Legal
Crystal Cruises' Global Privacy Policy
EFFECTIVE DATE: January 1, 2020
I. INTRODUCTION
Crystal Cruises, LLC (“Crystal Cruises” or “we”) recognizes the importance of protecting the privacy of all information provided by users when they use crystalcruises.com (the “Site”)
or otherwise interact with Crystal Cruises in general. We created the following policy guidelines with a fundamental respect for our users' right to privacy and because we value our relationships with our users.
Crystal Cruises acts as a controller with respect to the collection, use, and other processing of personal identifying information which can be used to identify, directly or indirectly, or locate guests (“Guest Personal Data”) in connection
with the guest/customer relationship, as described in more detail in this Crystal Cruises Global Privacy Policy (“Policy”).
This Policy is written in the English language. We do not guarantee the accuracy of any translated versions of this Policy. To the extent any translated versions of this Policy conflict with the English language version, the English language version of
this Policy shall control.
II. HOW DATA IS COLLECTED
Information you provide to us
Crystal Cruises will collect personal data from you when you interact with our Site(s), contact our Agents, use our services, or purchase our products.
Information we obtain indirectly
We may receive personal data about you from our third-party affiliates or partners and from marketing companies that provide us with such information as a part of their relationship with us.
We may combine this with data that we
already have collected about you. Such collected data could include contact details (such as email address) and previous purchase history or interests.
Information collected automatically
When you use our Site we collect
certain information about you automatically through our use of cookies and similar technologies. Please see below for our cookie policy.
Children’s Privacy
Crystal Cruises feels strongly about protecting the privacy of children. Crystal Cruises’ Site is not targeted for use by children under the age of 18 (“children”). Crystal Cruises does
not knowingly collect personal information from children in connection with the features of our websites without the consent of a parent or guardian. Crystal Cruises request that all children who may visit the Site not disclose or provide any personal
data. Children may not access those sections of the Site that require registration. Upon notification that a child has provided us with personally identifiable information, we will delete the child’s personally identifiable information from
our records. If you believe we might have any information from a child, please email us at privacy@crystalcruises.com or call us at 786-971-1170.
III. CATEGORIES OF GUEST PERSONAL DATA AND PURPOSE FOR PROCESSING
Crystal Cruises collects and processes the following categories of Guest Personal Data, for the purposes
specified below:
| Categories of Guest Personal Data | Purpose of processing |
| • Communicate, interact and identify you and customize the content, products and services that are offered to you; |
| • Conduct our business and improve our Sites and services, develop new products and services, provide information and support, to better understand your needs and interests, personalize communications and advertising, and generally
promote a quality experience for you. |
| • Process transactions you enter into with us (e.g., purchase of goods and services, refunds, discounts and offers) |
| • Perform certain automated decision-making, including profiling, which is used for direct marketing |
| • Comply with legal requirements |
| • Verify your authority to enter and use our Site and other services |
| • Health information prior to embarkation |
| • Casino third parties related to marketing and background checks |
| • Measure, analyze and improve our products and services, the effectiveness of our websites, and our advertising and marketing |
The type of Guest Personal Data collected by Crystal Cruises may vary from country to country, and in some countries Crystal Cruises might not collect all of the categories of Guest Personal Data listed above.
Crystal Cruises is committed to only collecting and processing the minimum amount of data from you that is necessary to the purposes of our data processing activities, and to retaining such data only if required to fulfill such purposes. Where applicable, if Crystal Cruises intends to further process the personal data for a purpose other than that for which the personal data was initially collected, Crystal Cruises shall, prior to such processing, provide you with any relevant information on such additional purpose, and, to the extent required by applicable law, obtain your consent for this.
IV. THE LEGAL GROUNDS FOR PROCESSING GUEST PERSONAL DATA
In most instances, we process your personal data under the legitimate interests of providing you products and services related to your voyage. In other instances, we obtain your consent to process your personal data where we are required to do so
by applicable law – for example, where we want to use your contact details for marketing purposes or where the personal data we are collecting from you is sensitive personal data, including racial or ethnic origin, political opinions, religious
or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data, and we are not lawfully permitted to process your personal data on any other legal grounds. Where we rely
on your consent for processing your personal data, you may withdraw your consent at any time, by contacting us at privacy@crystalcruises.com. Please note, however, that withdrawing your consent
will not affect the lawfulness of processing based on the consent you gave prior to withdrawal.
Where we process your personal data for direct marketing purposes, we will log your objection to and stop such processing of your data,
and we will not contact you again if requested. You may object to such direct marketing by clicking the unsubscribe link in each such direct marketing message or contacting us at privacy@privacy@crystalcruises.com or by using the contact details below.
While we always want you to be aware of how we are using your personal information, this does not necessarily mean in every instance that we are required to ask for your consent before
we can use it. There may be instances where we process your personal data for our legitimate interests (furthering our business relationship with you) or on the basis of other lawful grounds (i.e., because we have established a relationship
with you and need to process your personal data in order to provide you with the information and/or services you have requested), without having obtained your consent. We do not seek your consent in such cases largely so that we can provide you with
services in an efficient way (or where in some cases it might not be possible for us to seek your consent because we must process personal data, for example, for the detection of fraud). Before processing your personal data, we will consider your
rights and freedoms and will only commence such processing where we do not think your rights will be infringed.
Except as otherwise provided in this Policy, only a limited number of individuals within Crystal Cruises’ legal, finance,
IT, accounting and customer care departments, as well as certain managers (i.e., only persons with assigned responsibility or managerial responsibility for a Guest or groups of Guests) will receive access to Guest Personal Data when necessary in connection
with their job responsibilities.
If you provide Crystal Cruises with personal data about members of your family and/or other dependents (e.g., for emergency contact or benefits administration purposes), it is your responsibility
to inform them of their rights relating to the processing of their personal data for these purposes. You are also responsible for obtaining the explicit consent of these individuals (unless you are authorized to provide such consent on their
behalf) to the processing (including disclosure and transfer) of that personal data for the purposes set out in this Policy.
V. DISCLOSURES OF GUEST PERSONAL DATA TO THIRD PARTIES
Disclosures to third parties
We do not sell your personal data to third parties for their own marketing purposes. We may share or disclose your personal data as follows:
• To affiliated and unaffiliated service providers for the sole
purpose of enabling them to provide services to us in connection with providing our services to you;
• Based on a good faith belief that such disclosure is necessary to investigate, prevent, or take
action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violation of our policy, as evidence in litigation in which we are involved, or to otherwise protect the rights or safety of
any person or entity;
• Based on a good-faith belief that disclosure is necessary to respond to judicial process, valid government inquiry, or is otherwise required by law;
• If
we are acquired by or merged with another entity, if all or part of our assets are acquired, or in response to a bankruptcy proceeding, we may transfer your information to the acquiring entity;
• When
posted by you or an authorized third-party, to our wikis, forums, blogs, message boards, chat rooms and other social networking environments or Sites;
• We also may share aggregate or non-personally
identifiable data about users with third parties for marketing, advertising, research, analytics or similar purposes; and
• To other third parties for purposes you have allowed or consented to.
Transfers out of the EEA and Switzerland
Some service providers and other recipients may be located in countries outside of the European Economic Area (EEA) or Switzerland; the data protection laws in such countries may not
provide a level of protection to Guest Personal Data equivalent to that provided by a Guest’s home country.
Wherever such a transfer is made, Crystal Cruises will (i) exercise appropriate due diligence in the selection of such third party service providers, (ii) ensure that Guest Personal Data is adequately protected via appropriate contractual measures (which shall include the European Commission Model Clauses where Guest Personal Data is transferred out of the EEA), and (iii) place such third party service providers under such contractual obligations as are required under applicable law (including that Guest Personal Data be processed only as instructed by Crystal Cruises and for no other purposes than those identified in this Policy). Guests may request and obtain a copy of the contractual measures taken by Crystal Cruises to ensure appropriate safeguards when personal data is transferred outside of the European Union or Switzerland.
Crystal Cruises may also disclose Guest Personal Data to governmental agencies and regulators (e.g., tax authorities), external advisors (e.g., lawyers, accountants, and auditors), courts and other tribunals, and government authorities or in the context of any sale or transaction involving all or a portion of the business, all to the extent required or permitted by applicable legal obligations.
Location of data processing and security measures
If you choose to provide us with your personal data, you understand that we are transferring it to Crystal Cruises’ locations and systems in the United States or to the locations
and systems of Crystal Cruises’ service providers around the world. Crystal Cruises has safeguards and security controls in place to protect your personal data. This includes appropriate technical and organizational measures to protect the personal
data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the data. Crystal Cruises obtains written assurances from any third-party data processors given access to your data so as to require
them to adopt standards that ensure an equivalent level of protection for data as that adopted by Crystal Cruises.
Social Media Websites / Interactive Services
If you engage in any interaction with us or other end-users or any third-party on any social media websites on which we have a page/account (e.g., Facebook®, Instagram®, Pinterest®,
Twitter® and YouTube®) or any interactive features on the Site (e.g., comments sections, customer ratings), you should be aware that: (a) the personal data that you submit by and through such social media websites or interactive features,
as applicable, can be read, collected and/or used by other users of these social media websites (depending on your privacy settings associated with your accounts with the applicable social media website) or our interactive features, and could be used
to send you unsolicited messages or otherwise to contact you without your consent or desire; and (b) where we respond to any interaction on such social media websites, your account name/handle may be viewable by any and all members/users of our social
media accounts. We are not responsible for the personal data that you choose to submit on any social media websites or interactive features on the Site. The social media websites operate independently from us, and we are not responsible for their
interfaces or privacy or security practices. We encourage you to review the privacy policies and settings of those social media websites with which you interact to help you understand their privacy practices. If you have questions about the security
and privacy settings of such social media websites, please refer to their applicable privacy notices or policies.
Third Party Websites
This Site may contain links to third-party owned and/or operated websites including, without limitation, the social media websites described above. We are not responsible for the privacy practices or the content
of such websites. In some cases, you may be able to make a purchase through one of these third-party websites. In these instances, you may be required to provide certain information to register or complete a transaction at such website. These third-party
websites have separate privacy and data collection practices and we have no responsibility or liability relating to them.
VI. DATA SUBJECT REQUESTS
You can contact us directly any time at the address below to update your personal data or make of the following requests regarding the data you know or believe Crystal Cruises holds about you:
(1) Access to your Guest Personal Data
You may contact Crystal Cruises at any time in order to request access to the personal data Crystal Cruises holds about you. Crystal
Cruises will provide details of the categories of personal data processed and the reasons for our processing. Crystal Cruises can also provide you with a copy of your personal data on request.
(2) Rectification or Erasure of your Guest Personal Data
If you notify us, or we otherwise become aware, that the personal data we hold is inaccurate, Crystal Cruises will not use it, and will not allow others to use it, until it is verified. You can ask Crystal Cruises to correct or complete our
record of your personal data by contacting us at any time. To the extent possible, Crystal Cruises will inform anyone who has received your personal data of any corrections.
You may, in certain limited circumstances where the processing
is not necessary in the context of your cruise or other services we provide to you, ask to have the personal data Crystal Cruises directly or indirectly processes deleted or removed. If the request is founded, Crystal Cruises will try to do
so promptly, and, to the extent possible, will inform anyone who has received your personal data of your request.
(3) Restriction of Processing
It
may be possible to require Crystal Cruises to limit the way in which it processes your personal data (i.e., require Crystal Cruises to continue to store your personal data, but cease certain processing activities with regard to it) where (i) you contest
the accuracy of the personal data we have for you, (ii) you believe our processing of your personal data is unlawful (but you oppose the erasure of your personal data and prefer that our processing be restricted instead), (iii) we no longer need your
personal data but you require such personal data for the establishment, exercise or defense of legal claims or (iv) you have objected to our processing pending the verification of our legitimate grounds for processing.
(4)
Halting of Processing based on an objection
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. If Crystal Cruises can show
sufficiently compelling legitimate grounds for processing your personal data, or Crystal Cruises needs your data to establish, exercise or defend legal claims, Crystal Cruises may continue to process it. Otherwise, Crystal Cruises will stop using
your personal data.
(5) Personal data portability – The ability to move Guest Personal Data to another controller
You have the right to
data portability in certain limited circumstances, where a) you provided the data to Crystal Cruises, b) our processing is based on your consent or is necessary to fulfill a contract with you, and c) our processing is automated. Crystal
Cruises may refuse your request if these criteria are not met.
(6) To withdraw your consent to Crystal Cruises’ Processing of your Guest Personal Data
Where we have relied on your consent as the legal grounds for processing, you may with draw your consent at any time. Withdrawal does not invalidate the consent-based processing that occurred prior to withdrawal.
(7)
To complain
You may contact us at any time where you believe that we are in breach of data protection laws or where you wish to make a complaint about our data processing. Furthermore, if you are located
in the EEA and you believe that our processing of your personal data is in breach of data protection laws, you have the right to lodge a complaint with the relevant data protection supervisory authority in the country where you are based or
any place in the EEA where you believe the infringement has occurred (or where you believe that we have not resolved an issue you have raised with us).
Responding to your requests
Crystal Cruises shall provide you with a response to any request you make in connection with your rights without undue delay and in any event within one month of receipt of the request. That period may
be extended by up to two additional months where necessary, taking into account the complexity and number of the requests. Crystal Cruises shall inform you of any such extension within one month of receipt of the request, together with the reasons
for the delay. Where you make the request by electronic means, the data shall be provided by electronic means where possible, unless otherwise requested by you.
If, after evaluating the legitimacy of the request, Crystal Cruises does not take action on the request, Crystal Cruises shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Special Notice for California Residents
In compliance with California law, we provide California residents with certain information upon request (“Consumer Request”). This Policy outlines how California residents can
request the information and what you can receive.
If you would like to submit a Consumer Request, you can contact Crystal Cruises at privacy@crystalcruises.com. You can also call Crystal Cruises, toll-free, at 786-971-1170. If you choose to submit a Consumer Request you must provide us with enough information to identify you and enough specificity on the requested data. Crystal Cruises will only use the information it receives to respond to your request. Crystal Cruises will not be able to disclose information if it cannot verify that the person making the Consumer Request is the person about whom we collected information, or someone authorized to act on such person’s behalf.
1. Request to Access. You may submit a Consumer Request to obtain a copy of or access to the personal information that Crystal Cruises has collected on you.
2.
Request to Know. You may submit a Consumer Request to receive information about Crystal Cruises’ data collection practices. You may request information on the categories of personal information (as defined by California
law) Crystal Cruises has collected about you; the categories of data collection sources; Crystal Cruises’ business or commercial purpose for collecting or selling personal information; the categories of third parties with whom Crystal Cruises
shares personal information, if any; and the specific pieces of personal information we have collected about you.
Please note that the categories of personal information and sources will not exceed what is contained in this Policy. Additionally, Crystal Cruises is not required to retain any information about you if it is only used for a one-time transaction and would not be maintained in the ordinary course of business. Crystal Cruises is also not required to reidentify personal information if it is not stored in that manner already, nor is it required to provide the personal information to you more than twice in a twelve-month period.
3. Request to Delete. You may request that Crystal Cruises delete your personal information. Subject to certain exceptions set out below we will, on receipt of a verifiable Consumer Request, delete your personal information from our records and direct any service providers to do the same.
Please note that we may not delete your personal information if it is necessary to:
• complete the transaction for which the personal information was collected;
• provide
a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us;
• detect security incidents,
protect against malicious, deceptive activity, and take all necessary and appropriate steps to mitigate current and future risk;
• debug and repair internal information technology as necessary;
• undertake internal research for technological development and demonstration;
• exercise free speech, ensure the right of another consumer to exercise his
or her right of free speech, or exercise another right provided for by law;
• comply with the California Electronic Communications Privacy Act;
• engage
in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair
the achievement of such research, provided we have obtained your informed consent;
• enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
• comply with an existing legal obligation; or
• otherwise use your personal information, internally, in a lawful manner that is compatible with the context
in which you provided the information.
Crystal Cruises may not, and will not, treat you differently because of your Consumer Request activity. As a result of your Consumer Request activity, we may not and will not deny goods or services
to you; charge different rates for goods or services; provide a different level quality of goods or services; or suggest any of the preceding will occur. However, we can and may charge you a different rate, or provide a different level of quality,
if the difference is reasonably related to the value provided by your personal information.
Special Notice for Nevada Residents
Crystal Cruises does not sell, rent, or lease your personally identifiable information to third parties. However, if you are a resident of Nevada and would like to submit a request not to sell your personally identifiable information, you may do so by emailing us at privacy@crystalcruises.com or calling us at 786-971-1170.
VII. SECURITY & RETENTION
Crystal Cruises maintains technical and organizational security measures to protect against unauthorized or unlawful processing of Guest Personal Data and accidental or unlawful loss, alteration, disclosure, destruction or damage of, or access to, Guest Personal Data.
Please be advised, however, that while we take reasonable security measures to protect your data, such measures cannot be guaranteed to be 100% secure.
Crystal Cruises will retain Guest Personal Data no longer than is necessary to carry out the purposes listed in this Policy and/or as required by applicable law or in connection with actual or prospective legal proceedings.
VIII. CHANGES TO THIS PRIVACY POLICY
We reserve the right to change, modify, add or remove portions of this statement from time to time and at our sole discretion, but will alert you that changes have been made either by email or other indication on our Site. We will always include on this
Policy the date of its effectiveness (see Effective Date above). Where required to do so by law, Crystal Cruises may need to re-obtain your consent for certain processing activities for material changes to this Policy or our data processing activities.
IX. QUESTIONS & CONCERNS
Guests who have questions, comments or access requests related to the transfer of their Guest Personal Data to the United States can also contact the Crystal Cruises Global Privacy Team at:
privacy@crystalcruises.com
786-971-1170
1501 Biscayne Boulevard
Suite 501
Miami, FL 33132
CRYSTAL CRUISES ONLINE COOKIE POLICY
Crystal Cruises, LLC, and our third-party providers set and use cookies and similar technologies in order to distinguish you from other users of our Site, to provide a better experience when you browse our Site, and to improve the Site’s performance and usefulness.
The use of cookies and similar technologies is standard across websites and applications through which information is collected about your online activities.
A cookie is a small data file that websites place on your hard drive when you visit. A cookie file can contain information such as a user ID that tracks the pages you’ve visited within that site. The cookies on this Site are primarily used to recognize that a user has visited the website previously and to track user traffic patterns. In addition, we use cookies to present relevant content and establish customer profiles. We do not share this information or sell it to any third party.
Types of Cookies We Use
Following is a list of cookies with brief descriptions, to better inform our users why we use cookies on our site. For your convenience, we have split them into three categories.
Strictly Necessary Cookies: These are essential to navigate around our Site and use its features. Without them, you would not be able to use basic services like account registration. These cookies do not collect information about you that could be used for marketing or tracking.
Functionality Cookies: These are used to recognize you when you return to our Site, enabling us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
Tracking Cookies: These cookies enable us to collect information such as number of visitors to the Site and pages visited in order to analyze user behavior. This information is collected in an anonymous format and will be collated with similar information received from other users. We use these cookies to determine the usefulness of the information we supply to you and other users, to track your purchases from this site, and to see how effective our navigation is in helping users reach that information.
Managing Cookies
If you prefer not to receive cookies through the Site, you can set your browser to warn you before accepting cookies and refuse the cookie when your browser alerts you to its presence. You also can refuse all cookies
by turning them off in your browser. You do not need to have cookies turned on to use any pages within our Site. However, if you chose to not accept cookies, some functionality will be limited. For more information about cookies, including how
to set your browser to reject cookies, visit www.allaboutcookies.org.
Cookie Expiration
Some of the cookies we use will remain on your computer after the browser is closed. Until removed, the cookies will become active again when the Site is reopened. Cookies can be deleted by you, at any time, and will not collect
any information when you are not accessing the Site.
Other Tracking Technologies
In addition to cookies, our Site also utilizes the following tracking technologies:
• Web beacons: Our Site contain electronic images known as web
beacons (also called single-pixel gifs and transparent graphic images). We use web beacons/ pixels to understand aggregate traffic to our website pages. Third parties use tracking pixels according to their terms of use.
• Embedded
script: An embedded script is programming code that is designed to collect information about your interactions with the Site, such as the links you click on. The code is temporarily downloaded onto your device from our web server or a third-party
service provider, is active only while you are connected to the Site and is deactivated or deleted thereafter. We use web embedded scripts to understand aggregate traffic to our website pages.
• Web
server & application logs: Our servers automatically collect certain information to help us administer and protect the services we provide, analyze usage, and improve users’ experience. The information collected includes the following:
- IP address and browser type;
- Device operating system and other technical facts;
- The city, state and country from which you access the Website;
- Pages visited, and content viewed and stored;
- Information or text
entered;
- Links and buttons clicked (i.e., IP address information such as the referring and destination URL).
Global Privacy Policy/Notice
Crystal Cruises, LLC
Update Ver. 01.09.20