Confidentialité : traitement des données personnelles

Information statement on the processing of personal data

Pursuant to Article 13 and 14 of Regulation (EU) 679/2016 (‘GDPR’), this privacy policy is provided to users who access the www.snav.it (the ‘Site’), use the SNAV mobile application (the “App”) or who interact with the related social media pages (Facebook, Instagram, Twitter, LinkedIn, Pinterest, TikTok), with the contact center, or with other SNAV S.p.A. services, including for the purpose of sending messages (including through instant messaging channels such as WhatsApp), emails, or complaints, as well as to all passengers and customers and those who register for the SNAV Easy Life program.

This notice is provided solely for the Website, the App, and the social media pages, and not for other websites or mobile applications that may be accessed by the user via links.

For more detailed information on specific topics (e.g., subscriptions, reporting of unlawful conduct, etc.), users are invited to consult the dedicated privacy notices available in other sections of our Website.

Data Controller: the data controller is SNAV S.p.A., with registered office in Naples, Stazione Marittima Molo Angioino, tax and V.A.T. number 00081630832, privacy@snav.it (hereinafter « SNAV » or « Controller« ).

Data Protection Officer: the Controller has appointed a Data Protection Officer (D.P.O.). The Controller may be contacted by writing to: protezionedati@marinvest.it.

Categories of data: Data Controller shall process the following data:

1. Browsing data: there are data that the computer systems and software procedures used to operate the Site acquire in normal operation and that are then implicitly transmitted in the use of Internet communication protocols. This information is not collected to be associated with identified data subject, but by its very nature could, through processing and association with data held by third parties, allow users to be identify (e.g. IP addresses, domain names of computers used by users who connect to the Site, time of the request, numeric code indicating the status of the response given by the server; the addresses in URI notation – Uniform Resource Identifier – of the requested resources) and other parameters related to the user’s operating system and computer environment. These data, which are not associated with directly identifiable users, are processed, for the time strictly necessary, for the sole purpose of obtaining anonymous statistical information on the use of the Site and to check its regular functioning.
2. Cookie: for the processing of data though cookies, please read the relevant policy, available at the following link: https://www.snav.it/cookie
3. Data voluntarily provided by the user and/or communicated by third parties: Data provided directly by the data subject and/or by third parties (such as travel agencies) when purchasing a ticket, requesting a service or enrolling in the SNAV Easy Life program, and include:
   1. name, surname, gender, age and date of birth, nationality, details of ID, fiscal code or VAT number, billing address and location, copy of ID, etc;
   2. information contained in the self-certifications issued pursuant to Italian Presidential Decree no. 445/2000 that are collected to enable interested parties to take advantage ore receiving discount dedicates to residents;
   3. Data related to the vehicle boarded (e.g., license plate number, vehicle make and model);
   4. Data related to membership in professional categories or loyalty programs signed with third-party companies;
   5. Contact information (phone number, e-mail);
   6. data relating to the passenger’s health status (falling under the « special categories of data » referred to in Article 9 of the GDPR);
   7. information that the data subject provides by communicating by telephone to our contact center, by e-mail, or through the Site;
   8. data entered by means of messaging functionality, posting of messages and information transmitted through such channels;
   9. IP address used to connect to the Wi-Fi network;
   10. interaction data on SNAV’s social media pages (e.g., through posting comments, sending messages, etc.).

4. Third-party data: through the Site, SNAV may also collect and process personal data belonging to third parties. For this reason, the Data Controller provides the following information with reference to the processing of the data of these subjects, or of passengers on whose behalf the customer makes a reservation, purchases a ticket, or submits a complaint, or those exercising parental responsibility for passengers under the age of 14 or 18.

These data include:

• • personal data (name, surname, gender, age or date of birth, nationality, fiscal code or vat number, etc.);
  • e-mail address;
  • copy of a valid identity document;
  • if applicable, data relating to the Passenger’s state of health (falling within the « special categories of data » referred to in Art. 9 of the GDPR);
  • in the case of passengers under the age of 14 or 18, personal data (name, surname, gender, date of birth, nationality, etc.) and a copy of an identity document of the person exercising parental responsibility.

The provision of third party data is optional; however, in the case that the third party’s personal data is not provided, SNAV may not be able to guarantee the performance of the provision or service (e.g., ticket purchase, complaint handling).

In the event that the customer provides data of minor under the age of fourteen or eighteen, the same guarantees SNAV that, he/she is exercise of parental responsibility (it being understood that SNAV may take the measures it deems reasonable in order to verify the age of fourteen or eighteen).

The customer guarantees SNAV that he/she has the right to communicate such data and will take care to inform third party about the processing of his/her personal data, with particular reference to the type of data processed, the purposes and the time of storage of data, the subjects who have access to such information, and the exercise of the rights provided for the GDPR, also by providing the third party with a copy of this policy or an indication of the web page where this policy is made available.

In the case of passengers with reduced mobility or special dietary requirements, the customer guarantees to SNAV that he/she has obtained express consent from passengers to the processing of personal data relating to his/her state of health necessary for the provision of any on-board assistance or a specific service. In any case, SNAV reserves the right to request proof of the consent given, even by requesting it directly from the passenger.

Purposes, legal bases of processing and duration of storage: The processing of the data takes place for the purposes and based of the assumptions indicated below.

1. Management and operation of the Site and the App. The browsing data are collected and processed to allow the operation of the Site and the App. Legal basis of the processing: the legitimate interest of the Data Controller. Data retention period: browsing data will be stored in accordance with the Cookie Policy available at www.snav.it/cookie.
2. Booking and ticket purchase, as well as for all purposes related to the obligations arising from the maritime transport contract (supply of products and services on board the ship, sending logistical communications, organization of events on board the ship, use of any discounted rates, etc…). The telephone number will be used exclusively for service communications relating to the ticket purchased and/or booked trip, in accordance with applicable regulations. Legal basis of the processing: fulfillment of contractual obligations or execution of pre-contractual activities requested by the data subject. In absence of such data, it will be impossible to execute the contract or provide what the customer/passenger requires. Data retention period: duration of the contractual relationship with the customer and/or passenger, subject to storage for further purposes as set out below.
3. Passenger acceptance on board. The data provided for the purchase of the ticket, including those related on health status, will also be used in order to allow the passenger to be accepted on board. Legal basis for processing: compliance with the obligations set out in Council Directive 98/41/EC of 18 June 1998 on the registration of persons sailing on board passenger ships operating to or from ports of the Member States of the Community, as amended by Directive (EU) 2017/2109 of the European Parliament and of the Council of 15 November 2017, and implemented by Legislative Decree No. 38 of 11 May 2020 and subsequent implementing decrees. Data retention period: for the duration required by applicable legislation.
4. Management of special food requests. In the case of passengers with special dietary requirements (e.g., those who select the gluten-free menu). Legal basis of the processing:  express consent of the data subject. This consent can be expressed at the time of booking by ticking the box « passengers with reduced mode » or by selecting the option « Gluten-free menu » (which could also only indirectly, reveal data relating to your health status) or by directly communicating such information to the Controller by e-mail or call center. In the event that such data is communicated via email or call center, the data subject is aware of and expressly agrees that, by providing their data — including data belonging to special categories — they are giving their consent to its processing. Data retention period: for the time necessary to process the request, without prejudice to further retention for legal protection purposes.
5. Management of requests for special care and/or assistance and processing of health-related. The data acquired at the time of booking or during the trip will be processed to provide requested assistance and to comply with laws and regulations and for communication to the Unique National Interface or Automatic Identification System (« AIS »). Legal basis for the processing: important public interest as well as for health care purposes, pursuant to Article 9 paragraph 1 letter (g) and (h) GDPR, in accordance with Legislative Decree No. 38 of 11 may, 2020, which implements Directive (EU) 2017/2109 in Italy. On the basis of the same regulations, the data acquired will also communicated- by entering them into the Unique National Interface or through AIS – to the General Command of the Port Authority Corps-Coast Guard, which will process such data as data controller pursuant to Article 4 of the Decree of the Ministry of Infrastructure and Sustainable Mobility dated September 28, 2022. Retention period: the data will be kept for the time strictly necessary and, in any case, until the end of the journey and the inclusion of the same into the Unique National Interface or AIS in accordance with the provisions of Article 12 of Legislative Decree No. 38 of May 11, 2020.
6. Fulfillment of legal obligations including tax, workplace safety, environmental, anti-money laundering, banking and public safety. Legal basis of the processing:  the need to comply with legal obligations incumbent on the Controller. Data retention period: duration imposed by law.
7. Management of requests from users of the Website and/or the App and/or customers/passengers, including the management of any suggestions, messages, and/or emails received through the communication channels and contact options provided on the Website (including instant messaging channels such as WhatsApp). If the user provides their phone number in the “Contact” section as an optional field to be contacted, it may be used by the Data Controller to handle certain requests more efficiently. Legal basis for processing: the processing is based on the fulfillment of contractual obligations or the execution of pre-contractual activities requested by the data subject, as well as on the legitimate interest of the Data Controller in properly managing relationships with passengers and users in general, including for the purpose of improving the services offered. Data retention period: the time necessary to process the request or to respond to any suggestions/messages, without prejudice to further retention for legal protection purposes.
8. Management of any emergencies on board one of our ships: in particular these data will be stored pursuant to Article 12 of Legislative Decree 38/2020, as amended, until the voyage of the vessel in question is safely completed and the data have been declared in the Single National Interface or in the event of an emergency or following an accident, until the completion of an investigation or judicial proceeding. Legal basis of the processing: fulfillment of the specific applicable legal obligations. Retention period: duration imposed to the applicable law.
9. Management of any complaints sent by customers or passengers. Legal basis of the processing: fulfillment of obligations imposed by Regulation (EU) 1177/2010 on the rights of passengers traveling by sea and inland waterway. Data retention period: duration imposed by the same regulation.
10. Enrollment to the SNAV Easylife program: the data will be processed to allow to use the service. Legal basis of the processing: the processing is based on the fulfillment of contractual obligations or execution of pre-contractual activities requested by the data subject. Data retention period: the data will be kept for the duration of enrollment in the SNAV Easy life program.
11. Judicial protection purposes, including the purpose of verifying the truthfulness of information contained in the self-certifications pursuant to Italian Presidential Decree 445/2000, to prevent or prosecute offences. Legal basis of the processing: legitimate interest of the Data Controller to protect its rights. Data retention period: equal to the time necessary to assert the rights of the Controller. In the case of self-certifications pursuant to Italian Presidential Decree no. 445/2000, these will be kept for the time strictly necessary to verify the veracity of the information and, in any case, for a maximum period of 6 months. This is without prejudice to further storage in the event of false declarations to prevent or persecute deceitful use.
12. Sending communications and updates regarding the Data Controller’s services and activities. Legal basis for processing: the Data Controller’s legitimate interest in sending updates and maintaining contact with its customers. Data retention period: 24 months from the date of the last booking, unless the data subject objects before the end of this period.
13. Newsletter subscription: the email address, first and last name, and phone number may be processed for the purpose of sending newsletters. Legal basis for processing: the processing is based on the data subject’s explicit consent. Data retention period: the data will be processed for 24 months from the time it is provided.
14. Section “ Call me back”: the first name, last name, and phone number may be processed to get back in touch with the user that fills out the form. Legal basis for processing: the processing is based on the performance of pre-contractual activities requested by the data subject. Data Retention period: the time required to process the request.
15. Access to the Wi-Fi network: the Data Controller shall process the IP address of the connection to the Wi-Fi network if the customer requests to use the service.
    Legal basis for processing: fulfillment of contractual obligations or execution of pre-contractual activities requested by the data subject. Furthermore, the Data Controller may process the acquired data if necessary to comply with a legal obligation, as well as – based on its legitimate interest – in order to monitor and ensure the security of the IT infrastructure or to defend its rights.
    Data retention period: the data shall be retained for 7 days and, where required by law and/or to pursue the legitimate interest of the Data Controller in safeguarding its rights, for a maximum period of 10 years.
16. Account Creation and Operation: first name, last name, and email address will be processed to allow the user to create an account for accessing the reserved area on the Website and within the App. For security reasons, account creation and subsequent access will only be permitted following the entry of a temporary OTP (one-time password), which will be sent each time via email. Legal basis for processing: the processing is based on the performance of contractual obligations or the execution of pre-contractual measures requested by the data subject. Retention period: for the entire duration of the account’s activity, which in any case will be deactivated 24 months after the account creation or the last purchase made through the account. The Website and the App offer the option to register and log in using social login services, such as Facebook, Google, and other identity providers (e.g., Apple for users of the iOS operating system). When using these options, the Data Controller may collect and process certain personal information from the user’s social account, such as name, email address, profile picture, and other details shared by the social login provider, as listed in the specific pop-up window. These data are used to facilitate the registration and authentication process, as well as to enhance the user experience. We invite you to consult the privacy policies of the social login providers to understand how they process your personal data. Apart from authentication, there will be no connection between your account on the Website and your social network account.
17. Social Media Page Management: the Data Controller will process the data of users who interact with content on SNAV’s social media pages or who provide their information through comments, messages, or other social media interactions. Such data may include, for example, the user’s name, username, and profile picture, depending on their social media account settings. This information is used by SNAV to respond to inquiries, engage with users, and protect the company in the event of abuse. Legal basis for processing: the processing is based on the performance of contractual obligations or the execution of pre-contractual measures requested by the data subject.
    Data retention period: data will be retained no longer than until the closure of the respective social media page, without prejudice to any data retained directly by the platform providers as independent data controllers in accordance with their own privacy policies, or by other parties who may have acquired data and images in the meantime.

Nature of the provision of personal data.

The provision of data for the purposes set out in the previous letters a), b), c), e), f), g), h), i), j), n), o), and p) is necessary for us to execute the contract and/or respond to your requests and/or provide the requested service, as well as to comply with legal obligations. Any refusal to provide such data would prevent the data subject from communicating with the Data Controller and would make it impossible for the latter to execute the contract in place with the data subject and/or to fulfill their requests and/or provide the requested service and/or keep them informed about its services.

The provision of data for the purpose referred to in letter d) above is optional and voluntary, and subject to the explicit consent of the data subject. However, refusal to provide such data will make it impossible for the Data Controller to process requests related to passengers’ specific dietary needs.

The provision of data for the purposes referred to in letters l) and m) above is also optional and voluntary, and subject to the explicit consent of the data subject. Refusal will not have any consequence on the execution of the contract and/or the provision of the requested service. The data subject may object to such processing at any time, without affecting in any way the lawfulness of processing carried out by the Data Controller prior to such objection.

Likewise, the provision of data for the purpose referred to in letter q) is optional and voluntary; however, if such data is not provided, the Data Controller may not be able to interact with users or respond to specific requests.

Disclosure of data: for the purposes outlined above, the data may be disclosed to our collaborators and employees, within the scope of their assigned duties and based on specific authorization to process personal data, in accordance with the purpose of the processing. The data may also be disclosed to all natural and/or legal persons who are legally entitled to receive the data as data processors pursuant to Article 28 of the GDPR or as independent data controllers (e.g., companies leasing naval units, consulting firms in charge of managing and maintaining the website, providers of contact center and online payment services, external consultants, maritime agencies, terminal operators and port authorities, entities providing financing, etc.).

In addition, the data may be communicated to commercial partners with whom SNAV has entered into an agreement, in order to recognize or have granted benefits to customers and/or passengers and to other companies of the MSC Group. These parties will process any data acquired as independent data controllers.

In case of ticket purchase through the Trenitalia’s ticketing platform, the personal data provided therein will be received by SNAV in order to issue the relevant ticket and processed in accordance with this policy. In such cases, it will be possible to consult the information on the processing of personal data on the Site, as well as by clicking on the link made available by Trenitalia in its privacy policy. The information will also be available at ticket offices and on board the ships.

Rights of Data Subjects

We would like to inform you that, as a interested party, you can exercise the rights referred to in Articles 15-22 GDPR, including access to personal data, rectification, erasure of personal data or restriction of processing, opposition to processing as well as request for data portability; for processing based on consent, it will be possible to revoke the consent given at any time (this will not affect the lawfulness of the processing based on the consent given before the withdrawal). The exercise of these rights can be carried out  by sending an e-mail to the e-mail addresses privacy@snav.it and/or protezionedati@marinvest.it or by sending a registered letter with acknowledgement of receipt to the registered office of the Controller at « Stazione Marittima Molo Angioino CAP 80133 Naples ».

A complete and up to date list of data processor can be obtained from the same above addresses.

At the same addresses, you may request the complete and updated list of the data processors.

The interested party may at any time get opposition to the sending of communications related to commercial and marketing activities by selecting the option « If you prefer not to receive any more of our communications, click here » at the bottom of the e-mail containing the newsletter.

In addition, you can exercise your rights, in relation to the processing of personal data carried out through our social pages, by contacting each of these social pages in accordance with the provisions of their respective privacy policies.

We also inform you that if you believe that the processing violates your rights, you can file a complaint with the Data Protection Authority – www.garanteprivacy.it.

Updated version dated May 20^th 2025