EFFECTIVE DATE: May 25, 2018
Crystal Cruises, LLC (“Crystal Cruises” or “we”) recognizes the importance of protecting the privacy of all information provided by users of crystalcruises.com (the “Site”) or Crystal Cruises in general. We created the following policy guidelines with a fundamental respect for our users' right to privacy and because we value our relationships with our users.
For other key definitions please refer to the Appendix A – Key Terms section of this Policy.
II. HOW DATA IS COLLECTED
Information you provide to us
Crystal Cruises will collect personal data from you when you interact with our Site(s), contact our Agents, use our services, or purchase our products, as further described below.
Information we obtain indirectly
We may receive personal data about you from our third-party affiliates or partners and from marketing companies that provide us with such information as a part of their relationship with us. More information is set out below.
We may combine this with data that we already have collected about you. Such collected data could include contact details (such as email address) and previous purchase history or interests.
Information collected automatically
Crystal Cruises feels strongly about protecting the privacy of children. No personal data should be submitted to Crystal Cruises by users under the age of 13. Children under the age of 13 may not access those sections of the Site that require registration.
III. CATEGORIES OF GUEST PERSONAL DATA AND PURPOSE FOR PROCESSING
Crystal Cruises collects and processes the following categories of Guest Personal Data, for the purposes specified below:
|Categories of Guest Personal Data||Purpose of processing|
• Communicate, interact and identify you and customize the content, products and services that are offered to you;
• Conduct our business and improve our Sites and services, develop new products and services, provide information and support, to better understand your needs and interests, personalize communications and advertising, and generally promote a quality experience for you.
• Process transactions you enter into with us (e.g., purchase of goods and services, refunds, discounts and offers)
• Perform certain automated decision-making, including profiling, which is used for direct marketing
• Comply with legal requirements
• Verify your authority to enter and use our Site and other services
• Health information prior to embarkation
• Casino third parties related to marketing and background checks
• Measure, analyze and improve our products and services, the effectiveness of our websites, and our advertising and marketing
The type of Guest Personal Data collected by Crystal Cruises may vary from country to country, and in some countries Crystal Cruises might not collect all of the categories of Guest Personal Data listed above.
If you are a resident of the State of California and would like to learn how your “personal information” (as defined in the Shine the Light Law, Cal. Civ. Code § 1798.83) is shared with third parties, what categories of personal information we have shared with third parties in the preceding year, as well as the names and addresses of those third parties, please e-mail us at: firstname.lastname@example.org; call us at: 786-971-1170; or send us mail to: Crystal Cruises, Attention: Website Privacy Questions, 1501 Biscayne Boulevard, Suite 501, Miami, FL 33132.
Crystal Cruises is committed to only collecting and processing the minimum amount of data from you that is necessary to the purposes of our data processing activities, and to retaining such data only if required to fulfill such purposes. Where applicable, if Crystal Cruises intends to further process the personal data for a purpose other than that for which the personal data was initially collected, Crystal Cruises shall, prior to such processing, provide you with any relevant information on such additional purpose, and, to the extent required by applicable law, obtain your consent for this.
IV. THE LEGAL GROUNDS FOR PROCESSING GUEST PERSONAL DATA
In most instances, we process your personal data under the legitimate interests of providing you products and services related to your voyage. In other instances, we obtain your consent to process your personal data where we are required to do so by applicable law – for example, where we want to use your contact details for marketing purposes or where the personal data we are collecting from you is sensitive personal data (defined below) and we are not lawfully permitted to process your personal data on any other legal grounds. Where we rely on your consent for processing your personal data, you may withdraw your consent at any time, by contacting us at email@example.com.
Please note, however, that withdrawing your consent will not affect the lawfulness of processing based on the consent you gave prior to withdrawal.
Where we process your personal data for direct marketing purposes, we will log your objection to and stop such processing of your data, and we will not contact you again if requested. You may object to such direct marketing by clicking the unsubscribe link in each such direct marketing message or contacting us at firstname.lastname@example.org or by using the contact details below.
While we always want you to be aware of how we are using your personal information, this does not necessarily mean in every instance that we are required to ask for your consent before we can use it. There may be instances where we process your personal data for our legitimate interests (furthering our business relationship with you) or on the basis of other lawful grounds (i.e., because we have established a relationship with you and need to process your personal data in order to provide you with the information and/or services you have requested), without having obtained your consent. We do not seek your consent in such cases largely so that we can provide you with services in an efficient way (or where in some cases it might not be possible for us to seek your consent because we must process personal data, for example, for the detection of fraud). Before processing your personal data, we will consider your rights and freedoms and will only commence such processing where we do not think your rights will be infringed.
Except as otherwise provided in this Policy, only a limited number of individuals within Crystal Cruises’ legal, finance, IT, accounting and customer care departments, as well as certain managers (i.e., only persons with assigned responsibility or managerial responsibility for a Guest or groups of Guests) will receive access to Guest Personal Data when necessary in connection with their job responsibilities.
If you provide Crystal Cruises with personal data about members of your family and/or other dependents (e.g., for emergency contact or benefits administration purposes), it is your responsibility to inform them of their rights relating to the processing of their personal data for these purposes. You are also responsible for obtaining the explicit consent of these individuals (unless you are authorized to provide such consent on their behalf) to the processing (including disclosure and transfer) of that personal data for the purposes set out in this Policy.
V. DISCLOSURES OF GUEST PERSONAL DATA TO THIRD PARTIES
Disclosures to third parties
We do not sell your personal data to third parties for their own marketing purposes. We may share or disclose your personal data as follows:
• To affiliated and unaffiliated service providers for the sole purpose of enabling them to provide services to us in connection with providing our services to you;
• Based on a good faith belief that such disclosure is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violation of our policy, as evidence in litigation in which we are involved, or to otherwise protect the rights or safety of any person or entity;
• Based on a good-faith belief that disclosure is necessary to respond to judicial process, valid government inquiry, or is otherwise required by law;
• If we are acquired by or merged with another entity, if all or part of our assets are acquired, or in response to a bankruptcy proceeding, we may transfer your information to the acquiring entity;
• When posted by you or an authorized third-party, to our wikis, forums, blogs, message boards, chat rooms and other social networking environments or Sites;
• We also may share aggregate or non-personally identifiable data about users with third parties for marketing, advertising, research, analytics or similar purposes; and
• To other third parties for purposes you have allowed or consented to.
Transfers out of the EEA and Switzerland
Some service providers and other recipients may be located in countries outside of the European Economic Area (EEA) or Switzerland; the data protection laws in such countries may not provide a level of protection to Guest Personal Data equivalent to that provided by a Guest’s home country.
Wherever such a transfer is made, Crystal Cruises will (i) exercise appropriate due diligence in the selection of such third party service providers, (ii) ensure that Guest Personal Data is adequately protected via appropriate contractual measures (which shall include the European Commission Model Clauses where Guest Personal Data is transferred out of the EEA), and (iii) place such third party service providers under such contractual obligations as are required under applicable law (including that Guest Personal Data be processed only as instructed by Crystal Cruises and for no other purposes than those identified in this Policy). Guests may request and obtain a copy of the contractual measures taken by Crystal Cruises to ensure appropriate safeguards when personal data is transferred outside of the European Union or Switzerland.
Crystal Cruises may also disclose Guest Personal Data to governmental agencies and regulators (e.g., tax authorities), external advisors (e.g., lawyers, accountants, and auditors), courts and other tribunals, and government authorities or in the context of any sale or transaction involving all or a portion of the business, all to the extent required or permitted by applicable legal obligations.
Location of data processing and security measures
If you choose to provide us with your personal data, you understand that we are transferring it to Crystal Cruises’ locations and systems in the United States or to the locations and systems of Crystal Cruises’ service providers around the world. Crystal Cruises has safeguards and security controls in place to protect your personal data. This includes appropriate technical and organizational measures to protect the personal data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the data. Crystal Cruises obtains written assurances from any third-party data processors given access to your data so as to require them to adopt standards that ensure an equivalent level of protection for data as that adopted by Crystal Cruises.
Social Media Websites / Interactive Services
If you engage in any interaction with us or other end-users or any third-party on any social media websites on which we have a page/account (e.g., Facebook®, Instagram®, Pinterest®, Twitter® and YouTube®) or any interactive features on the Site (e.g., comments sections, customer ratings), you should be aware that: (a) the personal data that you submit by and through such social media websites or interactive features, as applicable, can be read, collected and/or used by other users of these social media websites (depending on your privacy settings associated with your accounts with the applicable social media website) or our interactive features, and could be used to send you unsolicited messages or otherwise to contact you without your consent or desire; and (b) where we respond to any interaction on such social media websites, your account name/handle may be viewable by any and all members/users of our social media accounts. We are not responsible for the personal data that you choose to submit on any social media websites or interactive features on the Site. The social media websites operate independently from us, and we are not responsible for their interfaces or privacy or security practices. We encourage you to review the privacy policies and settings of those social media websites with which you interact to help you understand their privacy practices. If you have questions about the security and privacy settings of such social media websites, please refer to their applicable privacy notices or policies.
Third Party Websites
This Site may contain links to third-party owned and/or operated websites including, without limitation, the social media websites described above. We are not responsible for the privacy practices or the content of such websites. In some cases, you may be able to make a purchase through one of these third-party websites. In these instances, you may be required to provide certain information to register or complete a transaction at such website. These third-party websites have separate privacy and data collection practices and we have no responsibility or liability relating to them.
VI. YOUR DATA SUBJECT RIGHTS
You can contact us directly any time at the address below to update your personal data or make another type of request regarding the data you know or believe Crystal Cruises holds about you. You, as a data subject with Guest Personal Data held by Crystal Cruises as the controller, have the right to request from Crystal Cruises:
(1) Access to your Guest Personal Data
You may contact Crystal Cruises at any time in order to request access to the personal data Crystal Cruises holds about you. Crystal Cruises will provide details of the categories of personal data processed and the reasons for our processing. Crystal Cruises can also provide you with a copy of your personal data on request.
(2) Rectification or Erasure of your Guest Personal Data
If you notify us, or we otherwise become aware, that the personal data we hold is inaccurate, Crystal Cruises will not use it, and will not allow others to use it, until it is verified. You can ask Crystal Cruises to correct or complete our record of your personal data by contacting us at any time. To the extent possible, Crystal Cruises will inform anyone who has received your personal data of any corrections.
You may, in certain limited circumstances where the processing is not necessary in the context of your cruise or other services we provide to you, ask to have the personal data Crystal Cruises directly or indirectly processes deleted or removed. If the request is founded, Crystal Cruises will try to do so promptly, and, to the extent possible, will inform anyone who has received your personal data of your request.
(3) Restriction of Processing
It may be possible to require Crystal Cruises to limit the way in which it processes your personal data (i.e., require Crystal Cruises to continue to store your personal data, but cease certain processing activities with regard to it) where (i) you contest the accuracy of the personal data we have for you, (ii) you believe our processing of your personal data is unlawful (but you oppose the erasure of your personal data and prefer that our processing be restricted instead), (iii) we no longer need your personal data but you require such personal data for the establishment, exercise or defense of legal claims or (iv) you have objected to our processing pending the verification of our legitimate grounds for processing.
(4) Halting of Processing based on an objection
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. If Crystal Cruises can show sufficiently compelling legitimate grounds for processing your personal data, or Crystal Cruises needs your data to establish, exercise or defend legal claims, Crystal Cruises may continue to process it. Otherwise, Crystal Cruises will stop using your personal data.
(5) Personal data portability – The ability to move Guest Personal Data to another controller
You have the right to data portability in certain limited circumstances, where a) you provided the data to Crystal Cruises, b) our processing is based on your consent or is necessary to fulfill a contract with you, and c) our processing is automated. Crystal Cruises may refuse your request if these criteria are not met.
(6) To withdraw your consent to Crystal Cruises’ Processing of your Guest Personal Data
Where we have relied on your consent as the legal grounds for processing, you may withdraw your consent at any time. Withdrawal does not invalidate the consent-based processing that occurred prior to withdrawal.
(7) To complain
You may contact us at any time where you believe that we are in breach of data protection laws or where you wish to make a complaint about our data processing. Furthermore, if you are located in the EEA and you believe that our processing of your personal data is in breach of data protection laws, you have the right to lodge a complaint with the relevant data protection supervisory authority in the country where you are based or any place in the EEA where you believe the infringement has occurred (or where you believe that we have not resolved an issue you have raised with us).
Responding to your requests
Crystal Cruises shall provide you with a response to any request you make in connection with your rights without undue delay and in any event within one month of receipt of the request. That period may be extended by up to two additional months where necessary, taking into account the complexity and number of the requests. Crystal Cruises shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Where you make the request by electronic means, the data shall be provided by electronic means where possible, unless otherwise requested by you.
If, after evaluating the legitimacy of the request, Crystal Cruises does not take action on the request, Crystal Cruises shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
VII. SECURITY & RETENTION
Crystal Cruises maintains technical and organizational security measures to protect against unauthorized or unlawful processing of Guest Personal Data and accidental or unlawful loss, alteration, disclosure, destruction or damage of, or access to, Guest Personal Data.
Please be advised, however, that while we take reasonable security measures to protect your data, such measures cannot be guaranteed to be 100% secure.
Crystal Cruises will retain Guest Personal Data no longer than is necessary to carry out the purposes listed in this Policy and/or as required by applicable law or in connection with actual or prospective legal proceedings.
We reserve the right to change, modify, add or remove portions of this statement from time to time and at our sole discretion, but will alert you that changes have been made either by email or other indication on our Site. We will always include on this Policy the date of its effectiveness (see Effective Date above). Where required to do so by law, Crystal Cruises may need to re-obtain your consent for certain processing activities for material changes to this Policy or our data processing activities.
IX. QUESTIONS & CONCERNS
Guests who have questions, comments or access requests related to the transfer of their Guest Personal Data to the United States can also contact the Crystal Cruises Global Privacy Team at:
1501 Biscayne Boulevard
Miami, FL 33132
APPENDIX A – KEY TERMS
Controller: a natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Processor: A natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller.
Processing: Almost any use of personal data, such as collecting, organizing, analyzing, storing, altering, disclosing, transferring, or archiving data.
Data subject: An individual whose personal data is being processed.
Personal data: Any data by which a natural person can be identified, directly or indirectly, or located. Any information that in combination with other non-personal data can reasonably be used to identify a natural person. Data that is anonymized or de-identified for statistical evaluations or studies are not subject to this definition.
Sensitive personal data: A subset of personal data, which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.
A cookie is a small data file that websites place on your hard drive when you visit. A cookie file can contain information such as a user ID that tracks the pages you’ve visited within that site. The cookies on this Site are primarily used to recognize
Types of Cookies We Use
Strictly Necessary Cookies: These are essential to navigate around our Site and use its features. Without them, you would not be able to use basic services like account registration. These cookies do not collect information about you that could be used for marketing or tracking.
Functionality Cookies: These are used to recognize you when you return to our Site, enabling us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
Tracking Cookies: These cookies enable us to collect information such as number of visitors to the Site and pages visited in order to analyze user behavior. This information is collected in an anonymous format and will be collated with similar information received from other users. We use these cookies to determine the usefulness of the information we supply to you and other users, to track your purchases from this site, and to see how effective our navigation is in helping users reach that information.
If you prefer not to receive cookies through the Site, you can set your browser to warn you before accepting cookies and refuse the cookie when your browser alerts you to its presence. You also can refuse all cookies by turning them off in your browser. You do not need to have cookies turned on to use any pages within our Site. However, if you choose not to accept cookies, some functionality will be limited. For more information about cookies, including how to set your browser to reject cookies, visit www.allaboutcookies.org.
Some of the cookies we use will remain on your computer after the browser is closed. Until removed, the cookies will become active again when the Site is reopened. Cookies can be deleted by you, at any time, and will not collect any information when you are not accessing the Site.
Other Tracking Technologies
In addition to cookies, our Site also utilizes the following tracking technologies:
• Web beacons: Our Site contains electronic images known as web beacons (also called single-pixel gifs and transparent graphic images). We use web beacons/pixels to understand aggregate traffic to our website pages. Third parties use tracking pixels according to their
• Embedded script: An embedded script is programming code that is designed to collect information about your interactions with the Site, such as the links you click on. The code is temporarily downloaded onto your device from our web server or a third-party service provider, is active only while you are connected to the Site and is deactivated or deleted thereafter. We use web embedded scripts to understand aggregate traffic to our website pages.
• Web server & application logs: Our servers automatically collect certain information to help us administer and protect the services we provide, analyze usage, and improve users’ experience. The information collected includes the following:
- IP address and browser type;
- Device operating system and other technical facts;
- The city, state and country from which you access the Website;
- Pages visited, and content viewed and stored;
- Information or text entered;
- Links and buttons clicked (i.e., IP address information such as the referring and destination URL).
Crystal Cruises, LLC
Update Ver. 05.31.18