EFFECTIVE DATE: January 1, 2020
Crystal Cruises, LLC (“Crystal Cruises” or “we”) recognizes the importance of protecting the privacy of all information provided by users when they use crystalcruises.com (the “Site”)
or otherwise interact with Crystal Cruises in general. We created the following policy guidelines with a fundamental respect for our users' right to privacy and because we value our relationships with our users.
This Policy is written in the English language. We do not guarantee the accuracy of any translated versions of this Policy. To the extent any translated versions of this Policy conflict with the English language version, the English language version of
this Policy shall control.
II. HOW DATA IS COLLECTED
Information you provide to us
Crystal Cruises will collect personal data from you when you interact with our Site(s), contact our Agents, use our services, or purchase our products.
Information we obtain indirectly
We may receive personal data about you from our third-party affiliates or partners and from marketing companies that provide us with such information as a part of their relationship with us.
We may combine this with data that we already have collected about you. Such collected data could include contact details (such as email address) and previous purchase history or interests.
Information collected automatically
Crystal Cruises feels strongly about protecting the privacy of children. Crystal Cruises’ Site is not targeted for use by children under the age of 18 (“children”). Crystal Cruises does not knowingly collect personal information from children in connection with the features of our websites without the consent of a parent or guardian. Crystal Cruises request that all children who may visit the Site not disclose or provide any personal data. Children may not access those sections of the Site that require registration. Upon notification that a child has provided us with personally identifiable information, we will delete the child’s personally identifiable information from our records. If you believe we might have any information from a child, please email us at email@example.com or call us at 786-971-1170.
III. CATEGORIES OF GUEST PERSONAL DATA AND PURPOSE FOR PROCESSING
Crystal Cruises collects and processes the following categories of Guest Personal Data, for the purposes specified below:
|Categories of Guest Personal Data||Purpose of processing|
• Communicate, interact and identify you and customize the content, products and services that are offered to you;
• Conduct our business and improve our Sites and services, develop new products and services, provide information and support, to better understand your needs and interests, personalize communications and advertising, and generally
promote a quality experience for you.
• Process transactions you enter into with us (e.g., purchase of goods and services, refunds, discounts and offers)
• Perform certain automated decision-making, including profiling, which is used for direct marketing
• Comply with legal requirements
• Verify your authority to enter and use our Site and other services
• Health information prior to embarkation
• Casino third parties related to marketing and background checks
• Measure, analyze and improve our products and services, the effectiveness of our websites, and our advertising and marketing
The type of Guest Personal Data collected by Crystal Cruises may vary from country to country, and in some countries Crystal Cruises might not collect all of the categories of Guest Personal Data listed above.
Crystal Cruises is committed to only collecting and processing the minimum amount of data from you that is necessary to the purposes of our data processing activities, and to retaining such data only if required to fulfill such purposes. Where applicable, if Crystal Cruises intends to further process the personal data for a purpose other than that for which the personal data was initially collected, Crystal Cruises shall, prior to such processing, provide you with any relevant information on such additional purpose, and, to the extent required by applicable law, obtain your consent for this.
IV. THE LEGAL GROUNDS FOR PROCESSING GUEST PERSONAL DATA
In most instances, we process your personal data under the legitimate interests of providing you products and services related to your voyage. In other instances, we obtain your consent to process your personal data where we are required to do so
by applicable law – for example, where we want to use your contact details for marketing purposes or where the personal data we are collecting from you is sensitive personal data, including racial or ethnic origin, political opinions, religious
or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data, and we are not lawfully permitted to process your personal data on any other legal grounds. Where we rely
on your consent for processing your personal data, you may withdraw your consent at any time, by contacting us at firstname.lastname@example.org. Please note, however, that withdrawing your consent
will not affect the lawfulness of processing based on the consent you gave prior to withdrawal.
Where we process your personal data for direct marketing purposes, we will log your objection to and stop such processing of your data, and we will not contact you again if requested. You may object to such direct marketing by clicking the unsubscribe link in each such direct marketing message or contacting us at privacy@email@example.com or by using the contact details below.
While we always want you to be aware of how we are using your personal information, this does not necessarily mean in every instance that we are required to ask for your consent before we can use it. There may be instances where we process your personal data for our legitimate interests (furthering our business relationship with you) or on the basis of other lawful grounds (i.e., because we have established a relationship with you and need to process your personal data in order to provide you with the information and/or services you have requested), without having obtained your consent. We do not seek your consent in such cases largely so that we can provide you with services in an efficient way (or where in some cases it might not be possible for us to seek your consent because we must process personal data, for example, for the detection of fraud). Before processing your personal data, we will consider your rights and freedoms and will only commence such processing where we do not think your rights will be infringed.
Except as otherwise provided in this Policy, only a limited number of individuals within Crystal Cruises’ legal, finance, IT, accounting and customer care departments, as well as certain managers (i.e., only persons with assigned responsibility or managerial responsibility for a Guest or groups of Guests) will receive access to Guest Personal Data when necessary in connection with their job responsibilities.
If you provide Crystal Cruises with personal data about members of your family and/or other dependents (e.g., for emergency contact or benefits administration purposes), it is your responsibility to inform them of their rights relating to the processing of their personal data for these purposes. You are also responsible for obtaining the explicit consent of these individuals (unless you are authorized to provide such consent on their behalf) to the processing (including disclosure and transfer) of that personal data for the purposes set out in this Policy.
V. DISCLOSURES OF GUEST PERSONAL DATA TO THIRD PARTIES
Disclosures to third parties
We do not sell your personal data to third parties for their own marketing purposes. We may share or disclose your personal data as follows:
• To affiliated and unaffiliated service providers for the sole purpose of enabling them to provide services to us in connection with providing our services to you;
• Based on a good faith belief that such disclosure is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violation of our policy, as evidence in litigation in which we are involved, or to otherwise protect the rights or safety of any person or entity;
• Based on a good-faith belief that disclosure is necessary to respond to judicial process, valid government inquiry, or is otherwise required by law;
• If we are acquired by or merged with another entity, if all or part of our assets are acquired, or in response to a bankruptcy proceeding, we may transfer your information to the acquiring entity;
• When posted by you or an authorized third-party, to our wikis, forums, blogs, message boards, chat rooms and other social networking environments or Sites;
• We also may share aggregate or non-personally identifiable data about users with third parties for marketing, advertising, research, analytics or similar purposes; and
• To other third parties for purposes you have allowed or consented to.
Transfers out of the EEA and Switzerland
Some service providers and other recipients may be located in countries outside of the European Economic Area (EEA) or Switzerland; the data protection laws in such countries may not provide a level of protection to Guest Personal Data equivalent to that provided by a Guest’s home country.
Wherever such a transfer is made, Crystal Cruises will (i) exercise appropriate due diligence in the selection of such third party service providers, (ii) ensure that Guest Personal Data is adequately protected via appropriate contractual measures (which shall include the European Commission Model Clauses where Guest Personal Data is transferred out of the EEA), and (iii) place such third party service providers under such contractual obligations as are required under applicable law (including that Guest Personal Data be processed only as instructed by Crystal Cruises and for no other purposes than those identified in this Policy). Guests may request and obtain a copy of the contractual measures taken by Crystal Cruises to ensure appropriate safeguards when personal data is transferred outside of the European Union or Switzerland.
Crystal Cruises may also disclose Guest Personal Data to governmental agencies and regulators (e.g., tax authorities), external advisors (e.g., lawyers, accountants, and auditors), courts and other tribunals, and government authorities or in the context of any sale or transaction involving all or a portion of the business, all to the extent required or permitted by applicable legal obligations.
Location of data processing and security measures
If you choose to provide us with your personal data, you understand that we are transferring it to Crystal Cruises’ locations and systems in the United States or to the locations and systems of Crystal Cruises’ service providers around the world. Crystal Cruises has safeguards and security controls in place to protect your personal data. This includes appropriate technical and organizational measures to protect the personal data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the data. Crystal Cruises obtains written assurances from any third-party data processors given access to your data so as to require them to adopt standards that ensure an equivalent level of protection for data as that adopted by Crystal Cruises.
Social Media Websites / Interactive Services
If you engage in any interaction with us or other end-users or any third-party on any social media websites on which we have a page/account (e.g., Facebook®, Instagram®, Pinterest®, Twitter® and YouTube®) or any interactive features on the Site (e.g., comments sections, customer ratings), you should be aware that: (a) the personal data that you submit by and through such social media websites or interactive features, as applicable, can be read, collected and/or used by other users of these social media websites (depending on your privacy settings associated with your accounts with the applicable social media website) or our interactive features, and could be used to send you unsolicited messages or otherwise to contact you without your consent or desire; and (b) where we respond to any interaction on such social media websites, your account name/handle may be viewable by any and all members/users of our social media accounts. We are not responsible for the personal data that you choose to submit on any social media websites or interactive features on the Site. The social media websites operate independently from us, and we are not responsible for their interfaces or privacy or security practices. We encourage you to review the privacy policies and settings of those social media websites with which you interact to help you understand their privacy practices. If you have questions about the security and privacy settings of such social media websites, please refer to their applicable privacy notices or policies.
Third Party Websites
This Site may contain links to third-party owned and/or operated websites including, without limitation, the social media websites described above. We are not responsible for the privacy practices or the content of such websites. In some cases, you may be able to make a purchase through one of these third-party websites. In these instances, you may be required to provide certain information to register or complete a transaction at such website. These third-party websites have separate privacy and data collection practices and we have no responsibility or liability relating to them.
VI. DATA SUBJECT REQUESTS
You can contact us directly any time at the address below to update your personal data or make of the following requests regarding the data you know or believe Crystal Cruises holds about you:
(1) Access to your Guest Personal Data
You may contact Crystal Cruises at any time in order to request access to the personal data Crystal Cruises holds about you. Crystal Cruises will provide details of the categories of personal data processed and the reasons for our processing. Crystal Cruises can also provide you with a copy of your personal data on request.
(2) Rectification or Erasure of your Guest Personal Data
If you notify us, or we otherwise become aware, that the personal data we hold is inaccurate, Crystal Cruises will not use it, and will not allow others to use it, until it is verified. You can ask Crystal Cruises to correct or complete our record of your personal data by contacting us at any time. To the extent possible, Crystal Cruises will inform anyone who has received your personal data of any corrections.
You may, in certain limited circumstances where the processing is not necessary in the context of your cruise or other services we provide to you, ask to have the personal data Crystal Cruises directly or indirectly processes deleted or removed. If the request is founded, Crystal Cruises will try to do so promptly, and, to the extent possible, will inform anyone who has received your personal data of your request.
(3) Restriction of Processing
It may be possible to require Crystal Cruises to limit the way in which it processes your personal data (i.e., require Crystal Cruises to continue to store your personal data, but cease certain processing activities with regard to it) where (i) you contest the accuracy of the personal data we have for you, (ii) you believe our processing of your personal data is unlawful (but you oppose the erasure of your personal data and prefer that our processing be restricted instead), (iii) we no longer need your personal data but you require such personal data for the establishment, exercise or defense of legal claims or (iv) you have objected to our processing pending the verification of our legitimate grounds for processing.
(4) Halting of Processing based on an objection
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. If Crystal Cruises can show sufficiently compelling legitimate grounds for processing your personal data, or Crystal Cruises needs your data to establish, exercise or defend legal claims, Crystal Cruises may continue to process it. Otherwise, Crystal Cruises will stop using your personal data.
(5) Personal data portability – The ability to move Guest Personal Data to another controller
You have the right to data portability in certain limited circumstances, where a) you provided the data to Crystal Cruises, b) our processing is based on your consent or is necessary to fulfill a contract with you, and c) our processing is automated. Crystal Cruises may refuse your request if these criteria are not met.
(6) To withdraw your consent to Crystal Cruises’ Processing of your Guest Personal Data
Where we have relied on your consent as the legal grounds for processing, you may with draw your consent at any time. Withdrawal does not invalidate the consent-based processing that occurred prior to withdrawal.
(7) To complain
You may contact us at any time where you believe that we are in breach of data protection laws or where you wish to make a complaint about our data processing. Furthermore, if you are located in the EEA and you believe that our processing of your personal data is in breach of data protection laws, you have the right to lodge a complaint with the relevant data protection supervisory authority in the country where you are based or any place in the EEA where you believe the infringement has occurred (or where you believe that we have not resolved an issue you have raised with us).
Responding to your requests
Crystal Cruises shall provide you with a response to any request you make in connection with your rights without undue delay and in any event within one month of receipt of the request. That period may be extended by up to two additional months where necessary, taking into account the complexity and number of the requests. Crystal Cruises shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Where you make the request by electronic means, the data shall be provided by electronic means where possible, unless otherwise requested by you.
If, after evaluating the legitimacy of the request, Crystal Cruises does not take action on the request, Crystal Cruises shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Special Notice for California Residents
In compliance with California law, we provide California residents with certain information upon request (“Consumer Request”). This Policy outlines how California residents can request the information and what you can receive.
If you would like to submit a Consumer Request, you can contact Crystal Cruises at firstname.lastname@example.org. You can also call Crystal Cruises, toll-free, at 786-971-1170. If you choose to submit a Consumer Request you must provide us with enough information to identify you and enough specificity on the requested data. Crystal Cruises will only use the information it receives to respond to your request. Crystal Cruises will not be able to disclose information if it cannot verify that the person making the Consumer Request is the person about whom we collected information, or someone authorized to act on such person’s behalf.
1. Request to Access. You may submit a Consumer Request to obtain a copy of or access to the personal information that Crystal Cruises has collected on you.
2. Request to Know. You may submit a Consumer Request to receive information about Crystal Cruises’ data collection practices. You may request information on the categories of personal information (as defined by California law) Crystal Cruises has collected about you; the categories of data collection sources; Crystal Cruises’ business or commercial purpose for collecting or selling personal information; the categories of third parties with whom Crystal Cruises shares personal information, if any; and the specific pieces of personal information we have collected about you.
Please note that the categories of personal information and sources will not exceed what is contained in this Policy. Additionally, Crystal Cruises is not required to retain any information about you if it is only used for a one-time transaction and would not be maintained in the ordinary course of business. Crystal Cruises is also not required to reidentify personal information if it is not stored in that manner already, nor is it required to provide the personal information to you more than twice in a twelve-month period.
3. Request to Delete. You may request that Crystal Cruises delete your personal information. Subject to certain exceptions set out below we will, on receipt of a verifiable Consumer Request, delete your personal information from our records and direct any service providers to do the same.
Please note that we may not delete your personal information if it is necessary to:
• complete the transaction for which the personal information was collected;
• provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us;
• detect security incidents, protect against malicious, deceptive activity, and take all necessary and appropriate steps to mitigate current and future risk;
• debug and repair internal information technology as necessary;
• undertake internal research for technological development and demonstration;
• exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
• comply with the California Electronic Communications Privacy Act;
• engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent;
• enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
• comply with an existing legal obligation; or
• otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.
Crystal Cruises may not, and will not, treat you differently because of your Consumer Request activity. As a result of your Consumer Request activity, we may not and will not deny goods or services to you; charge different rates for goods or services; provide a different level quality of goods or services; or suggest any of the preceding will occur. However, we can and may charge you a different rate, or provide a different level of quality, if the difference is reasonably related to the value provided by your personal information.
Special Notice for Nevada Residents
Crystal Cruises does not sell, rent, or lease your personally identifiable information to third parties. However, if you are a resident of Nevada and would like to submit a request not to sell your personally identifiable information, you may do so by emailing us at email@example.com or calling us at 786-971-1170.
VII. SECURITY & RETENTION
Crystal Cruises maintains technical and organizational security measures to protect against unauthorized or unlawful processing of Guest Personal Data and accidental or unlawful loss, alteration, disclosure, destruction or damage of, or access to, Guest Personal Data.
Please be advised, however, that while we take reasonable security measures to protect your data, such measures cannot be guaranteed to be 100% secure.
Crystal Cruises will retain Guest Personal Data no longer than is necessary to carry out the purposes listed in this Policy and/or as required by applicable law or in connection with actual or prospective legal proceedings.
We reserve the right to change, modify, add or remove portions of this statement from time to time and at our sole discretion, but will alert you that changes have been made either by email or other indication on our Site. We will always include on this
Policy the date of its effectiveness (see Effective Date above). Where required to do so by law, Crystal Cruises may need to re-obtain your consent for certain processing activities for material changes to this Policy or our data processing activities.
IX. QUESTIONS & CONCERNS
Guests who have questions, comments or access requests related to the transfer of their Guest Personal Data to the United States can also contact the Crystal Cruises Global Privacy Team at:
1501 Biscayne Boulevard
Miami, FL 33132
Types of Cookies We Use
Strictly Necessary Cookies: These are essential to navigate around our Site and use its features. Without them, you would not be able to use basic services like account registration. These cookies do not collect information about you that could be used for marketing or tracking.
Functionality Cookies: These are used to recognize you when you return to our Site, enabling us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
Tracking Cookies: These cookies enable us to collect information such as number of visitors to the Site and pages visited in order to analyze user behavior. This information is collected in an anonymous format and will be collated with similar information received from other users. We use these cookies to determine the usefulness of the information we supply to you and other users, to track your purchases from this site, and to see how effective our navigation is in helping users reach that information.
If you prefer not to receive cookies through the Site, you can set your browser to warn you before accepting cookies and refuse the cookie when your browser alerts you to its presence. You also can refuse all cookies by turning them off in your browser. You do not need to have cookies turned on to use any pages within our Site. However, if you chose to not accept cookies, some functionality will be limited. For more information about cookies, including how to set your browser to reject cookies, visit www.allaboutcookies.org.
Some of the cookies we use will remain on your computer after the browser is closed. Until removed, the cookies will become active again when the Site is reopened. Cookies can be deleted by you, at any time, and will not collect any information when you are not accessing the Site.
Other Tracking Technologies
In addition to cookies, our Site also utilizes the following tracking technologies:
• Embedded script: An embedded script is programming code that is designed to collect information about your interactions with the Site, such as the links you click on. The code is temporarily downloaded onto your device from our web server or a third-party service provider, is active only while you are connected to the Site and is deactivated or deleted thereafter. We use web embedded scripts to understand aggregate traffic to our website pages.
• Web server & application logs: Our servers automatically collect certain information to help us administer and protect the services we provide, analyze usage, and improve users’ experience. The information collected includes the following:
- IP address and browser type;
- Device operating system and other technical facts;
- The city, state and country from which you access the Website;
- Pages visited, and content viewed and stored;
- Information or text entered;
- Links and buttons clicked (i.e., IP address information such as the referring and destination URL).
Crystal Cruises, LLC
Update Ver. 01.09.20