1. home
  2. privacy policy
  1. Previous page

Last Updated: 15/05/2023

SCENIC CRUISES INTERNATIONAL GmbH: PRIVACY POLICY

Foreword

We, Scenic Cruises International GmbH, Wallbrunnstrasse 24, 79539 Lörrach (hereinafter: “the company”, “we” or “us”), take the protection of your personal data seriously and would like to take this opportunity here to inform you about data protection in our company.

The entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: “GDPR”) extended our data protection responsibility with the introduction of additional obligations to ensure the protection of the personal data of a data subject (we will address you as the data subject hereinafter also as "customer", "user" and "you") whenever they are processed.

Where we, either alone or jointly with others, determine the purposes and means of data processing, this requires us above all to inform you in a transparent manner about the nature, scope, purpose, period and legal basis for the processing. This notice (hereinafter: “privacy notice”) sets out how we process your personal data.

Our privacy notice comprises several parts. There is a general part (Section A – General provisions) relating to any processing of personal data in the situations that arise any time the website is accessed, an online booking is made and/or you travel on one of our tours and a specific part which deals only with the processing in connection with a specific service or product, in particular, giving details on website visits (Section B – Website visits and online booking) and travelling on one of our tours (Section C – Travelling on a tour).

 

Section A – General provisions


(1) Definitions

In accordance with the model set out in Article 4 of the GDPR, this privacy notice is based on the following definitions:

  • “personal data” (Article 4(1) GDPR) means any information relating to an identified or identifiable natural person (“data subject”). A person is identifiable where he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data, or to one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity. The identifiability of a person may result also from combining information of that kind or other additional knowledge. The way in which the information is generated as well as its form or embodiment are irrelevant (also photos and image or sound recordings can contain personal data).
  • “processing” (Article 4(2) GDPR) means any operation performed on personal data irrespective of whether or not by automated (i.e. technically assisted) means. This comprises, in particular, collection (i.e. obtaining), recordings, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data as well as changes to the original objective or purpose of the data processing.
  • “controller” (Article 4(7) GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • “third party” (Article 4(10) GDPR) means any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; this also includes other legal persons in the corporate group.
  • “processor” (Article 4(8) GDPR) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of, and in particular, according to the instructions of, the controller (e.g. IT service provider). For the purposes of data protection law, a processor, in particular, does not constitute a third party.
  • “consent” (Article 4(11) GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
(2) Name and address of the controller responsible for the processing

We are the controller, within the meaning of Article 4(7) of the GDPR, that is responsible for the processing of your personal data:
Scenic Cruises International GmbH
Wallbrunnstrasse 24
79539 Lörrach
phone: 0800 554 415
email: cruises@scenic.eu

(3) Contact details of the data protection officer

Your contact person if you have any questions concerning data protection is our internal data protection officer, who can be contacted at any time. His contact details are:
Damien Thomas
Scenic Tours Europe AG
Dammstrasse 21
6300 Zug
Switzerland
Email: cruises@scenic.eu

(4) Legal basis for data processing

According to the law, all processing of personal data is, in principle, prohibited and only permitted if the data processing is covered by one of the following justifications:

  • Article 6(1)(a) GDPR (“consent”): where the data subject has freely and on an informed and unambiguous basis given an indication, by a statement or clear affirmative action, signifying his or her agreement to the processing of the personal data relating to him or her for one or more specific purposes;
  • Article 6(1)(b) GDPR: where the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps (for example to deal with a booking request) at the request of the data subject prior to entering into a contract;
  • Article 6(1)(c) GDPR: where the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a statutory obligation to retain records);
  • Article 6(1)(d) GDPR: where the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Article 6(1)(e) GDPR: where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Article 6(1)(f) GDPR (“legitimate interests”): where the processing is necessary for the purposes of the legitimate (in particular legal or commercial) interests pursued by the controller or by

a third party, except where such interests are overridden by the competing interests or rights of the data subject (in particular where the data subject is a minor).

In relation to the processing operations which we carry out, we specify in the following text the applicable legal basis. Processing can have more than one legal basis.

(5) Erasure of data and retention period

In relation to the processing operations which we carry out, we specify in the following text how long the data will be stored by us and when they will be erased or access will be blocked. Where in the following text no express retention period is stated, your personal data will be erased or access to the data will be blocked as soon as the purpose or legal basis for holding the data ceases to apply. As a rule, your data are only stored on our servers in Germany, subject to the possibility, however, that they may be passed on in accordance with the provisions of Sections A7 and A8.

Storage may continue beyond the period stated, however, in the event of an (impending) legal dispute with you or other legal procedures or where this is required by statutory provisions, which we as controller must comply with (e.g. section 257 of the German Commercial Code (Handelsgesetzbuch) and section 147 of the German Tax Code (Abgabenordnung)). When the retention period required by law expires, the personal data will be erased or access to the data will be blocked unless further storage by us is necessary and a legal basis for such retention exists.

(6) Data security


We make use of appropriate technical and organisational security measures in order to protect your data against accidental or deliberate manipulation, partial or complete loss, destruction or unauthorised third party access (e.g. transport layer security (TLS) encryption for our website) having regard to the state of the art, implementation costs and the nature, extent, context and purposes of the processing and the risks of a data breach that exist (including its likelihood and consequences) for the data subject. Our security measures are improved continually in line with technological developments.

On request we would be pleased to provide you with further details. For these purposes, please contact our data protection officer (see Section A3).

(7) Cooperation with processors


We, in common with other large companies, make use of external service providers, both domestic and foreign, to handle certain aspects of our business (e.g. in the areas of IT, logistics, telecommunications, sales and marketing). These only act in accordance with our instructions and have given a contractual undertaking, as required by Article 28 of the GDPR, to observe the requirements of data protection law.

Where we pass on your personal data to our subsidiaries or these are passed on to us by our subsidiaries (e.g. for marketing purposes), this is done on the basis of existing processing relationships.

(8) Requirements for the transfer of personal data to third countries

In the context of our business relationship, your personal data may be transferred or disclosed to third parties. These may be located outside the European Economic Area (EEA), in other words in third countries. We make use of this kind of processing exclusively for the performance of contractual and commercial obligations and to manage your business relationship with us. We will inform you of the details of such transfer at the relevant points in the following text.

For certain third countries the European Commission has certified by means of an adequacy decision a level of data protection that is comparable to the EEA standard (a list of these countries and a copy of the adequacy decisions can be obtained here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). In other third countries to which personal data may potentially be transferred, it may be the case, however, because of the absence of a statutory framework, that no consistently high level of protection for personal data exists. Where this is the case, we will make certain that the necessary data protection is sufficiently ensured.

1. Data transfer on the basis of Article 49 GDPR

For the purposes of performing a contract (or steps prior to entering into a contract) between you and SCENIC, we cooperate with third party service providers and we may pass on your personal data to them, e.g. to IT providers who in the context of software or system support may have limited access to your personal data.

When you enter personal data on our website and voluntarily check the box “consent to the transfer of data to the USA and Australia” you will be informed that

(i) your data may be transferred to a third country (USA and Australia);

(ii) the GDPR requirements do not apply in those countries;

(iii) and that the data are necessary for the purposes of IT processing and entering into and implementing a contract.

By checking the box “consent to the transfer of data to the USA and Australia” (and, in the case of additional travellers, where these also check further consent boxes) and sending / transferring the personal data, you (and, where applicable, the additional travellers) give us your consent to transfer the personal data to third countries and acknowledge that the customer data are stored on the US servers of the US providers Amazon Web Services, Acoustic, Sales Force and Microsoft Azure.

The US providers Amazon Web Services, Acoustic, Sales Force and Microsoft Azure are software companies based in the USA with an establishment in the European Union (EU).

Further information on the operations of US providers can be found in the privacy notice on the website of the relevant US providers:

Salesforce: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf

Microsoft Azure: https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted

Acoustic: https://help.goacoustic.com/hc/en-us/sections/360009719473-General-Data-Protection-Regulation-GDPR-and-California-Consumer-Privacy-Act-CCPA-

Amazon Web Services: GDPR - Amazon Web Services (AWS)

2. Data transfer on another basis

In light of the judgment of the European Court of Justice (ECJ) in the Schrems II case (Case C-311/18), we comply with the recommendations of the European Data Protection Board (EDPB) on the transfer of personal data to countries outside the EEA. We follow and implement the EDPB recommendations as set out below.

(a) We assess and analyse all cases in which we export personal data to non-EEA countries (third countries) and analyse the necessity to disclose data in clear text or in pseudonymised or encrypted form.

(b) We verify which of the transfer tools set out in Chapter V of the GDPR our transfer relies on and whether an adequacy decision pursuant to Article 45 of the GDPR exists in relation to the third country (a detailed list can be found at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).

Where the third country is covered by an adequacy decision, the transfer to that third country is made on the basis of Article 45 of the GDPR.

- in other cases -

(c) We assess whether there is anything in the law or practice of the third country at issue concerning the specific transfer of personal data that may impinge on the effectiveness of the appropriate safeguards of the transfer tools on which we rely in the context of the specific transfer. We focus primarily on third country legislation that is relevant to our transfer and the Article 46 GDPR transfer tool on which we rely and that may undermine its level of protection.

(d) We then verify if we can use standard contractual clauses (SCC) for the country concerned (Article 46(2)(c) GDPR). We transfer data to third countries only where it is ensured that the recipient of the data guarantees an adequate level of data protection within the meaning of Chapter V of the GDPR and no other interests worthy of protection militate against the transfer of the data. To ensure that the recipient of the data has an adequate level of protection in place, we use, in particular, the model contractual clauses (SCC) adopted by the European Commission for the transfer of personal data to third countries and, where appropriate, in addition, binding corporate rules (BCR).

(e) We verify whether, using the SCC, we can transfer the data to the country concerned and negotiate additional safeguards for the transfer of the data to that country. These include, in particular, measures to avoid onward transfer or access by others (encryption, agreement that the data will be hosted in the EU or that data will not be transferred to the USA).

(f) In addition, we contact each recipient of data and attempt to negotiate the following amendments to the SCC.

  • An amendment to Clause 4(f) such that the data subject is informed not only when special categories of data are involved but when any form of personal data is involved.
  • An amendment to Clause 5(d)(i) such that the data importer's obligation to notify the data exporter of measures taken by law enforcement authorities is extended also to include prompt notification of the data subject.
  • An amendment of Clause 5(d) to include an additional obligation on the data importer to take legal proceedings against an order to disclose personal data and to resist a request of that kind to disclose personal data until a competent court in final instance orders the disclosure of the personal data.
  • An amendment to Clause 7(1) to delete the option of arbitration.
  • Incorporation of the illustrative indemnification clause set out in Appendix 2 to the SCC.

(g) Where possible we will also implement technical measures such as the use of pseudonymisation, encryption which is also effective against the recipient or the selection of a recipient who is protected under the law of the country to which the personal data is exported.

(h) Finally, we will re-evaluate the measures taken at appropriate intervals and, where necessary, adapt them.

(i) If using the above measures an adequate level of protection comparable to that pursuant to the GDPR cannot be achieved, we will refrain from transferring personal data to recipients in third countries.

Please contact our data protection officer (see Section A3) if you wish to receive further information on this matter.

Depending on the country in which your booking is made and in order to offer you particular services, we pass on, with your consent (see Section A8(1)) or on the basis of an adequacy decision pursuant to Article 45 of the GDPR, information about you to companies in our group which further process your personal data in accordance with the GDPR. Your personal data may be transferred to the following companies within the SCENIC Group:

  • Scenic Tours (USA) Inc, (on the basis of Article 49 GDPR)
  • Mayflower Cruises and Tours LLC USA, (on the basis of Article 49 GDPR)
  • Scenic Tours Pty Ltd Australia, (on the basis of Article 49 GDPR)
  • Scenic Tours (UK) Ltd UK, (on the basis of Article 49 GDPR)
  • ST Touring Canada Ltd Canada (on the basis of the adequacy decision pursuant to Article 45 GDPR).
  • Scenic Tours Europe AG, (auf Grundlage Art. 49 DS-GVO)
  • Scenic Ship Services CH & France, (auf Grundlage Art. 49 DS-GVO)

Within our corporate structure protection of the personal data transferred is ensured also by inter-company agreements, SCC, necessary additional safeguards and binding corporate rules.

(9) No automated decision-making (including profiling)

We do not intend to use personal data obtained from you in automated decision-making procedures (including profiling).

(10) No obligation to provide personal data

We do not make it a condition of entering into a contact with us that you have previously provided us with personal data. For you as a customer, there is in principle no statutory or contractual obligation to provide us with your personal data; it may be, however, that we can provide certain services only on a restricted basis or cannot provide them at all if you do not provide the necessary data. Where, exceptionally, this is the case in relation to the products offered, as set out below, we will draw your attention expressly to this fact.

(11) Statutory obligation to transfer certain data

Under certain circumstances we may be under a specific statutory or legal obligation to provide third parties, in particular, public bodies, with personal data that has been lawfully processed (Article 6(1)(c) GDPR).

(12) Your rights

You may at any time assert your rights, as a data subject, towards us in relation to your personal data using the contact details set out in Section A2. As a data subject you have the right:

  • pursuant to Article 15 of the GDPR, to access your data and obtain information. In particular you have the right to obtain information on the purposes of the processing, the categories of data, the categories of recipient to whom the data have been or will be disclosed, the envisaged storage period, the existence of the right to request rectification, erasure, restriction of the processing or to object to such processing, the existence of the right to lodge a complaint, the source of your data, if we did not collect them from you as well as on the existence of automated decision-making, including profiling, and, where applicable, meaningful information on its details;
  • pursuant to Article 16 of the GDPR, to obtain without undue delay the rectification of inaccurate data or to have your data stored by us completed;
  • pursuant to Article 17 of the GDPR, to obtain the erasure of your data stored by us unless the processing is necessary for exercising the right to freedom of expression and information, for the performance of a legal obligation, for public interest reasons or for the establishment, exercise or defence of legal claims;
  • pursuant to Article 18 of the GDPR, to obtain the restriction of processing of your data, where you contest the accuracy of the data or the processing is unlawful;
  • pursuant to Article 20 of the GDPR, to receive the data you have provided to us in a structured, commonly used and machine-readable format or to obtain their transmission to another controller (“data portability”);
  • pursuant to Article 21 of the GDPR, to object to the processing where the processing is based on Article 6(1)(e) or (f) of the GDPR. This is particularly the case where the processing is not necessary for the performance of a contract with you. Where the objection does not concern direct marketing, we request you to state the reasons, when exercising this right, why we should not process your data in the way we are. In the event that your objection is well founded, we will verify the situation and either cease or adapt the data processing or demonstrate to you our compelling legitimate grounds on which we will continue the processing;
  • pursuant to Article 7(3) of the GDPR, to withdraw in relation to us at any time your consent already given (also before the GDPR became applicable, i.e. before 25 May 2018) – in other words your freely given, informed and unambiguous statement of will expressed by way of a statement or clear affirmative action signifying your agreement with the processing of the personal data concerned for one or more specific purposes – if you have given us consent of that kind. This will mean that for the future we will no longer be permitted to continue with the data processing based on this consent.
  • pursuant to Article 77 of the GDPR, to lodge a complaint with a data protection supervisory authority concerning the processing of your personal data in our company, for example, with the data protection supervisory authority that is competent for us. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner. https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/task
(13) Amendments to the privacy notice


Our privacy notice is regularly reviewed in light of developments in data protection law and technological or organisational changes to determine whether amendments or additions are necessary. We will inform you of any amendments in particular on our German website www.scenic.eu or www.emeraldcruises.eu. This privacy notice is current as at April 2021, the date of publication of this notice.

Section B: Website visits and online booking

 

1) Explanation of the function

You can obtain information on our companies and the services we offer in particular at www.scenic.eu or www.emeraldcruises.eu together with all the associated webpages (hereinafter jointly referred to as “website”). When you visit our website and make an online travel booking your personal data may be collected, stored and processed.

(2) Collection and processing of personal data

When you use the website for informational purposes, we collect, store and further process the following categories of personal data:

“protocol data”: when you visit our website, a server log file is stored temporarily and in an anonymous form on our web server. This consists of:

  • the site from which the page was requested (referrer URL)
  • the name and URL of the page requested
  • the date and time the page was accessed
  • a description of the type, language and version of the browser used
  • the IP address of the client, which is shortened so that a connection to a particular user can no longer be established
  • the data volume transferred
  • the operating system
  • the report whether the request was successful (access status / HTTP status code)
  • the time zone difference from GMT

“Contact form data”: if you use a contact form, the data transmitted using the form will be processed (e.g. gender, last name and first name, address, company, email address, and time of the transmission).


In addition to the use of website for purely informational purposes, we offer the opportunity to subscribe to our newsletter, which we use to notify you of our latest offers. If you register for our newsletter, the following “newsletter data” will be collected, stored and further processed by us:

  • the site from which the page was requested (referrer URL)
  • the date and time the page was accessed
  • a description of the type of browser used
  • the IP address of the client, which is shortened so that a connection to a particular user can no longer be established
  • the email address
  • the date and time of the registration and confirmation

We wish to inform you that we analyse your user behaviour in connection with the newsletter we send. For this analysis, the emails sent include web beacons, also known as tracking pixels, which are single pixel image files which are stored on our website. For the analyses, we connect the abovementioned data and the web beacons with your email address and an individual ID. Links included in the newsletter also contain this ID. The data are collected only in an pseudonymised form, i.e. the IDs are not connected to the rest of your personal data, thus preventing the identification of the user.

“booking data”: to book travel online using our website, you must provide us when making the booking with your name (first and last names), contact details, address, post code, country/region/town or city, preferred salutation, email address, gender, phone number and date of birth. You must also provide us, where available, with details of your valid travel documents and visas. In addition, insurance data, relevant medical data, special dietary requests or other requirements on religious grounds or on grounds of a disability, credit card or other payment details may be collected and processed. We also collect and process certain information concerning your chosen cruise, for example, the cabin type.

(3) Purpose and legal basis for the data processing

We process the personal data detailed above in accordance with the provisions of the GDPR and other data protection rules applicable and only to the extent necessary. Where processing of personal data is based on Article 6(1)(f) of the GDPR, the purposes stated also constitute our legitimate interests.

The protocol data are processed for statistical purposes and to improve the quality of our website, in particular the stability and security of the connection (the legal basis is Article 6(1)(f) GDPR).

The contact form data are processed in order to deal with customer requests (the legal basis is Article 6(1)(b) or (f) GDPR).

The newsletter data are processed for the purpose of sending out the newsletter. When registering for our newsletter you consent to the processing of your personal data (the legal basis is Article 6(1)(a) GDPR). Registration for our newsletter is based on the double opt-in procedure. This means that following your registration we send an email to the email address provided requesting you to confirm that you wish to receive the newsletter. The purpose of this procedure is to evidence your registration and, should the case arise, to investigate a possible misuse of your personal data. You may withdraw your consent to the sending of the newsletter at any time and cancel the newsletter. You may withdraw your consent by clicking the link included in each newsletter email, by email to cruise@scenic.eu or by sending a message to the contact details stated in the legal notice.

The booking data are processed for the purpose of planning and managing your booking, making available and supplying the products and services you request and to assist you with your orders or any complaints. The booking data are processed on the basis of our contract with you (Article 6(1)(b) GDPR). The data relating to your travel documents and visas are processed to satisfy legal requirements in the ports visited, in other words, on the basis of an existing legal obligation (Article 6(1)(c) GDPR). The use of phone numbers, email address and postal address for customer services purposes, i.e. in particular to provide advice and to answer your questions in connection with the travel booked, is based on your consent (Article 6(1)(a) GDPR) or for the performance of a contract (Article 6(1)(b) GDPR).

(4) Period for which the data are processed

Your data will only be processed for as long as is necessary to achieve the abovementioned processing purposes; in this connection, the legal bases stated in relation to the processing purposes apply mutatis mutandis. In relation to the use of cookies and the period for which they are stored please consult Section A5 and the cookie policy [www.scenic.eu/cookies-policy or www.emeraldcruises.eu/cookies-policy].

Third parties used by us will store your data on their system for as long as is necessary in connection with the provision of the services for us in accordance with the specific agreement.

For more information on the retention period please see Section A5 and the cookie policy [www.scenic.eu/cookies-policy or www.emeraldcruises.eu/cookies-policy].

(5) Transfer of personal data to third parties; justification

The following categories of recipients, which, as a rule, are processors (see Section A7), may, in certain cases, have access to your personal data:

  • Service providers for the operation of our website and for the processing of the data transferred or stored on the systems (e.g. for computer centre services, payment processing, IT security). In this case, the legal basis for the transfer is Article 6(1)(b) or (f) of the GDPR, unless the recipient is a processor;
  • Public bodies /authorities to the extent this is necessary for compliance with a legal obligation. In this case, the legal basis for the transfer is Article 6(1)(c) of the GDPR;
  • Persons used for the purposes of our business operations (e.g. auditors, banks, insurance companies, legal advisers, supervisory authorities, participants in company acquisitions or the establishment of joint ventures). In this case, the legal basis for the transfer is Article 6(1)(b) or (f) of the GDPR;

On the safeguards in place to ensure an appropriate level of protection where data are transferred to third countries see section A8.

Further, we only transfer your personal data to third parties where you have given us express consent to do so as specified in Article 6(1)(a) of the GDPR.

(6) Use of cookies, plugins and other services on our website

(a) Cookies

We use cookies on our website. Cookies are small text files which are saved on your hard drive identifying your browser using a unique string and which send certain information to the party that has placed the cookie. Cookies cannot run programmes or load viruses on to your computer and are therefore not harmful. They are intended to make the website as a whole more user-friendly and effective, in other words, more comfortable for you.

Cookies may include data which make it possible to recognise the device used. In other cases cookies merely include information on certain settings which are not user related. However, cookies cannot identify a user directly.

A distinction is made between session cookies which are deleted as soon as you close your browser and persistent cookies which are stored beyond an individual session. In terms of their function, a further distinction is made between:

  • Technical cookies: these are essential in order to navigate the website, to use basic functions and to ensure the security of the website; they do not collect information about you for marketing purposes nor do they store the pages you have visited.
  • Performance cookies: these collect information about how you use our website, which pages you visit and e.g. if errors occur while using the website; they do not collect any information that could identify you – all the information collected is anonymous and is only used to improve our website and find out what interests our users;
  • Advertising cookies, targeting cookies: the purpose of these is to offer the website user targeted advertising on the website or third party offers and to measure the effectiveness of these offers; advertising and targeting cookies are stored for 13 months at the most.
  • Sharing cookies: the purpose of these is to improve the interactiveness of our website with other services (e.g. social networks); sharing cookies are stored for 13 months at the most.

Any use of cookies which is not technically essential constitutes a processing of data which is only permitted with an express and active consent on your part as specified in Article 6(1)(a) of the GDPR. This applies in particular to the use of advertising, targeting or sharing cookies. In addition, we only transfer your personal data processed by cookies to third parties where you have given us express consent to do so as specified in Article 6(1)(a) of the GDPR.

(b) Cookie policy

You can find further information on which cookies we use and how you can manage your cookie settings and deactivate certain types of tracking in our cookie policy [www.scenic.eu/cookies-policy or www.emeraldcruises.eu/cookies-policy].

(c) Social media plugins


We do not use social media plugins on our website. Where our website include the symbols of social media providers (e.g. Facebook, Instagram, Youtube, Twitter), we use these only to link passively with the website of the provider concerned.

Section C. Travelling on our tours

 

(1) Explanation of the function

When you travel on a tour and on board ship your personal data may be collected, stored and processed in order to ensure the provision of services in accordance with the contract, safety on board and the performance of additional services used by you the customer.

(2) Collection and processing of personal data

When you travel on a tour and on board ship, we collect, store and further process the following categories of personal data:

When you board the ship and move about on board, we process a photograph of your face as well as photographs of the faces of your fellow travellers. These photographs are taken during the check-in process. In addition, we capture and process the constant image recording made by the security cameras.

When calling at our destination ports we collect and process the notifiable diseases of passengers in each destination port for the purposes of the international maritime declaration of health.

When you purchase goods and services on board, we process personal identification data (e.g. name and cabin number) and payment data (e.g. on board payment card, credit and debit card numbers, name of the credit card, expiry date, CV2 number, title, first, middle and last name, date of birth, gender, address, city/town, country/region/province/town, email address, phone number), details of the products and services purchased, and leisure activities and interests.

We store and process requests and complaints that you make on board in order to deal with your wishes in the best way possible. In addition we may use the content of the request, complaint or comment to improve our service on board.

When travelling in international waters or to countries outside of the Schengen Area, passports will be collected to meet the visa and entry and exit requirements of the country concerned. During your tour we will show your passport to the port authorities, and, where applicable, also to port authorities in countries outside of the European Economic Area, that are responsible for entry and exit for processing.

To ensure security on board, all persons who are present on board will be registered. This is done as a precaution to deal with any crisis situation arising and to ensure the safety of all passengers during the cruise. For these purposes, your name, cabin number, a photograph of you, date of birth, your fellow travellers, port of embarkation, port of disembarkation and information on particular needs which may require special assistance in an emergency will be collected and processed.

Further data processing activities on board: Certain additional information about you may be recorded during the cruise in paper form to allow you to participate in certain activities chosen by you or to deal with requests for certain packages.

(3) Purpose and legal basis for the data processing

We process the personal data detailed above in accordance with the provisions of the GDPR and other data protection rules applicable and only to the extent necessary. Where processing of personal data is based on Article 6(1)(f) of the GDPR, the purposes stated also constitute our legitimate interests.

We must process your personal data to operate your travel, to ensure your safety and that of the other passengers and of the ship, to manage your booking, to make available the products and services you request and to assist you with orders and possible claims for a refund. In detail, these are in particular the following purposes:

Personal data are processed for the purposes of planning and operating the travel you have booked (cruise, river tour, shore excursion) on the basis of the processing for the performance of a contract (Article 6(1)(b) GDPR and, where applicable, in conjunction with Article 49(1)(b) GDPR).

Personal data are processed when using or purchasing products or services on board as well as participating in activities on the basis of processing for the performance of a contract (Article 6(1)(b) GDPR and, where applicable, in conjunction with Article 49(1)(b) GDPR).

Personal data are processed and passed on to entry and exit ports in the context of your booked tour on the basis of the processing for the performance of a contract (Article 6(1)(b) GDPR and, where applicable, in conjunction with Article 49(1)(b) GDPR) or overriding legitimate interests which consist in observing the local requirements to enter the country concerned.

The legal basis for collecting your passport is performance of the obligations under the travel contract made with you as specified in Article 6(1)(b) of the GDPR. Passports will be collected, stored securely and returned to you at the end of the tour. The purpose of this is to satisfy the visa and entry and exit requirements of destination points and to facilitate your entry and exit. Personal data are processed and passed on to hotels and restaurants (in certain cases in third countries outside the EU) on the basis of processing for the performance of a contract (Article 6(1)(b) GDPR and, where applicable, in conjunction with Article 49(1)(b) GDPR).

Personal data are processed and passed on to coach operators and airlines when booking an arrival and/or departure package (in certain cases in third countries outside the EU) on the basis of processing for the performance of a contract (Article 6(1)(b) GDPR and, where applicable, in conjunction with Article 49(1)(b) GDPR) and, where applicable, consent given when providing data concerning health (Article 9(2)(a) GDPR).

Emergency contact details: name, phone number and family relationship are processed and stored on the basis of overriding legitimate interests (Article 6(1)(f) GDPR). The legitimate interest in storing these data is to allow us to notify your relatives of unforeseen emergencies and, where necessary, to make inquiries as well as to implement and/or coordinate measures that are in your interest.


The processing of relevant data as a reaction to and management of safety incidents, disruptions or other similar unforeseen events on board. These can include medical or insurance-related data. Personal data are processed for the purpose of protecting vital interests (Article 6(1)(d) GDPR) and on the basis of overriding legitimate interests (Article 6(1)(f) GDPR). The overriding legitimate interest is the ability to react to unforeseen events during the course of the tour.

Requests and complaints: We process these data in connection with our supply of services to you, in other words, on the basis of the booking contract (Article 6(1)(b) GDPR). Where we use requests and complaints as the basis for service improvements, we restrict as far as possible the use of any data by which you could be personally identified. We process your personal data in accordance with Article 6(1)(f) of the GDPR to develop our services with a view to ensuring that our guests enjoy a pleasant stay on board.

Guaranteeing safety: We process these data on the basis of the need to ensure public safety on board and to manage possible crisis situations. For these purposes, video recording cameras are installed in the entry and exit areas and in all public areas of the ship. In special cases we check your personal data against publicly accessible databases where this is warranted in the interest of the safety of the ship and the passengers on board (Article 6(1)(b) GDPR). In the framework of our customer loyalty programme we collect and process your LOYALTY LEVEL data using an identity number assigned specifically to you, which contains information on your points balance, your LOYALTY MEMBER activities, milestones reached and your current club status. These data are first collected when you join the customer loyalty programme and are updated each time you make a booking or when other activities take place on your customer loyalty account. Where we plan, conduct and provide assistance for a legally valid marriage ceremony, a registered partnership ceremony or a symbolic exchange of marriage vows, the processing of personal data is for the performance of a contract (Article 6(1)(b) GDPR). Further data processing activities on board involving the processing of personal data are carried out on the basis of our contract with you (Article 6(1)(b) GDPR).

(4) Period for which data are processed

Your data will only be processed for as long as is necessary to achieve the abovementioned processing purposes; in this connection, the legal bases stated in relation to the processing purposes apply mutatis mutandis. Third parties used by us will store your data on their system for as long as is necessary in connection with the provision of the services for us in accordance with the specific agreement. For further information, see Section A5.

(5) Transfer of personal data to third parties; justification

The following categories of recipients, which, as a rule, are processors (see Section A7), may, in certain cases, have access to your personal data:

  • Suppliers, trading partners, concessionaires on board ship, suppliers of services on board ship and on shore (excursions, sightseeing, restaurants and shops, etc), insurance agents (e.g. if it is necessary to claim on your insurance during a cruise). The legal basis for the transfer is Article 6(1)(b) or (f) of the GDPR and, where applicable, in conjunction with Article 49(1)(b), unless the recipient is a processor;
  • Public bodies /authorities and port authorities to the extent this is necessary for compliance with a legal obligation The legal basis for the transfer is Article 6(1)(c) of the GDPR;
  • Persons used for the purposes of our business operations (e.g. auditors, banks, insurance companies, legal advisers, supervisory authorities, participants in company acquisitions or the establishment of joint ventures). In this case, the legal basis for the transfer is Article 6(1)(b) or (f) of the GDPR.

On the safeguards in place to ensure an appropriate level of protection where data are transferred to third countries see Section A8.

Further, we only transfer your personal data to third parties where you have given us express consent to do so as specified in Article 6(1)(a) of the GDPR.