RAGUSA XPRESS LIMITED

PRIVACY NOTICE

This Privacy Notice is dated 28th February 2024.

1. Introduction

We, RAGUSA XPRESS LIMITED, are a company registered in Malta, with company registration number C- 82662, of Ta’ Clara Farmhouse, Ramla Road, Maghtab, Naxxar, NXR 6544, Malta (the “Company”, “we”, “us” or “our”). We currently provide and operate a passenger ferry service between Malta and Ragusa, Sicily, although we may in the future expand this to include other routes (the “Services”).

This Privacy Notice (the “Notice”) is addressed to our customers (or passengers) such as yourself and explains how we collect and process personal data about them.

Where you provide us with personal data relating to other passengers included in your booking, please ensure that you draw their attention to this Notice, as it is also relevant to them. By providing us with such details, you are also confirming that you have informed the passenger that you have shared his or her personal data with us, and that the passenger has both received this Notice and understands that we will collect and process that personal data in accordance with, and for the purposes set out in, this Notice.

PLEASE READ this notice carefully and share with any passengers included in your booking.

2. Controller

We are providing this Notice as the controller of your personal data. We process all personal data in an appropriate and lawful manner, in accordance with the Data Protection Act, Chapter 586 of the laws of Malta (the “Act”) and the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”).

This Notice aims to ensure that you are fully informed on how we will process your personal data. It informs you about the items of personal data which we will collect about you and describes how we will handle it (regardless of the way you interact with us, whether by email, phone, social media platforms, through a travel agent or otherwise). It also provides information on how to exercise your rights as a data subject.

It is important that you read this Notice, together with any other notice that we may provide on specific occasions when we are processing personal data about you, so that you are fully aware of how and why we are using your personal data. This Notice supplements any other notices and is not intended to override them.

If you have any questions relating to this Notice, including any requests to exercise your legal rights (which are outlined in Section 12), please contact us by email or in writing, using the contact details set out below:

Contact details:

  • Full name of legal entity: RAGUSA XPRESS LIMITED
  • Email address: info@ragusaxpress.com
  • Postal address: Ta’ Clara, Ramla Road, Maghtab L/O Naxxar, Malta

Please use the words ‘Data Protection Matter’ in the subject line of your communication to us.

3. Key Definitions

Set out below are key definitions of certain terms which appear in, and apply to, this Notice:

  • “data subjects” means living, natural persons about whom we process personal data;
  • “data controller” or “controller” means any entity or individual who determines the purposes for which, and the manner in which, any personal data is processed;
  • “data processor” or “processor” means any entity or individual that processes data on our behalf and on our instructions (we being the data controller);
  • “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679);
  • “legitimate interest” means our interest to conduct and manage our business appropriately and responsibly, to protect the reputation of our business, and to provide the best possible services. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests;
  • “personal data” means data relating to a living individual (i.e., natural person) who can be identified from the data we possess about him or her. This includes, but is not limited to, your name and surname, address, date of birth, contact details. The term “personal information”, where and when used in this Notice, shall have the same meaning as personal data;
  • “processing” means any activity or set of operations that involves use of personal data. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties; and
  • “sensitive personal data” or “special categories of personal data” includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life or his or her biometric data.

4. Personal Data Which We Collect

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and disclose different kinds of personal data about you, which we have grouped together as follows:

  • Identity Data: includes your name, surname, gender, nationality, country of birth, age and date of birth, identity card or passport document number and expiry date, visa or permit number;
  • Contact Data: includes your e-mail address, physical address, mobile or phone number, emergency contact details (including name, surname, relation, mobile or phone number);
  • Booking Data: includes information about your booking, such as the other passengers included in your booking and their age group, dates and time of your booking and travel, vehicle type, vehicle registration number and country/region of registration, ferry seating class, ferry seating choice/number;
  • Payment Data: payment amount, method of payment, billing address; and
  • Marketing Data: includes your preferences to receive marketing materials from us (and in what format), communications about our loyalty scheme and your communication preferences.

If you fail to provide personal data

Where we need to collect personal data about you in order to process your booking or otherwise provide our Services, and you fail to provide that data when requested, we may have to refuse your booking or otherwise cancel it and refuse to provide the Services. We will duly notify and inform you if this is the case at the time.

Sensitive Personal Data

Passenger safety is highly important to us.

When placing a booking with us, we will ask whether you or anyone travelling with you requires any special assistance so that we can ensure that you/they are able to use and enjoy our ferry service safely and comfortably. We only collect and process this data to provide the particular assistance required.

Providing this information is entirely voluntary and we will only process it with your consent or, as the case may be, the consent of the other passenger. You are not obliged to inform us that you or anyone travelling with you requires such assistance or disclose further details about it. Note however that, without it, we might not be in a position to provide or make available the special assistance which you require or else provide it effectively.

There may be other occasions where we may need to process your sensitive personal data, most particularly to:

  • deal with any issues or complaints relating to the special assistance requested or provided to you;
  • establish, exercise, or defend any legal claims relating to or otherwise involving you.

We only process personal data about minors (i.e., persons under 18) in the situations described below:

  • Where a minor uses our Services (i.e., travels with us), whether accompanied or unaccompanied; and
  • Where a minor requires special assistance to use our Services.

We will only however do so upon confirmation from a person with parental responsibility over the minor.

5. How is Your Personal Data Collected?

The personal data we process about you is collected and generated from a variety of sources, as follows:

  • From our direct interactions with you: This includes personal data you provide when you submit / place a booking with us, which can be placed or inputted through our website. Additionally, when you purchase any of our products or services aboard the ferry, subscribe to our marketing communications and/or loyalty scheme, enter any competition or promotion which we organise, complete any survey or questionnaire about our Services, submit any feedback or complaints, create an account with us, or otherwise communicate with us in person, or correspond with us via phone, email, text messaging, post, our website, our social media or otherwise.
  • From third parties: This includes business partners, travel agents or corporate customers who place group bookings with us and include you in that booking.

6. How We Use Your Personal Data

We have set out below, in table format, a description of all the ways we plan to use your personal data, and the legal bases in terms of the GDPR which we rely upon to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data pursuant to more than one lawful ground or basis, depending on the specific purpose for which we are using your personal data.

Purpose/Activity | Type of data | Lawful basis for processing, including legitimate interest

Bookings

Purpose/Activity:

  • To process and manage your bookings and issue tickets;
  • To administer and provide you with the services requested in your bookings;
  • To charge you and, where appropriate, issue refunds;
  • To communicate important information and/or updates about your booking with you.

Type of data:

  • Identity Data;
  • Contact Data;
  • Booking Data;
  • Payment Data.

Lawful basis for processing:

  • Necessary for the performance of a contract with you;
  • Necessary for our legitimate interests (namely to use your data in order to fulfil and manage your booking arrangements, and to operate our business as a ferry service provider).

Passenger Lists

Purpose/Activity:

  • To create, record and maintain passenger lists / registers;
  • To report passenger registration data to applicable authorities.

Type of data:

  • Identity Data;
  • Contact Data;
  • Booking Data.

Lawful basis for processing:

  • Necessary to comply with a legal obligation (namely, requirements / rules relating to counting and registration of persons on board passenger ships).

Accounting

Purpose/Activity:

  • For legal, tax and accounting purposes (e.g. reporting to tax and regulatory authorities, and accounting record requirements);
  • To collect and recover debts owed to us (debt recovery);
  • For billing, invoice and internal record keeping requirements.

Type of data:

  • Identity Data;
  • Contact Data;
  • Booking Data;
  • Payment Data.

Lawful basis for processing:

  • Performance of a contract with you.
  • Necessary to comply with a legal obligation (namely, accounting and other record-keeping requirements).
  • Necessary for our legitimate interests (in particular, to be able to enforce our rights and recover debts due to us).

Marketing

Purpose/Activity:

  • To receive direct marketing, communications about our loyalty scheme(s), and news, offers, coupons, and any promotions from us including via mail, email and/or text messages.
  • To allow you to participate in any surveys, competitions or other promotional activities which we may organise from time to time.

Type of data:

  • Identity Data;
  • Contact Data;
  • Marketing Data.

Lawful basis for processing:

  • Data subject consent (we will ask for your consent to subscribe to our marketing, loyalty scheme, and other promotional communications from us).

Passenger Special Assistance

Purpose/Activity:

  • To provide you with the special assistance which you request.

Type of data:

  • Identity Data;
  • Contact Data;
  • Booking Data; and
  • Sensitive Data (health information – only as required to provide you with the requested special assistance).

Lawful basis for processing:

  • Explicit consent; or
  • Where necessary to protect your vital interests in an emergency and provided you are incapable of giving consent.

Relationship Management

Purpose/Activity:

  • To manage our relationship with you, including to:
    - notify you of changes to this Notice or our terms of service;
    - notify you of any operational changes, including but not limited to our Services or to our website;
    - respond to and address any queries, feedback, complaints, or issues you may raise with us;
    - respond to any social media reviews, posts, or other public comments you make about us.

Type of data:

  • Identity Data;
  • Contact Data;
  • Booking Data;
  • Payment Data;
  • Marketing Data; and
  • Sensitive Data (health information – only as required to deal with feedback/complaints about specific issues relating to special assistance).

Lawful basis for processing:

  • Performance of a contract with you.
  • Necessary for our legitimate interests (to keep track of our services to you, including their status, and to be able to revisit such matters if new issues arise).
  • Sensitive Data:
    - Necessary to protect your vital interests; and/or
    - Necessary to establish, exercise or defend legal claims.

Legal Claims and Enforcement

Purpose/Activity:

  • To exercise our legal rights and/or pursue any legal remedies available to us, including to limit any damages that we might sustain.

Type of data:

  • ALL DATA

Lawful basis for processing:

  • Necessary for our legitimate interests - namely to establish, exercise or defend legal claims.

If we need to use your personal data for any other purpose, we will notify you and we will explain the legal basis which allows us to do so.

7. Marketing

We will only send marketing communications to you where we have received your consent to do so. Even where you have given us your consent, you can then at any time stop receiving these communications by:

  • clicking on the ‘unsubscribe’ link located at the bottom of our marketing communications; or
  • contacting us and informing us of your intention to unsubscribe.

Unsubscribing will only apply to our marketing communications. We may still continue to send service communications to you, such as booking confirmations and updates (e.g. changes in departure time).

8. Disclosures

We use a third-party payment gateway provider to process and facilitate payments made for bookings. They act as our data processor and are subject to appropriate contractual conditions. We only permit them to process your personal data for specified purposes and in accordance with our documented instructions. In addition, we may also have to grant access to, disclose or share your personal data with the parties set out below, for the purposes in section 6:

  • suppliers and external agencies that we engage to process information on our/your behalf, including to provide you with any information which you may have requested from us;
  • our professional advisers, such as our auditors, accountants, financial advisers and legal counsel;
  • government bodies and tax authorities when required to do so by applicable laws or regulations;
  • any relevant party, claimant, law enforcement agency or court, to the extent necessary for any legal claims or criminal offences involving or otherwise relating to you;
  • third parties to whom we may choose to sell, transfer, or merge parts of our business or assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, the new owners may use your personal data in the same way as set out in this Notice.

We may also transfer or otherwise disclose your data if we are under a duty to disclose or share your personal data to comply with any legal obligation, judgment or where under an order from a court, tribunal or public or police authority. This may include exchanging your information with applicable tax authorities, regulatory bodies or public authorities or agencies in Malta or overseas (such as, in the case of Malta, the Registrar-General / Merchant Shipping Directorate). We may also disclose your data to enforce our contractual terms with you or your entity, or to protect our rights, property, or safety, that of our partners or other customers.

9. International Transfers

We do not generally transfer your personal data to entities outside the European Economic Area (“EEA”) except where necessary to: (i) provide the Services, (ii) fulfil our contractual obligations or exercise our contractual rights against you, (iii) comply with our legal or regulatory obligations or (iv) assert, file or exercise a legal claim. Where we do need to transfer your personal data outside the EEA (whether for these stated purposes or any other purpose listed in section 6), we will ensure a similar degree of protection is afforded to that personal data by ensuring at least one of the following safeguards applies or is otherwise implemented:

  • a) the country to which the personal data is transferred ensures an adequate level of protection for the data subject’s rights and freedoms recognized under EU data protection law;
  • b) in the absence of an adequacy decision, the data transfer is regulated by specific contracts approved by the European Commission which give personal data the same standards of protection which it has in Europe (referred to as standard contractual clauses or model clauses);
  • c) failing the above, the transfer of personal data is necessary:
    - for the performance of your relationship with us;
    - for the performance of a contract concluded in your interests between us and another person;
    - for any important reasons of public interest;
    - in order to comply with a legal or regulatory obligation to which we are subject; or
    - for the filing, exercise or defence of legal claims.

10. Joint Controller

We want to ensure that we provide our Services to you as effectively and efficiently as possible.

This is achieved, in part, through the assistance of another entity, 3rd Floor, 6 Wellington Place, Leeds, England LS14AP (“Snowfall”). Snowfall is the operator of a software-as-a-service travel technology platform and has been contracted to manage the creation and issuance of passenger tickets for us. This will involve your personal data being provided to Snowfall in the United Kingdom (which, as a territory, has been recognised by the European Commission – through an adequacy decision – as offering a comparable level of protection for personal data).

In that regard, we and Snowfall have determined that we act as joint controllers under the GDPR in relation to the personal data which is collected and processed for these ticket issuance services. This means that we, jointly with Snowfall, work together to decide why and how this personal data is processed. The details of this arrangement and how we and Snowfall will disclose, share, or otherwise make available your personal data to one another, are set out in a joint controllership arrangement, details of which can be obtained upon request.

In all other instances, we are and act as an independent controller of your personal data.

11. Data Retention

For how long will we use your personal data? To determine the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm to it from unauthorised use or disclosure, the purposes for which we process it and whether we can achieve those purposes through other means, as well as any applicable legal requirements. In the case of customers or passengers, we will only retain your personal data for as long as necessary to fulfill and perform the booking (usually upon the completion of the ferry service), and afterwards:

  • to satisfy any legal, accounting, tax or reporting obligations to which we may be subject; and/or
  • to the extent that we may also need to retain your personal data to be able to assert, exercise or defend possible future legal claims against or otherwise involving you.

By and large, our retention of your personal data will not exceed a period of five (5) years from the fulfilment of your booking and requested services (which allows us to cater for applicable prescriptive periods for legal claims). Payment information may however need to be retained for a period of up to ten (10) years to comply with applicable accounting and tax laws (this will primarily consist of payment information relating to your bookings).

Note that we may need to retain your personal data, or some of it, for longer period(s), such as in relation to threatened or commenced claims or litigation, ongoing or pending investigations, requests made by competent authorities or to abide by court orders or as dictated by the nature of the business relationship.

In some circumstances, you can ask us to delete your data. See erasure below for more information.

Kindly contact us at info@ragusaxpress.com for further details about the retention periods that we apply.

12. Your legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data:

  • Request access to your personal data.
  • Request correction (rectification) of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction of processing your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.

If you wish to exercise any of the rights set out above, please contact us at info@ragusaxpress.com.

No fee is usually charged.

You will not have to pay a fee to exercise these rights.

However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may simply refuse to comply with your request in such circumstances.

What we may need from you.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond.

We try to respond to all legitimate requests within a period of one month from the date of receiving your request. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You have the right to:

i. Request Access

You have the right to request access to your personal data (known as a “data subject access request”). This enables you to request information on whether your personal data is being processed by us and to request a copy of the information (if any) that we hold.

You may send an email to info@ragusaxpress.com requesting information as to the personal data which we process. Generally, you shall receive one copy free of charge via email of the personal data which is undergoing processing. Any further copies of the information processed will typically incur a charge of €10.00.

This right to access your personal data is without prejudice to the confidentiality of the personal data of other persons. You are only entitled to request access to personal data that relates to you.

ii. Right to Information

You have the right to information when personal data is collected about you from publicly accessible or third-party sources. When this takes place, we will inform you, within a reasonable and practicable timeframe, about the source from whom we have collected your personal data.

iii. Request Correction (Rectification)

You have the right to request correction or rectification of the personal data that we hold about you.

This enables you to have any incomplete or inaccurate data we hold about you corrected and/or updated, though we may need to verify the accuracy of the new data which you provide to us.

iv. Request Erasure

You have the right to request erasure of your personal data.

This enables you to ask us to delete or remove your personal data where:

  • there is no good reason for us continuing to process it;
  • you have successfully exercised your right to object to processing (see below);
  • we may have processed your information unlawfully; or
  • we are required to erase your personal data to comply with local law.

Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

These may include instances where the retention of your personal data is necessary to:

  • comply with a legal or regulatory obligation to which we are subject; or
  • establish, exercise, or defend a legal claim.

v. Object to Processing

You have the right to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party), and there is something about your particular situation that makes you want to object to that processing as you feel that it impacts on your fundamental rights and freedoms.

Please refer to the table set out in section 6 to understand those situations where we rely on a legitimate interest to process your personal data.

In such cases, we will cease processing your personal data for the objected purposes, unless we can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms, or if the processing is needed for the establishment, exercise or defence of legal claims.

You also have the right to object where we are processing your personal data for direct marketing purposes (as, for instance, described under ‘Marketing’ above).

vi. Restrict Processing

You have the right to request the restriction of our processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

  • if you want us to establish the data's accuracy;
  • where our use of the data is unlawful but you do not want us to erase it;
  • where you need us to hold onto the data even if we no longer require it, as you need it to establish, exercise or defend legal claims; or
  • where you have objected to our use of your personal data, but we need to verify whether we have overriding legitimate grounds to use it.

vii. Data Portability

You have the right to request the transfer (data portability) of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. This right only applies to automated information which you initially provided consent for us to use or where we have used the information to perform a contract with you.

viii. Withdrawal of Consent

You may withdraw your consent at any time where we are relying on consent to process your personal data. This will not affect the lawfulness of any processing which we carried out before you withdrew your consent. Any processing activities that are not based on your consent will remain unaffected.

Once we have been made aware that you have withdrawn your consent, we will no longer process your data for the purpose you originally agreed to, unless we have another legitimate basis for doing so.

Kindly note that none of these data subject rights are absolute or unreservedly guaranteed and must generally be weighed against our own legal obligations and legitimate interests.

If a decision is taken to override your data subject request, you will be informed of this by our data protection team along with the reasons for our decision.

Complaints

You have the right to lodge a complaint at any time to a competent supervisory authority on data protection matters, such as in particular the supervisory authority in the place of your habitual residence or your place of work. In the case of Malta, this is the Office of the Information and Data Protection Commissioner (the “IDPC”):

We would, however, appreciate the opportunity to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.

14. Changes to this Notice

This Notice may be updated from time to time.

If you have any questions regarding this Notice, or if you would like to send us your comments, please contact us using the Contact Details indicated in this Notice.