Published on 28/08/2020
1. Who are we?
In this Privacy Notice (the "Notice"), the terms "we", "our", and "us" are used to refer to CalMac Ferries Limited of The Ferry Terminal, Gourock, PA19 1QP, company number SC302282.
You can contact us with any queries regarding this Notice using the details set out in section 14 of this Notice.
We are a controller of your data which means that we are responsible for looking after it. We are duly registered as a Data Controller with the UK Supervisory Authority, The ICO and our registration number is Z9867026.
This Notice sets out how we use and protect any personal data that you provide to us, whether by phone call, text, email, social media, paper form, through using our website or when you attend one of our community stakeholder events.
We are committed to protecting the privacy of users when using our services. Any personal data that is collected will be used fairly, lawfully and in a way which is transparent, and in accordance with:
- The General Data Protection Regulation;
- The Data Protection Act 2018;
- And any legislation that, in respect of the United Kingdom, replaces, or enacts into United Kingdom domestic law, the General Data Protection Regulation (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection, the processing of personal data and privacy as a consequence of the United Kingdom leaving the European Union - (the "Data Protection Laws").
3. What personal data we may collect about you
We may collect, store and use the following types of personal data:
- Your full name, gender and date of birth;
- Your full postal address;
- Contact information such as phone numbers, email address or social media identifiers;
- Data relating to your travel booking and itinerary;
- Information regarding any additional boarding assistance needed, and other information related to your needs and preferences such as dietary requirements;
- Vehicle details and registration number;
- Demographic information, which may include your postcode, preferences and interests;
- Job application details including CVs;
- CCTV image data collected at ports, on vessels and (on some routes) via Bodycams;
- Data collected through your access to, and use of, the CalMac public Wi-Fi service on vessels and in ports (your e-mail address, hardware device MAC address, and the date and time you connect to the CalMac WIFI Service); information about other passengers in your booking;
- Advance Passenger Information (where required by legislation). This information includes your full name, your nationality, your date of birth and your gender, and
- Communications you exchange with us (for example, your emails, letters, texts, phone calls, social media interactions with us, or your participation and interaction at community stakeholder events.)
The personal data you provide is used for service and operational purposes, for example making reservations, processing payments, producing tickets, alerting of service interruptions, confirming orders, fulfilling your requests, protection of yourself and others.
4 How we collect the personal data
Where we collect your data from is set out in more detail in this section.
Information that you give us
You may share your personal data about yourself and your circumstances when you:
- Make a reservation with us, including telephone reservations where the personal information is placed into our reservations system;
- Sign up for any of our services or activities;
- Request a brochure or newsletter;
- Enter a competition;
- Respond to a survey;
- Create a customer account;
- Purchase an adventure and/or good using our online sales platform
- Provide passenger information to comply with maritime regulations;
- Participate in our recruitment processes;
- Provide feedback or otherwise interact with us, including via social media, email, phone call, text or at Community stakeholder events, or
- Make a complaint or passenger claim.
Information that we collect about you
We will only request and collect personal data which is necessary or reasonable in order to provide you with our services, for further details on how we use your personal data please see section 5 below.
You do not have to provide your personal data to us. However, if you do not provide your personal data to us when we need you to, we may not be able to provide our services to you or respond to your queries. For example, under Merchant Shipping (Counting and Registration of Persons on Board Passenger Ships) Regulations 1999, we are required to produce, for maritime safety, a passenger list for our longer sailings. If you do not provide this required data then you would not be eligible to travel on these routes.
Our legal basis for using your personal data
We will only process your personal data where we have legal grounds to do so. The legal grounds will depend on the purpose of the personal data collected and its processing requirements.
The legal grounds on which we rely to use your personal data are:
- To allow us to perform our contract with you. When you purchase services from us, a contract between you and us will have been entered into. In order for us to fulfil our obligations under such contract, we will need to collect and process your personal data, including payment information. Failure to provide the requisite personal information on sign-up and payment information on entering into the contract or objecting to this type of processing/exercising your deletion rights will mean that we cannot provide our services to you;
- To allow us to exercise our legitimate interests as a data controller. We rely on legitimate interests as a data controller to process the personal data that you provide to us when using our services. It is in our legitimate interests as a business to process the above personal data in order to administer our website, to ensure that content from our website is presented to you effectively and securely, to run contests, other promotional features and ensure the safety of our vessels, passengers and staff;
- In certain circumstances we will need to use your personal data to comply with a legal obligation;
- On the basis that you have consented to us storing and using your information for purposes;
- To protect your vital interests or those of another person.
5 How we will use the personal data we collect
We will use your personal data in order to:
- Manage your travel bookings and/or provide you with the services you request;
- Manage the boarding process;
- Send status updates and service communications to you.;
- Support your safety and wellbeing when you sail with us and to meet specific maritime regulations with which we must comply;
- Communicate with you about your account or transactions with us and send you information about our products and services;
- Communicate with you regarding e-magazine subscriptions you have opted-in to;
- Support specific management and administrative purposes;
- Analyse and improve the services offered on our website;
- Enhance passenger experience, we want to ensure that you receive the best service possible therefore we may share your personal data with a 3rd party to gain customer feedback on your journey
- Comply with our legal obligations;
- Undertake our company administrative purposes, such as billing, accounting, invoice processing, concession processing, service and targeted marketing campaign analysis, and systems development; and,
- Investigate any allegations of complaints or abusive behaviour before, during or after using our services or crossings and impose any relevant sanctions or travel bans as is required to protect our vessels, other passengers and staff. This may also include holding a record of these incidents within our reservations and customer care systems.
Consistent with your choices, and subject to your consent, we may send you information regarding offers and promotions. You can alter your choices and withdraw your consent at any time using the process set out in section 8.
We will not share your personal data with third parties for marketing purposes without your explicit consent. You have right to withdraw your consent to processing of this nature at any time using the process set out in section 12.
6 Security of your personal data
We are committed to implementing appropriate technical and organisational measures in order to prevent your personal data from being accidentally or unlawfully destroyed, lost, altered or accessed or otherwise used in an unlawful manner.
The personal data that you provide to us will be held in our systems, which are located on our premises or those of an appointed third party.
We will only transfer your data outside of the European Economic Area ('EEA') if it is necessary in order to comply with a legal obligation or to provide our products and services.
Where personal data is transferred outside of the EEA, we will ensure that it is protected at least to the same standards as if it was being processed within the EEA. To ensure this, we will apply at least one of the following data security provisions:
- Only transfer the personal data to a non-EEA country with privacy laws that give the same protection as the Data Protection Laws in the EEA; or
- Ensure that any appointed processor is only engaged through a contract which incorporates a set of contractual provisions approved by the European Commission for use when establishing contractual safeguards that meet the data protection compliance standards that are imposed under the Data Protection Laws in the EEA; or
- Transfer the personal data to organisations that are certified under a data protection regime specific to the country to which the personal data is being transferred (an example being the US Privacy Shield arrangement, administered by the International Trade Administration within the U.S. Department of Commerce which sets an EU Commission-approved privacy standard for data transferred between the US and EU countries).
For further details regarding these data security provisions please refer to the European Commission and Information Commissioner's Office (ICO) websites.
7 When and why we disclose your details to anyone else
Ordinarily, we will not share your personal data except where disclosure is required or permitted by law.
If we are investigating any complaint, abusive or violent behaviour, information may be collected from any source(s) disclosed in Sections 3 and 4 above and disclosed to Police Scotland, The Local Authority / Council and/or Council Departments, Scottish Fire & Rescue Service and others involved in any complaint, whether investigating the complaint or otherwise;
We are a member of the David MacBrayne Group of companies (referred to in this Notice as "DML Group"). In common with many businesses that operate as part of a group, different members of DML Group carry out certain administrative tasks that need to be undertaken in order to allow us to provide our services to you. In order to allow those tasks to be carried out, we may share your personal data with other DML Group members, but we will only do so where it is necessary in order to allow us to provide our services to you. Any sharing of your personal data with another DML Group member will always be carried out in accordance with the terms of this Notice and we will be responsible to you for the data processing activity that is carried out.
In addition to the DML Group arrangements referred to above, we do, on occasion, use carefully selected third parties to process personal data on our behalf, such as our payment service provider and insurer. We will only share your personal data with these third parties where it is necessary for them to provide us with the services that we rely upon to operate our business. We tightly control that processing activity, requiring that the third parties concerned only process personal data on our behalf securely, in accordance with the Data Protection Laws and then only for the purposes that we have set out.
8 Your choices regarding the personal data you provide to us
The security, integrity and confidentiality of your personal data is extremely important to us and we take all reasonable precautions to prevent the loss, destruction, misuse or alteration of your personal data.
You may choose to restrict the collection or use of your personal data in the following ways:
- Whenever you are asked to fill in a form on the website, you will have the option of ticking the box that indicates you are satisfied for your personal data to be used for marketing purposes. If you do not tick that box, we will not use your personal data for marketing purposes.
- If you have previously agreed to us using your personal data for direct marketing purposes, you may change your mind at any time by emailing us at: email@example.com
We will not sell, distribute or lease your personal data to third parties. With your permission, we may use your personal data to send you promotional information about third parties which we consider may be of interest to you.
Cookies tell us how often you visit our website, which helps us learn what information interests you. In this way, we can give you more of the content you like and less of the content you don't.
Cookies let you store preferences and user names, register products and services, and personalise pages.
Most web browsers automatically accept cookies but you can usually modify your web browser settings to decline or delete cookies if you prefer, this may however prevent you from taking full advantage of our website
This is used to store whether you have agreed to receive cookies.
Persistent for one year.
These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.
The Anonymise IP feature within Google Analytics Universal has been enabled to ensure that your IP address is not tracked from the calmac.co.uk website. Please refer to https://support.google.com/analytics/answer/2763052 for further information.
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.
10 Links and Third Party Websites
This Notice applies to this website only.
This website may include links to other websites, including our e-commerce provider, the Orb Group. Once you have used these links to leave our website, you should note that Calmac have no control over the other website(s). We cannot, therefore, be responsible for the protection and privacy of any data you supply to other parties whilst visiting their websites. We advise you to familiarise yourself with the individual privacy notices and terms & conditions for each linked website prior to submitting your personal data to that site.
11 Changes to this Privacy Notice
From time to time we may change this Notice to accommodate industry practices, new regulatory requirements, or for other purposes. Any changes will be effective when posted and your continued use of this website will indicate your acceptance of these changes. If we make significant changes to our Privacy Notices, we may alert you to these either via a specific 'bulletin' notice on our home page, or by email and/or post.
This Notice was last reviewed and updated on 28 August 2020.
12 Your rights
You have a number of rights under the Data Protection Laws in relation to the way we process your personal data, which are set out below. You may contact us using the details in section 14 of this Notice to exercise any of these rights.
Alternatively, you can use our Subject Data Request to assist you through this process.
In some instances, we may be unable to carry out your request, in which case we will write to you to explain why.
1. You have the right to request access to your personal data
You have the right to request confirmation that your personal data is being processed, access to your personal data (through us providing a copy) and other information about how we process your personal data.
2. You have the right to ask us to rectify your personal data
You have the right to request that we rectify your personal data if it is not accurate or not complete.
3. You have the right to ask us to erase your personal data
You have the right to ask us to erase or delete your personal data where there is no reason for us to continue to process your personal data. This right would apply if you object to the way we process your personal data (see right 6 below).
4. You have the right to ask us to restrict or block the processing of your personal data
You have the right to ask us to restrict or block the processing of your personal data that we hold about you. This right applies where you believe the personal data is not accurate, you would rather we block the processing of your personal data rather than erase your personal data, where we don't need to use your personal data for the purpose we collected it for but you may require it to establish, exercise or defend legal claims.
5. You have the right to port your personal data
You have the right to obtain and reuse your personal data from us to reuse for your own purposes across different services. This allows you to move personal data easily to another organisation, or to request us to do this for you.
6. You have the right to object to our processing of your personal data
You have the right to object to our processing of your personal data on the basis of our legitimate business interests, unless we are able to demonstrate that, on balance, our legitimate interests override your rights or we need to continue processing your personal data for the establishment, exercise or defence of legal claims.
7. You have the right not to be subject to automated decisions
You have the right to object to any automated decision making, including profiling, where the decision has a legal or significant impact on you.
8. You have the right to withdraw your consent
You have the right to withdraw your consent where we are relying on it to use your personal data.
13 How long do we keep personal data?
Any personal data collected and stored by us will be retained as per our records and retention schedule and will only be used for the purposes for which it was collected. For example, we will store data needed to process and manage your booking, so we can fulfil the specific travel services you have reserved. After you have travelled, we will store the personal data provided only for the required period within which we may be required to manage any complaints, queries or claims related to the booking.
Where data is held for longer, for example to provide longer term statistical and trends analysis on our services, then the data will be anonymised to the extent that no personal data remains in that dataset.
14 Contacting us
If you have any questions or comments about this Notice, or our treatment of your personal data, please write to us by post or by email at:
By post: By email:
Records Manager firstname.lastname@example.org
CalMac Ferries Ltd.
15. If you're unhappy
You also have the right to complain to the Information Commissioner where you believe any alleged infringement of data protection laws occurred. We would, however, appreciate the chance to deal with your concerns before you approach the Information Commissioner so please contact us (in accordance with section 14 above) in the first instance.
If you still believe that we have not handled your personal data properly or have not complied with your rights, you can complain to the Information Commissioner.
Contact details are available at: www.ico.org.uk