Overview
The protection of personal data and the responsible handling of information that you entrust to us are important and special concerns for us. AIDA Cruises processes personal data only in accordance with the respective legal regulations. These are, in particular, the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). With this privacy notice, we inform you about how, to what extent, and for what purposes we process personal data when you use the AIDA website (including the career portal). In addition, we will also provide you with some basic information on data processing in the event that you book a cruise, apply for a job or if you contact us on business.
1. Controller in the sense of Data Protection Law
AIDA Cruises - German Branch of Costa Crociere S.p.A.
Am Strande 3d, 18055 Rostock, Germany
Tel: +49 381 20 27 06 00
Fax: +49 381 20 27 06 01
Email: info@aida.de
2. Contact Details of the Data Protection Officer
E-Mail: datenschutz@aida.de
Mail: AIDA Cruises, Data Protection Officer, Am Strande 3d, 18055 Rostock, Germany
Representation in Switzerland
Email: datarep@flyinglawyers.ch
Mail: FlyingLawyers, attn. Sophie Winkler, Weinbergstrasse 22, 8001 Zurich, Switzerland
3. Processing of your Personal Data
The subject of data protection is personal data. This is information that can be related to a specific or identifiable person, such as name, address, email address and telephone number. In principle, the processing of personal data is not necessary for the use of this website. Data collection and processing will occur if you voluntarily provide your personal data. This applies to the following situations:
3.1 Booking and execution of a cruise
Legal basis: AIDA Cruises processes your data as described in this section 3.1 for the purpose of booking and executing a cruise. If you are a travel applicant or otherwise a contractual partner of the travel contract, the legal basis for this processing is generally the initiation and execution of the travel contract (see Art. 6(1)(b) GDPR or Art. 31(2) letter a Swiss Data Protection Act - DSG). Insofar as you are a (co-)traveler, but not yourself a contractual partner of the travel contract, the legal basis is basically our legitimate interest in the initiation and execution of the travel contract (see Art. 6(1) letter f GDPR or Art. 31(1) DSG). There may be other legal bases for some of the processing activities mentioned below (e.g. your consent, the fulfillment of a legal obligation or a specific legitimate interest); these are then indicated below in each case.
Collection of your data in the course of booking: AIDA Cruises receives the data of the travelers depending on the respective booking method either directly from the travelers (if they are also travel applicants), from the travel applicant (e.g., when booking via the website) or from a third party through which the booking is processed (e.g., from the travel agency commissioned by the travel applicant).
Execution of the contract: The personal data provided as part of your registration or booking, as well as other travel-related information that you enter via our MyAIDA travel portal or provide to us by other means (e.g., your contact details, information on the method of payment, and the information for the ship manifest) will be processed by us to execute the travel contract. The execution of the contract also includes customer support and the use of services on our websites, such as the travel portal MyAIDA and - if you use them - the AIDA Lounge.
Quality control/market research: We may also use the aforementioned data - with the exception of manifest data - as well as other information that you provide to us voluntarily via this website or by other means (in particular, opinion surveys and the assessment of travel services) to improve our services and for market research. We use the provider Caplena AG (Section 8) to evaluate your responses to opinion and satisfaction surveys. Profiling does not take place. Insofar as we have obtained your consent for this, the legal basis for the processing is your given consent pursuant to Art. 6(1) letter a GDPR or Art. 31(1) DSG. In addition, the legal basis for the processing is our legitimate interest pursuant to Art. 6(1)(f) GDPR or Art. 31(1) DSG in the continuous review of our quality and the consideration of the opinions and wishes of our guests in order to be able to continuously improve our offers tailored to their needs. Information on special needs - e.g. wheelchair accessible room, dietary restrictions - that you provide us with, we process exclusively on the basis of your consent.
Fellow travelers: When booking a cruise, personal data of fellow travelers may also be collected. We would therefore ask you to ensure that this data is provided with the consent of the fellow travelers. Personal data of children and adolescents (under 18 years) will be collected, stored and used exclusively for travel-related processing only.
Bookings for more than one person: When booking a cruise for a group of people, the guests on the group cruise have the option of viewing and changing information relating to the cruise through the myAIDA Vacation Portal. This methode of data collection is in line with the typical interests of travelers in joint bookings. It also serves the data protection principles of transparency (Art. 5(1)(a) GDPR) and accuracy (Art. 5(1)(d) GDPR), according to which AIDA Cruises must take appropriate measures to ensure that personal data is accurate when it is collected and can otherwise be corrected immediately. Access to myAIDA is initially secured by an initial password that each traveler can request (but only once in total); the traveler can then invite the other travelers in the booking to the myAIDA Vacation Portal. If the travelers do not want to enter data together and do not want other travelers to be able to see their data, they should make separate bookings. In this case, the data for separate bookings cannot be viewed or changed in the myAIDA Vacation Portal.
Cruises booked as a Gift: If you book a cruise as a gift for someone else and would like to surprise the recipient, please indicate this when booking. We will then endeavor to communicate the information about the booking to the person concerned as late as possible. We would like to point out, however, that we must ensure that manifest data are collected and travel documents sent in good time in order to organise the cruise and that communication with the guests is required in good time before the start of the cruise. Contact may also be necessary in special cases, such as route changes. Furthermore, AIDA Cruises is obliged to inform the data subject in accordance with Art. 14 GDPR and Art. 19 DSG that personal data has been collected as part of a booking. The processing of the personal data of the person receiving the gift serves the legitimate interest of the donor and AIDA Cruises in the performance of the contract for the service given as a gift. The legal basis is Art. 6(1)(f) GDPR and Art. 31(1) DSG.
Parking lot/parking space: If you reserve a parking lot or parking space via AIDA Cruises, the data required for this will be transmitted to the operator of the parking lot or parking space. You will receive more detailed information during the reservation process. The transmission of data takes place upon your request for the initiation and / or execution of the contract with the operator (Art. 6(1)(b) GDPR or Art. 31(2)(a) DSG).
Visas: For certain destinations, it is necessary to apply for a visa in advance (for more information, please visit the AIDA website). Insofar as we assist you with the application, we process the data required for this purpose. For example, if you wish assistance in applying for a letter of invitation as part of the visa procedure for Russia, we will transmit the information required for this (such as name and passport details) to the agency handling the contact with the authorities on the basis of the ship manifest. The legal basis for the processing is your declared consent pursuant to Art. 6(1)(a) GDPR or Art. 31(1) DSG.
Identity check: During check-in, the identity document carried is checked against the manifest data to ensure the accuracy of the information and to avoid delays in subsequent entry. The legal basis is provided by international agreements and entry regulations on checks in travel (e.g. the SOLAS Convention and Directive 2010/65/EU), maritime regulations on access control to ships (ISPS Code and Regulation (EC) No. 725/2004) and related statutory regulations on the checking of identification documents by carriers (e.g. Section 20(4) German Passport Act - PAuswG). These are legal obligations according to Art. 6 (1)(c) GDPR and Art. 31(1) DSG and the performance of tasks in the public interest by AIDA Cruises according to Art. 6(1)(e) GDPR.
In some cruise regions (e.g. Orient, Asia), AIDA Cruises is required to retain a copy of your passport upon arrival and departure as well as during shore leave. The legal basis for the processing and forwarding of the copy to the respective port authorities is your consent (Art. 6(1)(a) GDPR or Art. 31(1) DSG/Section 18(3) German PAuswG. The copies made will be deleted from AIDA Cruises’ systems immediately after the purpose has been fulfilled, but no later than five days after the end of the cruise.
Check-in photo: Furthermore, a photo of you will be taken at check-in. This serves to control access to and departure from the ship in accordance with the regulations on access control to ships mentioned in the above section "Identity Check" (legal basis according to Art. 6 (1)(c) and (e) GDPR and Art. 31(1) DSG). In addition, the check-in photo is used in the legitimate interest of AIDA Cruises and you to identify you on board when using your boarding pass – especially when making purchases - and thus prevent the misuse of boarding passes (legal basis for this processing is Art. 6(1)(f) GDPR and Art. 31(1) DSG).
In addition, the photo may be used, if necessary, in the context of exercises and emergencies to determine and ensure completeness at the sample stations. The legal basis for this processing is Art. 6(1)(f) GDPR and Art. 31(1) DSG; our legitimate interest lies in the proper and efficient implementation of mandatory emergency drills to ensure the safety of all passengers and therefore also serves your own interest.
Finally, only if you give your express consent to this, the check-in photo will be used for facial recognition as part of the "photo kiosk" in order to be able to offer you specifically those photos from the photos taken by the photo team during the cruise on which you are depicted (see the sections "Video and image recordings" and "Photo kiosk"); the legal basis for this processing is your consent (Art. 6(1)(a) GDPR).
Onboard services
shoreside excursions: If you make use of services on board or as part of the cruise, e.g. participate in excursions, we process the data required for this in each case to perform the contract for the respective service in accordance with Art. 6(1)(b) GDPR and Art. 31(2)(a) DSG. In some cases, it is necessary for tax reasons to pass on your name to the providers of transportation services for land excursions so that they can claim VAT exemptions from the responsible tax authorities; in these cases there is a legitimate interest (Art. 6(1)(f) GDPR and Art. 31(1) DSG) in passing on the data so that we can offer you the service without VAT. If you make use of medical assistance, you will be informed separately about the associated data processing. If you inform us about special restrictions before or during the cruise so that we can check the availability of services such as excursions for you or organize special assistance, the legal basis for the processing of your data is your consent under Art. 6(1)(a) GDPR or Art. 31(1) DSG.
Onboard shop: Payment in the onboard shops is made by means of the board cards; settlement is made via the board invoice. On some ships, the onboard shops are operated by a concessionaire; in these cases, AIDA Cruises and the concessionaire carry out the data processing associated with payment and billing under joint responsibility (Art. 26 GDPR). This concerns the identification and payment by means of the board card via the cash register system of the onboard shop provided by the concessionaire as well as the subsequent billing via the booking systems of AIDA Cruises. You can assert your rights regarding your personal data against AIDA Cruises at the address stated in section 2. If necessary, your request will be forwarded to the concessionaire. If you submit complaints regarding purchases from the on-board shop to AIDA Cruises, AIDA Cruises will also forward these to the concessionaire, if necessary, for reasons of competence. The legal basis for this processing is Art. 6 (1)(b) GDPR and Art. 31(2)(a) DSG.
Art purchases: Personal data from the receipts regarding purchases of art made on board are used to ship the purchased art (via the partner gallery, which can take up to 12 weeks). The legal basis is the execution of the purchase contract (Art. 6(1)(b) GDPR or Art. 31(2)(a) DSG). Furthermore, unless you explicitly exercise your right to object under Art. 21(2) GDPR or Art. 30(2)(b) DSG as described in section 12, we will keep this information for 5 years in order to send you individual purchase and art travel offers. The legal basis for this processing is our legitimate interest in individualized advertising for these services (Art. 6(1)(f) GDPR).
Audio and image recordings: During the cruise, photos as well as video and image recordings may be taken in the public areas of the ship by AIDA Cruises or on our behalf. AIDA Cruises will indicate in the daily program "AIDA Today" at which events and excursions video and image recordings will be made in addition to photos (see camera symbols in the daily program). The recordings will be made with the guest's consent and will be used as described in the terms and conditions and offered for sale to the respective guests. You will find more detailed information in our terms and conditions; we will also remind you at the beginning of the cruise to take pictures.
If you do not wish to be photographed or filmed, please inform the camera teams present or other AIDA Cruises employees. The legal basis for this processing is Art. 6(1)(a) GDPR or Art. 31(1) DSG (insofar as consent has been given under GDPR/DSG) or our legitimate interest in providing these services, taking into account your consent (Art. 6(1)(f) GDPR or Art. 31(1) DSG in conjunction with the principles of the right to one's own image).
Photo kiosk: You can purchase the photos made for sale through a photo kiosk system located on board. To simplify the selection process, you may voluntarily take a reference photo at the photo kiosk for automatic photo matching. The reference photo will be stored in the photo kiosk for the duration of the cruise and will be matched against the photos taken by the photo team based on biometric techniques to present you with the photos that are relevant to you. The reference photos, the biometric data generated from them and the non-ordered photo shots are only stored on board and deleted at the end of the cruise. Ordered photographs will be retained for three months after the end of the cruise for the purpose of processing warranty claims. The taking of a reference photo is voluntary, a purchase of the travel photos is also possible without this procedure. The legal basis for the processing of the reference photo and biometric matching is Art. 6(1)(a) GDPR and Art. 31(1) DSG. The legal basis for the processing of the data in all other respects is our legitimate interest in offering photo shoots (Art. 6(1)(f) GDPR or Art. 31(1) DSG) or the execution of a purchase contract concluded with you, if applicable, or the initiation of such a purchase contract (Art. 6(1)(b) GDPR or Art. 31(2)(a) DSG).
Casino: The casinos on our ships are operated by Carnival Corporation, which is responsible for related data processing. When you use a casino, personal data may be transferred to the United States for fraud and money laundering control purposes and to improve the service offered. For more information, please refer to the Global Casino Operations Privacy Policy.
Video surveillance (CCTV): We use video surveillance systems (CCTV) to ensure access control and public safety at various facilities, including ships. The monitoring is limited to public areas that are marked. The legal basis for the processing is legitimate interests according to Art. 6(1)(f) GDPR and Art. 31(1) DSG. The legitimate interest of AIDA Cruises for the use of video surveillance is access control, protection of property of guests, the company, AIDA employees and public safety. On the ships, the use also serves to prevent incidents, support rescue operations, and generally maintain safety and order within the framework of maritime law. Video recordings are only evaluated by specially authorized persons, only insofar as this is necessary for the stated purposes and this is in accordance with labor and data protection law. The recordings may be made or evaluated by a security service (processor). They will be deleted within the period specified in each case (this is a maximum of 14 days for ships), unless they are needed to clarify incidents, e.g. for criminal or civil prosecution. Insofar as recordings are required for evidentiary purposes, they may be passed on to competent authorities, courts or other involved parties within the scope of a statutory duty to provide information or if there is an overriding legitimate interest. The legal basis for this is either a legitimate interest in clarifying and enforcing legal claims (Art. 6(1)(f) GDPR) or a statutory duty to provide information to the requesting authorities (Art. 6(1)(c) GDPR in conjunction with the respective procedural regulations).
Travel Security Fund: As a tour operator, we are legally required under Section 651r of the German Civil Code (BGB) to take out an insolvency insurance policy with Deutsche Reisesicherungsfond GmbH. In the event of a claim, the Travel Protection Fund requires essential information about your trip in order to fulfill its obligations. Therefore, in the event of a claim, we will provide the Deutsche Resesicherungsfond GmbH with your master data, your booking or trip data, your flight data and transfer data, as well as any information required in the event of repatriation. This data is transmitted to Deutsche Reisesicherungsfonds GmbH (Sächsische Straße 1, 10707 Berlin, e-mail: kontakt@drsf.reise, website: www.drsf.reise). Deutsche Reisesicherungsfonds GmbH is an independent controller under data protection law. Information pursuant to Art. 14 GDPR on data processing by Deutsche Reisesicherungsfonds GmbH can be found at this link.
3.2 Ship visits
AIDA Cruises offers you the opportunity to discover cruise ships as part of a day visit. The safety regulations under maritime law, including the regulations on the safety of port facilities, also apply to this. Therefore, we collect the necessary identification and manifest data (passport/ID card data, name, date of birth, nationality and gender) from all day visitors - be they guests, employees or their relatives, technicians or other third parties. This information is processed on the ship by the responsible employees and, to the extent required by law, passed on to the respective competent authorities (e.g. port authority, harbor master's office) and deleted after 30 days. The legal bases for the processing and transfer are Art. 6(1)(c) and (e) GDPR and Art. 31(1) DSG in conjunction with the respective maritime and port regulations.
3.3 Purchase of vouchers and gifts for third parties
If you purchase vouchers or gifts for third parties that are to be personalized or delivered directly to them, then we may collect and process the email and/or postal address of the third parties for this purpose in accordance with your order. In this case, please ensure that it is assumed that the recipient agrees to the use of his email or postal address for this purpose. The processing of the personal data of the person receiving the gift serves the legitimate interest of the donor and AIDA Cruises in the initiation and execution of the contract for the service given as a gift. The legal basis is Art 6(1)(f) GDPR and Art. 31(1) DSG.
3.4 Marketing you may object to
If you have booked a cruise with AIDA Cruises and have not objected to receiving advertising, we will use your email address to inform you about similar offers from us. Likewise, in the event of a booking or if you participate in a competition organized by AIDA Cruises, we will use your postal address to send you our own product information and individually optimized travel offers, unless you have objected to this. The legal basis for the processing is Art. 6(1)(f) GDPR and Art. 31(1) DSG. Our legitimate interest lies in the dissemination of our offers to our guests and the promotion of customer loyalty, including through competitions. You can object to the use of your email address and/or postal address for advertising purposes at any time, as described in section 12 of this privacy notice and at the end of each newsletter. In addition, you can object in the same way to the storage and use of your information on art purchases on board for advertising purposes (see section 3.1).
3.5 Advertising to which you have consented (e.g. subscription to the e-mail newsletter)
If you would like to receive our newsletter and register for it, we need a working email address assigned to you, which allows us to check that you are the owner of the specified email address. For personalization we ask you for salutation and name. Our newsletter offer is aimed at persons over 18 years of age, so we also ask for the age information. The same applies if you give us permission to contact you by telephone for advertising purposes. The legal basis for the processing is your consent (Art. 6(1)(a) GDPR or Art. 31(1) DSG). You can revoke your consent to the storage of the email address or telephone number and the other personal data you have provided and to their use for advertising purposes at any time with effect for the future (see section 12).
3.6 Marketing by other brands of the Carnival group of companies
When we ask for your consent to send you advertising, we may also ask to share your information with other members of the Carnival group of companies, of which we are a part, so that they may send you information about their cruise products and offerings. These are the following companies, whose brands are indicated in parentheses in each case:
- Carnival Corporation (Carnival Cruise Line)
- Carnival PLC (P&O, Cunard, Princess Asia)
- Costa Crociere S.p.A. (AIDA Cruises and Costa Cruises)
- Holland America Line N.V., general partner of Cruiseport Curacao C.V. (Holland America Line and Seabourn)
- Princess Cruise Lines, Ltd (Princess, Alaska, P&O Australia and Cunard)
- SeaVacations Limited (CCL business in UK)
The legal basis for the processing of your data for advertising purposes by the aforementioned companies is your given consent pursuant to Art. 6(1)(a) GDPR and Art. 31(1) DSG. You can withdraw your consent to advertising any time directly to the respective companies with effect for the future. You can also declare the revocation to AIDA Cruises (see section 12), we will then forward this to the company(ies) concerned.
4. Processing of Data when using the Career Portal and in the Case of an Application
4.1 Submitting a job application
If you decide to apply via our career portal, we ask you to provide personal details (in particular salutation, title, name, postal address, age, nationality), contact details (email and mobile number) and your earliest possible availability. This information is required for an application. Optionally, you can indicate your salary expectations and, in case you are willing to participate in a Microsoft Teams or Skype interview, your account name.
To complete your application, you must go to the "Your Application" tab and upload your resume and relevant certifications. You can also add a cover letter and a photo. If you want to provide relevant links to websites to support your application and give us the opportunity to get to know you better, you can also provide links, e.g. to your website, YouTube channel or profile on XING, LinkedIn, Facebook or Instagram. In this case, we visit the website and consider the information for the application process, if applicable.
Before you submit your application, you can view a summary of all the information you have provided under the "Summary" tab.
You can also apply to us by other means, such as email.
All of the data you provide for the application will be used by us exclusively for the application process. The legal basis in the case of applications for employment relationships under German law is Section 26(1) sentence 1 German Federal Data Protection Act (BDSG).
If your application is successful and we enter into an employment relationship with you, we will include the application data in the personnel file. Otherwise, we will delete it six months after completion of the application process (unless you consent to be included in the applicant pool, see 4.3). Only your name and date of birth will be stored for up to two years; the legal basis for this is our legitimate interest in being able to recognize you in the event of repeated applications (Art. 6(1)(f) GDPR).
You can also voluntarily tell us where you heard about our job offer; we use this information within the scope of our legitimate interest (Art. 6(1)(f) GDPR) for internal administrative purposes to optimize the advertising of our jobs.
4.2 Video interviews
If you are willing to be interviewed via Microsoft Teams or Skype, you can provide us with your Microsoft Teams and Skype account name. Please note that the Microsoft Teams and Skype services are provided by Microsoft Inc. Information on data protection at Microsoft can be found here. We do not record Microsoft Teams or Skype interviews. The legal basis for the processing is the processing for the decision on the establishment of an employment relationship (Section 26(1) sentence 1 BDSG).
If applicable, we may also invite you to a live or recorded interview with another provider (such as Cammio B.V. in Voorschoten, Willem de Zwijgerlaan 68, 2252VS, The Netherlands). In this case, we will ask you separately for your consent to the data processing associated with such an interview. The legal basis for the processing is your voluntary consent pursuant to Art. 6(1)(a) GDPR or Art. 31(1) DSG.
Please note, that there will be no negative impact on your application if you are not available for a video interview.
4.3 Applicant pool
With your consent, we offer to include your application in our applicant pool. This can be helpful if we are currently unable to offer you a position or none of the open positions fit your profile. If you agree to the inclusion of your application in the pool, we will contact you as soon as a suitable vacancy becomes available.
We will store your information in the applicant pool for a maximum of twelve months.
The legal basis for the processing is your consent pursuant to Art. 6(1)(a) GDPR and Art. 31(1) DSG. You can revoke your consent at any time with effect for the future by sending an email to career@aida.de. In this case, we will delete your application from the pool.
5. Processing of your Data when you contact us for Business Purposes
If you contact us as an interested party, supplier, service provider or other business partner, we process their personal data to process your inquiry (legitimate interest under Art. 6(1)(f) GDPR or Art. 31(1) DSG), to initiate or carry out the respective transaction (Art. 6(1)(b) GDPR or Art. 31(2)(a) DSG) and, if necessary, retain the data within the scope of legal retention obligations (based on legal obligations under Art. 6(1)(c) GDPR). The same applies if you are an employee of an interested party, supplier, service provider or other business partner and we receive your data in this context; the legal basis in this case is our legitimate interest in initiating or conducting the business relationship with your employer (Art. 6(1)(f) GDPR or Art. 31(1) DSG).
6. Automatic Collection and Processing of Data when visiting the Website
6.1 Data processing to enable website use
When you visit our website, we collect the data necessary to enable you to use it (usage data). This includes your IP address and data about the beginning, end and subject of your use of the website as well as, if applicable, data for identification purposes (e.g. your login data if you log into a secure area such as in the MyAIDA travel portal or in the AIDA Lounge). In addition, this includes technical data transmitted by your browser, such as browser type, previously visited website (referrer URL), monitor resolution, etc. This data is used for the provision and needs-based design of the service. They are generally deleted as soon as they are no longer required.
6.2 Social Media Wall (Walls.io)
Our website uses plugins from Walls.io to display so-called "social media walls". When you visit these plugins, no information is sent to the social media service providers (such as Facebook, Twitter, etc.) whose messages are displayed on the social media wall. Only the IP address of your Internet connection and session cookie information is sent to Walls.io. Walls.io is operated by Walls.io GmbH in Vienna, Austria. Processing the IP address and the session cookie information is necessary to display the social media wall. The session cookie information is only used to verify that the website user is logged in as an administrator for the social wall. Dor more information about Walls.io GmbH’s data processing practices, please see its privacy policy at https://walls.io/privacy.
6.3 Use of cookies and other tracking technologies
When you visit our website, we display a "cookie banner" to inform you that we use cookies and other tracking technologies to improve the user experience on our website and for the purposes of web analytics and interest-based advertising.
The associated data processing is described in detail in the following information. Via the cookie banner you can choose whether you want to use the website only with the technically necessary cookies or whether you give your consent so that we can also use cookies and similar tracking technologies for statistical purposes, to improve the website and for marketing (for details see our cookie information).
You can withdraw this consent in whole or in part at any time with effect for the future. To do this, you can call up the cookie banner again at any time via the link below.
Google Tag Management
We use the Google Tag Manager. It is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is a tool that enables us to integrate tracking or statistical tools and other technologies on our website. The Google Tag Manager itself does not create any user profiles, store any cookies, or perform any independent analysis. It is used only to manage and display the tools it integrates. However, the Google Tag Manager does record your IP address, which may also be transmitted to Google's parent company in the United States (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). This parent company is certified under the EU-U.S. Data Privacy Framework to ensure an adequate level of protection for this data transfer in accordance with Art. 45 GDPR and the decision of the EU Commission of 10.07.2023 (C(2023) 4745). We also have concluded a data processing agreement with Google. The Google Tag Manager is used on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the fast and easy integration and management of various tools on its website. If consent for the use of certain tools has been requested and granted, the associated processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and Section 25(1) German Telecommunications Digital Services Data Protection Act (TTDSG), insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) in the sense of the TTDSG. Consent can be revoked at any time; for revocation, see the "Cookie settings" section.
Adobe Tag Management
We use the Adobe Tag Manager. It is provided by Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland. Adobe Tag Manager is a tool that allows us to integrate tracking or statistical tools and other technologies into our website. The Adobe Tag Manager itself does not create any user profiles, store cookies, or perform any independent analysis. It is used only to manage and display the tools it integrates. However, Adobe Tag Manager does record your IP address, which may also be transmitted to Adobe Inc. in the United States (Adobe Inc, 345 Park Avenue San Jose, CA 95110-2704, USA). This company is certified under the EU-U.S. Data Privacy Framework to ensure an adequate level of protection for this data transfer in accordance with Art. 45 GDPR and the decision of the EU Commission of 10.07.2023 (C(2023) 4745). We also have concluded a data processing agreement with Adobe. The Adobe Tag Manager is used on the basis of Art. 6 (1)(f) GDPR. The website operator has a legitimate interest in the quick and easy integration and management of various tools on its website. If consent has been requested and granted for the use of certain tools, the associated processing is carried out solely on the basis of Art. 6(1)(a) GDPR and Section 25(1) German Telecommunications Digital Services Data Protection Act (TTDSG), insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time; for revocation, see the "Cookie settings" section.
Web Tracking and Analysis for Advertising and Market Research Purposes
AIDA Cruises also uses web tracking systems for advertising and market research purposes and to make your use of our website as pleasant as possible. Data about the use of our website is stored if you have given your consent. This enables us to further develop our website and tailor the content even better to your needs. The usage profiles are also used for retargeting. This enables AIDA Cruises to place interesting offers on other websites that you visit and to send you customized offers.
The legal basis for the processing is your consent given via the cookie banner (Art. 6(1)(a) GDPR). You can revoke your consent to the storage of these cookies at any time with effect for the future. To do this, call up your cookie settings in the cookie banner.
Browser settings about cookies
Most browsers are set to accept cookies automatically. You can deactivate the storage of cookies in your browser and also have the option to delete them from your hard drive at any time. We would like to point out that the use of our offers on the website without cookies is only possible to a limited extent. In particular, the booking of a cruise is generally not feasible without cookies, as they are required to verify the booking data.
However, you can also use your browser to prevent only certain cookies from being set (e.g. third-party cookies), for example if you want to prevent web tracking. You can find more information on this in the help function of your browser.
Cookie Settings
Click the following button to adjust your cookie settings: Change cookie settings
Cookie List
Facebook Pixel, Facebook Conversion API
If you consent to the use of marketing cookies via our cookie banner, we use the technologies "Facebook Pixel" and "Facebook Conversion API" on our website. The provider of these services is Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland ("Meta"), which operates, among other things, the social network Facebook.
The Facebook pixel is a piece of JavaScript code on our website that establishes a connection to Meta's servers and enables Meta to record your interactions with our website in order to improve advertising performance on Facebook and display advertisements tailored to your user behavior. In particular, the time of access, the web pages accessed, your IP address, device information and your user agent and, if applicable, other specific data (e.g. trips purchased, product pages visited, shopping cart values) are recorded.
The Facebook Conversion API enables us to transfer the aforementioned information directly to Meta without the Facebook pixel. We only use the Facebook Conversion API to transfer data to Meta that Meta otherwise collects via the Facebook pixel. We do not transmit any direct identifiers such as your name or contact details.
The use of these Meta services is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG or Art. 31 para. 1 DSG. Consent can be withdrawn at any time (to do so, go to the cookie settings under section 6.3 and deactivate the marketing cookies).
Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Meta, we and Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its transfer to Meta. The processing carried out by Meta after forwarding is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in a joint processing agreement. The text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the data protection information when using the Facebook tool and for the secure implementation of the tool on our website in accordance with data protection law. Meta is responsible for the data security of the Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Meta directly with Meta. If you assert data subject rights with us in this regard, we are obliged to forward this to Meta.
According to Meta, the data collected is also transferred to the USA and other third countries. This data transfer is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.
In Meta's privacy policy, you will find further information on the processing of your data by Meta and the protection of your privacy: https://www.facebook.com/privacy/center.
7. Data Collection by Third-Party Providers / Social Networks
Our website contains links to social networks (e.g. Facebook, XING, Google Plus, LinkedIn, Twitter). These social networks are operated exclusively by third parties. If you follow the links, information may be transmitted to these third parties. The purpose and scope of the data collection by the social networks as well as the further processing and use of your data there as well as your rights in this regard and setting options for protecting your privacy can be found in the respective data protection notices of the operators. You can find these for the providers mentioned via the following links:
8. Transfer of Personal Data to Third Parties
We only pass on the data mentioned in section 3.1 insofar as this is necessary for the provision of the travel service, including invoicing, or is required by law in this context (see Art. 6 (1)(a) and (c) GDPR and Art. 31(1) DSG). For example, we may pass on data on flight bookings to the respective airline (within the framework of the legal requirements regarding passenger data applicable to the respective destination country). This also includes the airline VUELING AIRLINES, S.A. Information on data protection at VUELING AIRLINES S.A can be found here. In addition, we pass on the data from the ship manifest to the respective competent authorities in the ports of call on your cruise; this is based on maritime law requirements (e.g. Directive 2010/65/EU as well as the SOLAS Convention). In this respect, the information for the ship manifest is basically necessary for the fulfillment of the contract; voluntary information is marked as such. If you book through an agency, we may provide the information as to whether you are a new customer to the agency for the purpose of checking the commission statement; this is based on our legitimate interest in commission agreements as a sales measure (Art. 6 (1)(f) GDPR or Art. 31(1) DSG).
Within the scope of the purposes stated in sections 3.1-3.5, the data mentioned there will be forwarded to service providers who work for us and support us in particular in the provision of services (e.g. the port agencies in the respective ports of call and IT service providers). This also includes our internal group call center (AIDA Kundencenter GmbH, Am Strande 4, 18055 Rostock, Germany) and our internal group service provider for ship operations (Carnival Maritime GmbH, Großer Grasbrook 9, 20457 Hamburg, Germany). For opinion and satisfaction surveys (section 3.1), we use the provider Caplena AG, Zweierstrasse 165, 8003 Zurich to evaluate your responses (processor). The data described in section 4 is processed on our behalf by d.vinci HR-Systems GmbH, Nagelsweg 37-39, 20097 Hamburg, Germany, to provide the career portal and support our application process; data from resumes in applications may be temporarily processed and prepared on our behalf by Textkernel BV, Niewendammerkade 28/a17, 1022 AB, Amsterdam, The Netherlands.
In the case of ship visits, your data will be passed on to the service provider used to organize the ship visits. In addition to their legal obligation to ensure that we comply with all data protection regulations, these service providers are bound by further contractual data protection requirements. As a rule, this includes an obligation as a processor pursuant to Art. 28 para. 3 GDPR and Art. 9(1) DSG.
As a tour operator, we are required by law (Section 651r BGB) to take out an insurance policy with Deutsche Reisesicherungsfonds GmbH (“Travel Protection Fund”), Sächsische Straße 1, 10707 Berlin, e-mail: kontakt@drsf.reise, website: www.drsf.reise, in the event of insolvency. Therefore, in the event of a claim, we will provide the Travel Protection Fund with your master data, your booking or trip data, your flight data and transfer data, as well as all information required for repatriation. The Travel Protection Fund is the controller under data protection law. The transfer of your personal data to the Travel Protection Fund is carried out to fulfill a legal obligation (Art. 6(1)(c) GDPR or Art. 31(1) DSG). You can find out more about the processing of your data by the Travel Protection Fund at https://drsf.reise/datenschutz.
Apart from that, we only transfer personal data to third parties if this is permitted by law or if you have given your prior consent. You can withdraw the consent you may have given at any time with effect for the future. We will only pass on your data to state authorities within the scope of legal obligations or on the basis of an official order or court decision and only to the extent that this is permitted under data protection law.
9. Payment by Credit Card
When you register your credit card as a means of payment for the on-board invoice (either in your myAIDA account before the departure of the trip or on board the ship at the terminals), your personal data is transmitted directly to the payment service provider Papagena Kartenvertriebs GmbH, Mehringdamm 33, 10961 Berlin. As a technical service provider, Papagena Kartenvertriebs GmbH uses the “Paygate” application from Computop Wirtschaftsinformatik GmbH, Schwarzenbergstr. 4 D-96050 Bamberg. Computop Wirtschaftsinformatik GmbH provides in particular the input mask in which you enter your credit card data. In addition, we use Concardis GmbH, Helfmann-Park 7, 65760 Eschborn, Germany, as a so-called acquirer. The task of Concardis GmbH is to process the payment transfer between your credit card provider, your bank and us.
If you make purchases on board (e.g. in the galleries) and use your EC or credit card for payment, your card data will be read from the payment terminal of your card by Computop Wirtschaftsinformatik GmbH in Point-2-Point encrypted form and transmitted to Concardis GmbH as acquirer, which processes the payment transfer.
If you book excursions or other services via the myAIDA portal, your card data will be transmitted to the acquirer and payment service provider Worldpay B.V., De Entree 248, 1101 EE Amsterdam.
The privacy policy of Papagena Kartenvertriebs GmbH can be found at https://papagena.de/datenschutz/
The privacy policy of Computop Wirtschaftsinformatik GmbH can be found at https://www.computop.com/de/datenschutz/
The privacy policy of Concardis GmbH can be found at https://www.concardis.com/fileadmin/redakteur/Dokumente/Datenschutz/DE_DE_Datenschutz_Information_DSGVO_fuerKarteninhaber.pdf
The privacy policy of Worldpay B.V. can be found at https://www.fisglobal.com/en/privacy.
AIDA Cruises does not store or otherwise process your credit card data, but only receives information on whether open items/invoices have been paid. The legal basis for the use of the above-mentioned providers is Article 6(1)(f) GDPR, namely the legitimate interest of AIDA Cruises in offering payment by credit card to its own customers. The basis for the processing of payment information is Article 6(1)(b) GDPR. The data processing takes place in the context of contract fulfillment.
10. Transfer of Personal Data to Countries outside the EU and Switzerland
As far as necessary for our purposes stated in this privacy notice, we may also transfer your data to recipients outside Switzerland and the EU. This is particularly the case if we have to transfer this data to recipients in ports or countries that are called at as part of a cruise you have booked (e.g., manifest data to local immigration authorities; passenger data to airlines for feeder flights) as part of the processing of the contract or due to legal requirements. In particular, you should expect that your data will be transferred to all countries in which AIDA Cruise or the Carnival group of companies is represented by subsidiaries, branches or other offices, as well as to other countries in Europe, the USA and worldwide where the service providers used by AIDA Cruise are located. Otherwise, we only transfer data to third countries if it is ensured that the recipient of the data guarantees an adequate level of data protection within the meaning of Chapter V of the GDPR or Art. 16 DSG and no other interests worthy of protection speak against the transfer of data. To ensure an adequate level of protection at the recipient of the data, we use in particular the EU Commission's standard contractual clauses for the transfer of personal data to third countries.
We do not transfer any data to recipients outside Switzerland, the EU or the EEA for the purposes described in Section 4. However, if you are based outside Switzerland or the EU and are applying for a position on a ship, we may recommend that you contact a local agency.
11. Deletion of Personal Data
Application data will be deleted as described in Section 4. The pseudonymous user profiles created using Google Analytics (see 5.3.1) are automatically deleted 38 months after the last information was added to the profile. In all other respects, we delete your personal data as soon as it is no longer required for the purposes pursued with the processing and insofar as there are no statutory retention obligations to the contrary. German law - in particular commercial and tax law - contains retention periods of six years (for business letters in any form, e.g. booking requests) and of 10 years (for accounting-related transactions).
12. Data Security
AIDA Cruises has taken adequate technical and organizational measures to protect the personal data you have provided against loss, destruction, manipulation and unauthorized access. All our employees and all persons involved in data processing are obliged to comply with the GDPR, the BDSG, the DSG and other laws relevant to data protection and to handle personal data confidentially. Our employees are trained accordingly. Both internal and external audits ensure compliance with all data protection-relevant processes at AIDA Cruises.
To protect the personal data of our users, we use a secure online transmission method, the so-called "Secure Socket Layer" (SSL) transmission. You can recognize this by the fact that an "s" is appended to the address component http:// ("https://") or a green, closed lock symbol is displayed in the browser. Clicking on the symbol provides you with information about the SSL certificate used. The display of the symbol depends on the browser version you are using. SSL encryption ensures the secure and complete transmission of your data. The SSL connection we use has been certified by the company GeoTrust with regard to its security and confidentiality.
13. Your Rights
Basically, you can request information free of charge about the data stored about you by AIDA Cruises and - insofar as the legal requirements are met - demand its correction, deletion and the restriction of the processing of this data. Insofar as AIDA Cruises processes your data for the pursuit of legitimate interests, in particular for the purpose of advertising, you may exercise your right to object. Whether and to what extent these rights exist in individual cases and which conditions apply to them are determined by law (until May 25, 2018 from the BDSG, from May 25, 2018 also from the GDPR and from September 1, 2023 from the DSG). The GDPR and the DSG also grants you a right to data portability under certain circumstances. Insofar as you have given your consent under data protection law, you may withdraw this consent at any time with effect for the future.
To exercise these rights and for other questions regarding data protection, please contact our data protection officer (see section 2 or, if you are based in Switzerland, you can also contact our Swiss representative)). In order to process your request quickly, we recommend that you provide us with your surname, first name, date of birth and, if available, your email address and, in the event of an objection after receiving advertising, send us a copy of the advertising material.
You also have the right to file a complaint to the competent data protection supervisory authority. However, if you have any questions or complaints regarding data protection at AIDA Cruises, we recommend that you first contact our data protection officer.
14. No Automated Individual Case Decision
We do not use your personal data for automated individual case decisions within the meaning of Art. 22(1) GDPR or Art. 21 DSG.
15. Links to other Websites
The online offer of AIDA Cruises contains links to other websites. Please note that the AIDA Cruises privacy notice does not apply to these other websites.
16. Modification of this Privacy Notice
New legal requirements, business decisions or adaptations to technical developments may require changes to our privacy notice. The privacy notice will then be adapted accordingly. You will always find the latest version on our website.
Status: July 2024