PRIVACY NOTICE FOR CSCS EMPLOYEES
Subject: Privacy Notice pursuant to Art. 13 of Regulation (EU) 2016/679 of April 27, 2016 (the GDPR).
Cruise Ships Catering and Services International N.V. ("CSCS"), in its capacity as Controller of the processing (hereinafter the Controller), hereby supplies you with the following information regarding processing of the personal data that you, in your capacity as the Data Subject (hereinafter the Data Subject), provided to us in order to initiate and execute your Contract of Employment (hereinafter the Contract of Employment).
1. PURPOSES OF PERSONAL DATA PROCESSING
The processing of your personal data and those of your family members (hereinafter the Data), including special categories of such data, is carried out for the following purposes and in accordance with the following legal basis:
  • Management of the Contract of Employment. The Data provided for the Contract of Employment will be processed in order to:
    • fulfill obligations arising from the Contract of Employment and associated legal obligations (e.g. payment of wages, payment of social security contributions, preparation of paychecks, management of annual leave, documents justifying absences, etc.);
    • carry out the organizational management of your work, as well as for the Company's operational/management demands, such as creation of job descriptions for the corporate Intranet, collection and retention of information that is useful for your career advancement (e.g. your educational record, training courses attended, knowledge of foreign languages, previous work experience), internal auditing and risk management activities etc.
  • Security and protection of Company assets. The Data will also be processed for security purposes, protection of Company and/or third-party principals (e.g. Costa Crociere S.p.A) property (including intellectual property) and crime prevention, partly by means of inspections (e.g. internal audits) as well as tools for reporting misconduct by employees to the competent corporate bodies (e.g. compliance website and hotline).
  • Purposes related to the use of your facial image. With your consent, the Controller may use your facial image (e.g. in photographs), for the following purposes:
    • security purposes: your photograph will appear on your Company security pass. These passes are used to monitor access so as to enable the ready identification of all persons on the premises;
    • organizational and operational purposes: your photograph may be posted on the corporate Intranet, for the ready identification of job descriptions;
    • advertising: your photograph may be published in Company and/or third-party principals (e.g. Costa Crociere S.p.A) magazines and promotional material in connection with and/or during events in which you may take part.
2. SPECIAL CATEGORIES OF PERSONAL DATA
For the above-mentioned purposes, the data processed may also include special categories of personal data pursuant to Articles 9 & 10 of Regulation (EU) 2016/679, namely data revealing:
  • racial or ethnic origin, which may be revealed by personal details or by photographs processed for organizational or operational reasons (e.g. Company security pass), religious beliefs, if you have requested to observe religious holidays other than Catholic holidays, in accordance with the law;
  • trade union membership, if you have requested the Company to withhold trade union membership fees from your wages or you hold, or are a candidate for, a position as a trade union officer;
  • membership of a political party, if you hold a publicly elected office or work at a polling station as a party-appointed scrutineer;
  • philosophical beliefs, with specific regard to conscientious objection to military service;
  • the Data Subject's state of health, e.g. medical certificates, other certificates justifying absences for medical examinations, certificates of fitness to work, certificates pursuant to Legislative Decree no. 81/2008 (occupational health and safety), maternity certificates and maternity leave, documents regarding injuries and industrial accident insurance;
  • the Data Subject's health status as determined by the contracted physician and by the Company's health facilities, in any event managed by doctors bound by professional secrecy, and generally used for example to ensure compatibility between personal health - including that of your family members - and assigned duties;
  • criminal convictions, offenses and pending criminal charges, where required by the law for the purposes of employment and for management of the Contract of Employment or for assessment of the Data Subject's professional aptitude.
3. NATURE OF THE DATA PROVIDED AND CONSEQUENCES OF FAILURE TO DO SO

The provision of the Data as per 1 a) & b) above is necessary to finalize and execute the Contract of Employment and to comply with the associated contractual and legal requirements. Failure to provide the Data may make it impossible to execute the Contract of Employment or to fulfill some or all of the associated contractual and legal requirements.

With regard to the purposes stated in 1 c) above, use of your facial image is not mandatory since it is not necessary for the purpose of execution of your Contract of Employment; accordingly, we ask you here to give your consent to such use.

More specifically:

  • we request you in this form to give your consent to use of your facial image for the Company security pass;
  • as regards the corporate Intranet, if you wish you may upload your facial image to the system yourself. When you upload your photo, you will be deemed to have given your explicit consent to processing.

It is understood that if you choose not to give your consent or not to upload your photo, this will have no detrimental effect on the execution of your Contract of Employment, but will merely prevent the use of your facial image for the aforementioned purposes.

Furthermore, it is specified that as far as concerns the publication of personal data and images in Company magazines and for promotional purposes, you will be informed in advance that a particular Company event may be photographed or filmed and also informed of the purposes of this, thus allowing you to make an informed decision as to whether or not to attend. Indeed, there may be some occasions on which photography and/or filming are an intrinsic part of the event and for which the Company would be unable to act in compliance with your refusal (if any) to allow the processing of your personal data. In such cases you can decide not to take part in the event. It follows that also in this case, if you do participate, this will be interpreted to mean that you have given your explicit consent and agree to the processing described.

4. CATEGORIES OF RECIPIENTS
The Data will be disclosed to the following categories of recipients, for the purposes mentioned above:
  • Data Processors designated from time to time;
  • Costa Crociere Group and/or Carnival Group companies, including affiliates located outside the European Union;
  • firms and professionals retained by the Controller in order to fulfill the obligations for execution of your Contract of Employment or legal requirements, or to safeguard its rights (e.g. accountants, lawyers, tax consultants, auditors, auditing or due diligence consultants, etc.);
  • third party service providers for Costa Crociere (e.g. port agents, etc.);
  • banks, financial institutions and insurance companies;
  • technical management companies for networks and IT systems;
  • public bodies such as INPS (National Institute of Social Insurance), INAIL (National Institute for Insurance against Industrial Injuries), local health authorities, Ministry of Labor and Social Policy and its branch offices, contracted physicians and the relevant authorities when reporting any industrial accidents;
  • trade unions collecting union membership fees;
  • legally authorized public authorities in the event of audits, investigations and/or inspections;
  • public port authorities;
  • public institutions and other national or international bodies to which you may be seconded.
5. TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION

The Data may also be transferred abroad, to countries inside or outside the European Union, but only to other Costa Crociere Group and/or Carnival Group companies and/or to third party service providers, and only for the aforementioned purposes.

In the event of transfer of the Data outside the European Union, the country concerned must guarantee an appropriate level of protection based on a specific decision by the European Commission or, otherwise, the recipient will be contractually obliged to ensure an appropriate level of data protection comparable to that laid down in the GDPR.

6. RETENTION PERIOD
The Data will be stored for the duration of the Contract of Employment and subsequently:
  • for no longer than the applicable time limit. In the event of an injunction extending the time limit, the retention period will also be extended as a result;
  • for no longer than the specific time limits laid down by the relevant data retention requirements (e.g. for tax returns), in order to comply with any legal obligations;
  • for the period required to safeguard the Controller's rights with regard to the defense of any legal claims.
If you have provided us with your facial image, this will be stored for the duration of the Contract of Employment, unless you withdraw your consent to use thereof. In such case, where possible, we will erase all the relevant image data.
7. ELECTRONIC SURVEILLANCE
As regards the CCTV system, you are informed that the security checks and other means of monitoring entrances to the Company's head office, ships and other premises as well as associated inspections, internal auditing and reporting of misconduct will be carried out in full compliance with the principle of necessity and, where applicable, with the prohibition on the use of such cameras to monitor the work of employees, in accordance with the provisions of the Statute of Employees, and that the image data will only be processed by persons expressly authorized to this end and only be stored for the time strictly necessary for the aforementioned security purposes, or for any longer periods laid down in specific trade union agreements or stipulated by judicial authorities.
8. USE OF COMPANY EQUIPMENT

If you are entrusted for Company business with any kind of IT tools or other means of communication, you will be responsible for these items of equipment, which must be used solely for work-related purposes in strict accordance with the instructions received for collection and safeguarding of data. Detailed instructions are given to employees in the procedures governing the use of the Company's IC&T resources.

Use of the aforementioned tools for personal reasons must be clearly reasonable and in accordance with common sense as well as with the specific instructions set out in the above procedures. In any event such use must be limited and infrequent and not such as to interfere with your work and/or create additional costs for the Company.

To this end you undertake to comply with the corporate procedures regarding access to and use of IC&T resources (Policy Read me first - P7 IO01.01 - IT Security and Access Control), as well as with the Privacy Policy.

As specified in the policy document All.4 P7 - Use of I&CT Resources - Personal Responsibility, in accordance with current legislation and subject to the guarantee of confidentiality, the Company reserves the right to conduct checks on the use of the foregoing work tools for specific reasons.

Any usage of Company IT resources that does not comply with the above may result in disciplinary action in accordance with the applicable rules and regulations.

9. DATA CONTROLLER
The Data Controller is Cruise Ships Catering and Services International N.V. ("CSCS"), headquartered in Ara Hill Top Building A-10, Pletterijweg Oost 1, Curaçao, and permanent establishment in Italy, 16121 Genoa, Via XII Ottobre 2.
10. DATA PROTECTION OFFICER
The Data Protection Officer is based in Piazza Piccapietra 48, 16121 Genova, email address privacy@costa.it.
11. RIGHTS OF THE DATA SUBJECT
As the Data Subject you have the right to:
  • request access to and rectification or erasure of your personal data as well as restriction of processing;
  • object to the processing of your personal data;
  • where possible, data portability, i.e. the right to receive your personal data which you have provided to the Controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance, also by means of direct transmission, if this is technically feasible;
  • where possible, withdraw your consent to the processing of the Data, if processing is based on consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
  • lodge a complaint with the Information Commissioner;
  • request information regarding:
    • the purposes of processing;
    • the categories of personal data;
    • the recipients or categories of recipients of the personal data, and in particular whether it is intended to transfer the data to a third country or international organization;
    • the data retention period;
    • the right to lodge a complaint with a supervisory authority;
    • from which source the personal data originate, if they were not provided by the Data Subject.
APPOINTMENT OF AN EMPLOYEE TO ACT AS A PERSONAL DATA PROCESSING OFFICER AND AUTHORIZATION TO PROCESS PERSONAL DATA
PURSUANT TO ART.29 OF REGULATION (EU) NO. 679/2016
CRUISE SHIPS CATERING AND SERVICES INTERNATIONAL N.V. ("CSCS"), with registered office in Curacao and operative office in Genoa Piazza Piccapietra 48, pursuant to Regulation (EU) no. 679 dated April 27, 2016 (the General Data Protection Regulation, hereinafter "the GDPR"), hereby authorizes you to process personal data for CSCS as a personal data protection officer in compliance with Article 29 of the GDPR. We hereby wish to specify that:
  • "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data;
  • "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • "Special Categories of Personal Data" means any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
  • "Judicial Data" means data revealing criminal background checks - e.g. judicial records register, police certificate, register of offense-related administrative sanctions, certificate of pending criminal charges or investigations.

During the course of your working activity within the framework of your assigned functions and duties, you will find yourself collecting and processing personal data including special categories of personal data and judicial data controlled by CSCS.

You may therefore carry out all the personal data processing operations and have access to the databases necessary and appropriate for the correct fulfillment of your duties, in compliance with the instructions given to you by the Data Controller or the Data Owner.

During the course of your activities you will, in any event, be required to act with the utmost discretion so as to ensure the confidentiality and protection of the aforementioned data, in accordance with the following general instructions:

  • process personal data lawfully and fairly;
  • collect and record personal data only for purposes and according to procedures related to the databases;
  • verify that the personal data are relevant and complete and do not go beyond the aims for which they were collected and subsequently processed;
  • verify, where possible, that the data are accurate, and update them if necessary;
  • store the data, in compliance with the security measures put in place by the Company;
  • communicate or disclose personal data or transfer data abroad only to persons authorized to receive them, for the purposes for which the data were collected and, in any event, in compliance with the instructions received;
  • do not disclose any personal data to anyone outside the work environment or in breach of the instructions received;
  • comply with the policies, procedures and security measures already put in place by the Company and with any others introduced at a later date;
  • contact the Data Protection Officer (DPO) and/or the Data Owner when the data processing is carried out with new technologies.
Unless you have written authorization from the Data Controller and/or Data Owner, it is forbidden to:
  • commence new personal data processing activity within the Company;
  • use the Data Controller's means and equipment to carry out processing of data that is not relevant to the work;
  • communicate, disclose or make available to others, whether they are the Data Controller's employees or third parties, personal data processed on behalf of the Data Controller; this also applies where such communication or disclosure is not part of your professional duties and, at any rate, only within the limits of those duties;
  • transmit personal data to persons not previously authorized by CSCS;
  • remove copies of databases or specific personal data that are unrelated to the terms of your appointment.
Moreover, in relation to your authorization to process special categories of personal data and judicial data, you will be required to:
  • only access archives and/or databases that are strictly related to the fulfillment of your duties;
  • store documents containing special categories of personal data or judicial data in a special locked container during any periods in which you are not at your workstation;
  • return any documents containing special categories of personal data or judicial data to the archive that you took them from, immediately after the processing operations;
  • communicate special categories of personal data and/or judicial data only to persons specifically authorized, even within CSCS.

In the event of a personal data breach (i.e. accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed), you shall notify the DPO and/or the Data Owner, pursuant to the "Data Breach Guidelines".

If a data subject requests one of the operations described in Art. 15 to 22 of the GDPR (Rights of data subjects), you shall act in compliance with the "Data Subject Request" policy.

If you are absent from your workstation, even for a brief period, you shall ensure that unauthorized third parties cannot access any personal data being processed at the time, including hard copy.

Lastly, we would invite you to promptly inform the Processing Supervisor if you need to carry out personal data processing operations for purposes or using methods other than those outlined in the instructions given, as well as of any request to access personal data by the data subjects and of any other circumstances that go beyond the instructions received.

You are informed that any processing operation carried out with methods or for purposes that are not compliant with those indicated above, including the disclosure of data to persons other than those authorized, may constitute a breach of your commitment to the Company and could give rise to liability pursuant to the GDPR.

It is hereby acknowledged that your appointment as a processing officer will have the same duration as your contract of employment with our Company. Subsequent to termination of that contract, you will no longer be authorized to carry out any type of processing of personal data that you are in possession of or have knowledge of through your previous contractual duties; following termination of your contract of employment with our Company, you will still be required to comply with your obligations regarding the confidentiality of personal data and your undertaking not to disclose or disseminate such data without the specific authorization of the Company.

For any information and/or doubts about data processing during the course of your working activity do not hesitate to contact the DPO and/or the Data Owner.

DPO contact information:
Genoa, 26/02/2018