in ensuring that all passengers are assigned adequate dinner seating on-board.
v. Reviewing your data through smart TV
In your cabin, you can also make use of the TV to access the MSC for me App as well as your MSC profile to check all purchases and onboard activities that have been carried out through the cruise card. We process and display this data to you on the basis of our contract with you. This data is only displayed and available on the cabin TV during your stay onboard and will be removed as soon as you check-out.
w. Disciplinary and precautionary measures
Please note that we have the authority to deny embarkation or order disembarkation of a passenger whose presence onboard may be considered as a potential danger to themselves and/or other passengers and/or the ship, or when their behaviour may affect or compromise the comfort and enjoyment of other passengers onboard. To handle such cases, we may process data necessary for this purpose, including Identity and contact information, Booking and travel information, Security pictures, as well as information about the cause of the measure on the basis of our contract with the relevant passenger and our legitimate interest. As the security onboard our cruises is entrusted to our group company located in the UK, as shipowner, we hereby inform you that the data controller for the above-mentioned activities is MSC Cruise Management (UK) Ltd, 5 Roundwood Avenue, London, and the data processor is Explora. This practically means that decisions on how your personal data is processed to ensure security onboard are taken by the shipowner, MSC Cruise Management (UK).
x. Onboard commercial photos
Onboard our ships, there are a number of kiosks managed by our third party partners where you can view, purchase and print all the photographs and videos that have been taken of you throughout the cruise. In case you would like to view your photos at a later stage, you can purchase and download them online after disembarkation at mymscphotos.com, creating an account and using your Internet ID on your cruise card. We process this personal data on the basis of our legitimate interest to display and allow you to purchase your photos. Biometric data, such as through the use of facial-recognition technology, may be used to associate your photos with your account or cabin number. We process your data in this regard in accordance with our contractual relationship with you. In case of special events or commercial photos to be publicly displayed onboard, we will provide you with a specific form to request your consent.
Personal data processed for this purpose will be kept by MSC Cruises and our partners in our digital archives for a period of 3 months, after which, photos available for purchase will be deleted.
y. Additional data processing activities onboard
Some additional information about you may be collected during the cruise on paperback forms in order to enable you to participate in specific activities (for example, the gym or the spa) or to handle the request of specific packages. The data processed varies depending to the specific activity onboard, however, we make sure to only collect the data strictly necessary to achieve the specific purposes. Please refer to the onboard forms given to you prior to your participation in such activities for further details.
4. How long we store the data
In accordance with the principle of storage limitation, the personal data that we collect is kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which personal data are collected and processed in each specific case, and in any case no longer than as specified by the relevant applicable laws.
Generally, information relating to the booked services and the contractual relationship that we have with you will be kept for a period no longer than 10 years.
Personal data collected based on your consent, specifically for the purposes of sending marketing and profiling communications will be retained until you withdraw your consent and in any case, not longer than 7 years from the withdrawal of this consent.
In cases where the retention period is not specifically stated above, we have defined a Corporate Data Retention Policy which outlines the timeframe for data processing, at the conclusion of which all copies of personal data are either destroyed or anonymized using appropriate techniques that prevent the re-identification of the individual in question.
For more information on our personal data retention periods and the criteria adopted in determining these periods, please contact our DPO at the email address set out in Section 1.
5. Categories of data recipients and personal data transfer
We store your personal data on servers located in Frankfurt. We may transfer personal data to MSC Cruises Group’s companies, or other reputable third party organizations situated inside or outside Switzerland. Your personal data may also be shared with recipients who are located outside the European Union or the European Economic Area. For all these cases, MSC Cruises ensures that your personal data are transferred to these recipients in accordance with the applicable data protection law. Indeed, transfers can be based on an adequacy decision, the Standard Contractual Clauses approved by the European Commission or another legal transfer mechanism depending on the applicable law.
To ensure greater transparency, we have provided a list below of the main categories of recipients with whom your personal data may be shared:
a. Companies of our group
Depending on the country where the booking is made from, and to provide you with specific services, we share information about you with the companies of our group. All companies are processing the personal data in compliance with the applicable data protection laws.
Depending on the country where the booking is made from, your personal data could be processed by one of the companies of our group, acting as data processors upon instructions from the data controller. The companies of the MSC Cruises group that process personal data of European passengers are: MSC Crociere S.p.A., MSC Cruise Management UK Ltd, MSC Cruises UK Ltd, MSC Procurement & Logistics Division Spa, MSC Kreuzfahrten AG, MSC Cruises Belgium NV, MSC Cruises Scandinavia AB, MSC Kreuzfahrten (Austria) GmbH, MSC Netherlands B.V., MSC Cruises Ltd – Cyprus, Mediterranean Shipping Cruises Cruceros Sau and MSC Kreuzfahrten GmbH.
In limited cases, the above-mentioned companies could act as data controllers in relation to a specific data processing activity (for example, in the case of security onboard our ships as described in this notice). In such cases, we will provide you with a separate privacy information notice in relation to that specific activity.
b. Commercial partners
Some services that you book with us are provided by our commercial partners. For example, shore excursions or experiences may be provided by local tour guides that have been carefully selected by MSC Cruises for their knowledge and experience. In some cases, we need to communicate your data to such partners. However, rest assured that we only share the data that is strictly necessary, and we have established agreements with our commercial partners to ensure that the shared data is used exclusively for fulfilling your request. In cases where these commercial partners act as autonomous data controllers, we recommend consulting their specific privacy policies for comprehensive information on how they process your personal data.
Our commercial partners operate in the following industries:
- Tourism (e.g. tour operators, local tour guides);
- Transportation services (e.g. bus, train, airplane or other means of transportation depending on type of service required on a case by case basis);
- Insurance companies (e.g. when there is a need to activate your insurance package during a cruise);
- Restaurants and shops (e.g. where you sign up for a lunch, dinner or for special offers); in some cases, where lunch/dinner is included in a package offered by us and provided by one of our commercial partners, we communicate data about allergies or food preferences that may reveal health information about you. We take utmost care to only reveal your identity when this is strictly necessary and, where possible, we work with anonymous data.
- Service providers (such as IT service providers, consultants, etc.), including persons authorized to process the personal data needed to carry out activities strictly related to the provision of the services, who have committed themselves to confidentiality or have an appropriate legal obligation of confidentiality;
- Only if you are based in the United States, we may also shared your personal data with marketing partners (e.g., advertising platforms such as Google, Facebook, and Instagram, and third-party marketing agencies).
c. Data sharing with port agents and authorities
As a travel operator, we need to share some information about our passengers with local port agents and authorities for immigration purposes. The sharing of data with these agents and authorities can trigger the transfer of data outside the EU/EEA if these entities are based abroad, outside the EU/EEA. These data are shared and transferred based on the legal obligation that MSC Cruises has in relation to the provision of information to the relevant authorities, and only the strictly necessary data is communicated.
6. Your data subject rights
The applicable data protection law provides for enhanced rights and MSC Cruises is committed to giving you the appropriate control of your own personal data.
- Please be aware that you can only exercise this right in relation to your own data or to the data of a minor or another vulnerable person, where you evidence of parental authority or legal responsibility. MSC Cruises reserves the right to ask for proof of identity, as well as refuse to provide the personal data if the identity or relevant connection to the data subject cannot be proven.
In particular, you have the following rights in connection to your personal data:
a. The right to access your personal data and obtain specific information about how we process it.
b. The right to rectify your personal data, including by means of providing a supplementary statement.
c. The right to obtain the erasure of personal data concerning you, unless the data are necessary for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing by Union or Member State law to which MSC Cruises is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller; for reasons of public interest in the area of public health, or for the establishment, exercise or defense of legal claims.
d. The right to obtain the restriction of the processing of your personal data. This right may be exercised in the following cases:
- Temporary restriction, where you are contesting the accuracy of the personal data; in this case, we will restrict the processing of your data for a period enabling us to verify the accuracy of your data and we will provide feedback to you as to the lifting of the restriction;
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- MSC Cruises S.A. no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims;
- Where you have objected to processing, it will be restricted pending the verification of whether our legitimate grounds override your rights as data subject.
e. The right to data portability. You may exercise this right in those cases where the processing is based on your consent or on your contractual relationship with MSC Cruises S.A. or one of the companies of our group, and the processing is carried out by automated means.
f. The right to object, at any time, to the processing of the personal data concerning you. You may exercise this right where the processing is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in us, or where the processing is based on our legitimate interests.
g. The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or which similarly significantly affects you. You may exercise this right unless the processing is necessary for entering into, or performance of, a contract between you and MSC Cruises S.A. or one of the companies of our group; or if authorized by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or if the processing is based on the your explicit consent.
h. The right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.
Please find the list of all European Data Protection Supervisory Authorities at the following link: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
To exercise your data subject rights, you can send your request to the Data Controller at the e-mail address dpo@msccruises.com.
Requests may also be sent in writing to MSC Cruises S.A., Avenue Eugène-Pittard 16, Geneva, Switzerland; in that case, please specify “For the Attention of the Data Protection Officer” on the envelope.
7. Website Cookies and other Tracking Technologies
Cookies are small text files that the websites visited send to you and store on your computer or mobile device, and which will be returned to these same websites on each new visit. Thanks to these cookies, the website remembers your actions and preferences (for example connection data, preferred language, font dimensions, other display settings, etc.) so that you do not have to need to specify them again when you return to the website.
Cookies are used for electronic authentication, session tracking and the storage of information on the activities of users visiting the website. They may also contain a unique identifier allowing a system to monitor your browsing activities on the website, for statistical or advertising purposes. When browsing a website, you may also receive cookies from websites or web servers other than the website being visited (i.e., “third-party cookies”).
There are various types of cookies, depending on their characteristics and functions, which may be stored on your computer for different periods of time: “session cookies”, which are automatically deleted when you close your browser, and “persistent cookies”, which will remain on your device until their pre-set expiration period passes.
According to the law which may be applicable to you, your consent may not always be necessary for cookies to be used on a website. In particular, “technical cookies” – i.e., cookies which are only used to send messages through an electronic communications network, or which are needed to provide services you request – typically do not require this consent. This includes browsing or session cookies (used to allow users to login) and function cookies (used to remember choices made by a user when accessing the website, such as language or products selected for purchase).
On the other hand, “profiling cookies” – i.e., cookies used to create profiles on users and to send advertising messages in line with the preferences revealed by users while browsing websites – typically require specific consent from users, although this may vary according to the applicable law.
The website uses the following types of cookies:
- Technical cookies, which are strictly necessary for the website’s operation, and/or to allow you to use the website’s content and Services;
- Analytics cookies, which allow for the understanding of how users make use of the website, and to track traffic to and from the website.
- Marketing/ profiling cookies, which are used to send advertisement content or to create profiles on users and to send advertising messages in line with the preferences revealed by users while browsing websites.
“Pixels” are small pieces of code embedded on a website that allows website owners and third parties to track user behavior and gather information about how users interact with the website. Pixels can track actions such as page views, clicks, and other related activities and are often used for personalized ads and website analytics.
We may use pixels on the Website to associate personal data with your device or IP address and to track and measure your engagement with the Website, our mobile apps, and/or personalized ads.
For example, the Website and mobile app utilize Meta Pixel, which allows us to track and analyze the effectiveness of our advertising campaigns on Facebook and Instagram. This pixel enables us to measure the success of our advertisements by understanding the actions users take on our Website or app after viewing our Facebook and Instagram ads. The data collected through the Meta Pixel may be used for marketing and analytical purposes to enhance our understanding of user preferences and to improve our advertising strategies. You can manage Meta Pixel data sharing settings within the Settings section of Facebook and Instagram.
8. Policy Regarding Children’s Information
Our privacy practices and this Privacy Notice are designed to comply with the laws governing the collection, use, disclosure, and retention of the personal data of children, such as the Children's Online Privacy Protection Act (COPPA) applicable to residents within the United States. We do not knowingly collect personal information from children without verifiable parental consent.
Parental Consent and Control
As detailed in this Privacy Notice, we collect certain information about minor passengers (“Children’s Information”) in order to provide our cruises and related services. However, with the exception of video and audio recordings and biometric data that are collected from all passengers on the ship (e.g., CCTV footage, use of facial recognition technology at embarkation and debarkation in certain ports), we do not collect personal data directly from children. Instead, we collect Children’s Information when the parent or legal guardian (in each case, the “parent”) provides it directly to us. For example, our Website and mobile app (“App”) is not directed to children and only users who are the age of majority may use the Website or App or create Bookings.
We never collect Children’s Information before obtaining verifiable parental consent. We obtain parental consent when a parent acknowledges the terms of this Privacy Notice, completes a form or waiver for the child, and/or when a parent voluntarily communicates information about the child to us, such as when speaking with our customer service agents. To the extent we process Children’s Information, we do so for the purposes described in the consent request and to provide the requested services.
Data Collected
As detailed above in this Privacy Notice, we collect certain data about minor passengers in order to provide our cruises and related services to them and their parents and to maintain security on our ships. The categories of personal data collected include:
. Identity and contact data—specifically, contact information (name and age of child and parent’s contact and account information) and government-issued identification;
i. Booking and travel Information—specifically, transaction information (parent’s cabin assignment, and information related to kids club, teen club, onboard activities, and offshore excursions for which the parent registers the child);
ii. Data about religious or philosophical beliefs—specifically, protected class information communicated to us by the parent regarding the child, such as dietary accommodations the child may require;
iii. Pictures and video and audio recordings—specifically, CCTV footage and photographs captured featuring the child, or photographs taken or provided by the parent during check-in;
iv. Biometrics—specifically, biometric information collected or created during the use of facial recognition technology at embarkation, debarkation, and by our third-party photographer to ensure family photographs are delivered to the parent’s cabin and account;
v. Health data—specifically, health data expressly communicated by the parent to us, such as the child’s food allergies;
vi. Geolocation—specifically, precise geolocation data collected and shared with the parent when the parent enrolls the child in our Mini-Club.
Purpose of Data Collection
Children’s Information is collected and used for business purposes—specifically, the business purposes identified in this Privacy Notice. Our use of Children’s Information is limited to what is necessary to supply the specific good or service for which the data was collected. We do not use Children’s Information for commercial purposes or in conjunction with personalized ads.
Data Security Measures
We have implemented industry-standard security measures to protect the confidentiality, security, and integrity of the Children’s Information collected, stored, and processed.
Third-Party Disclosure
Children’s Information is disclosed to Third Parties as identified in this Privacy Notice. Our disclosure of Children’s Information to Third Parties is limited to what is necessary to fulfill the business purpose for which the data was collected.
Parent Rights
Parents can exercise the same rights applicable in section 6 with regards to their children. If you are based in the United States, please refer to section 12 for sectoral specific laws and which rights are applicable to you as a parent or legal guardian of the child.
Contact Information
If you have reason to believe that we have collected personal data from a child in connection with our cruises and services without adequate involvement from the child’s parent or guardian, please let us know by contacting us via the methods described in this Privacy Notice.
Additional Disclosure Requirements Applicable to United States Residents
9. Financial Incentives
We may offer incentives related to the collection, retention, or sharing of personal data that may be deemed a “financial incentive” or “price or service difference.” For example, we may offer you a coupon or promo code in exchange for signing up to receive marketing emails or text messages from us. The perks of membership in our loyalty program may also be considered a financial incentive under some privacy laws. If you opt in to such an offering pursuant to the terms described at the time of signup, we may collect information such as contact information, transactional information and inferences, internet or other network activity, and device information.
Participating in any of our financial incentive programs is always optional and you can opt-out (e.g., by unsubscribing to email or closing your loyalty program account). When you do so, you will forego any additional financial incentives through these programs.
Any difference in price or rate, such as a discount, will be directly related to the value of the data. We estimate the value of the data by considering the time and cost associated with procuring such data versus the expenses related to the provision of the financial incentive. From time to time, we may provide additional terms that apply to a particular financial incentive, which will be presented to you at the time you sign up for the financial incentive.
10. Sale of Personal data
MSC Cruises does not sell personal data.
As discussed above, MSC Cruises participates in targeted advertising or personalized ads, which is also called interest-based or online behavioural advertising and may include cross-contextual advertising. Under some privacy legislation, personalized ads may constitute the “sale” or “sharing” of personal data, such as for business purposes (e.g., providing our cruises and related services) and commercial purposes (e.g., marketing). To opt out of these practices, please see the section above about revoking consent or visit our Do Not Sell or Share My Personal Information page.
11. Tracking and Privacy Controls
"GPC” is short for Global Privacy Control settings in your browser or extension. Our Website recognizes GPC signals. This means that if your browser has GPC enabled, our Website will automatically recognize your GPC signal and opt you out of the sale of your personal information, if any. For more information about GPC, please click here: https://globalprivacycontrol.org/
12. Jurisdiction-Specific Rights
In addition to the privacy rights set forth in Section 6 of this Privacy Notice, if you are a resident of any of the following jurisdictions within the United States, the corresponding privacy rights apply to you:
For California Residents
The “right to access” includes the right to request the following:
vii. what personal data we have collected, used, disclosed and “sold” about you, including the categories of personal data;
viii. the categories of sources from which the personal data is collected;
ix. the business or commercial purpose(s) for collecting, selling, or sharing personal data;
x. the categories of Third Parties to which personal data has been disclosed
xi. the specific pieces of personal data we have collected about you.
Please note that we are only required to honor “right to access” requests twice in a 12-month period.
The “right to rectify” includes the right to correct inaccuracies, considering the nature of the personal data and the purposes of the processing.
The “right to obtain erasure” is not absolute and we will, in some cases, retain personal data as allowed by applicable laws and to support essential functionality, such as maintaining your subscription.
You may also designate an authorized agent to make a privacy rights request on your behalf.
In addition, California law requires us to identify, for the 12-month period prior to the date of this Privacy Notice, what information we may have “sold” or “shared” about you. For the 12-month period prior to the date of this Privacy Notice, we have only sold or shared personal data about customers as expressly described in this Privacy Notice.
The Shine the Light law permits you to request and obtain from us, once per calendar year, information about any of your personal data shared with third parties for their own direct marketing purposes, including the categories of information and the names and addresses of those businesses with which we have shared such information. To request this information and for any other questions about our privacy practices and compliance with California law, please contact us as described in Section 1.
For Virginia, Colorado, Connecticut, and Utah Residents
The “right to access” means you have the right to confirm whether we process your personal data and access your personal data.
Please note that we are only required to honor “right to access” requests twice in a 12-month period.
The “right to rectify” includes the right to correct inaccuracies, considering the nature of the personal data and the purposes of the processing.
The “right to obtain erasure” is not absolute and we will, in some cases, retain personal data as allowed by applicable laws and to support essential functionality, such as maintaining your subscription.
You have the right to opt out of the processing of your personal data for purposes of personalized advertising, the sale of personal data, and/or profiling in furtherance of decisions that produce legal or similarly significant effects. Please see our Do Not Sell or Share My Personal Information page for information on exercising this right.
Please note that we do not process your personal data using machine learning and/or profiling methods in ways that would impact you in a legal or similarly significant manner.
If we deny your privacy request, you have the right to appeal our decision. To appeal a decision we have made regarding your request, you may contact us as instructed below. We will respond to appeals within 45 days.
You may also designate an authorized agent to make a privacy rights request on your behalf.
13. Changes to this Information Notice
Each version of the information notice takes effect from the moment it is published on the website. Significant changes to the processing of your personal data will require your acknowledgment, in accordance with the applicable legislation.
You are responsible for reviewing this document from time to time in order to make sure that you are aware of the current version. If you would like to obtain a prior version of the information notice, please contact us using our contact details provided in Section 1 of this Notice.
14. Contact Us
Last updated on 8 April 2024.