§ 1 - INTRODUCTION
The protection of your personal data is very important to us, Scandlines Danmark ApS, Scandlines Gedser – Rostock ApS, Scandlines Catering ApS, Scandlines Deutschland GmbH, Scandlines Bordershop Rostock GmbH and Scandlines Bordershop Puttgarden GmbH (hereinafter “Scandlines”). Scandlines has therefore taken steps to ensure the protection of your personal data and to comply with applicable data protection laws, including the EU Data Protection Regulation (“GDPR”). Each reference to the EU Data Protection Regulation shall also be understood as reference to the national data protection laws, as applicable.
Scandlines is the data controller with respect to processing your personal data, i.e. in case you enter into an agreement, your respective contract partner; and in case you visit one of our websites, the stated operator of the website; as well as for the SMILE-program, Scandlines Danmark ApS. You can find contact details for Scandlines at the bottom of this page. For Scandlines Deutschland GmbH, Scandlines Bordershop Puttgarden GmbH and Scandlines Bordershop Rostock GmbH, an external data protection officer is appointed. These contact details can also be found at the bottom of this page.
This data protection statement specifies which personal data will be collected when you order tickets or other services, sign up for Scandlines’ loyalty program, SMILE, and when you use the websites we operate within Scandlines. As of 15 February 2022, we operate the following websites: scandlines.dk, scandlines.de, scandlines.com, scandlines.se, scandlines.pl, scandlines-freight.com, bordershop.com (hereinafter referred to jointly as the “website”).
This data protection statement also specifies the purposes for which your personal data will be processed and explains the rights to which you are entitled in this respect. Personal data are any individual details about the personal or factual circumstances of an identified or identifiable natural person. This includes, for example, name, address, telephone number and e-mail address, IP address and any other data, which can be traced back to you.
§ 2 - COLLECTION AND USE OF DATA
Ordering tickets and other services
When you order a ticket or another service with Scandlines, we may receive certain personal data from you. These data may comprise:
- E-mail address
- Telephone number
- Postal address
- Details about your purchase (such as the quality and quantity of what you bought, when you bought it, etc.)
- Information on whether you require special assistance in receiving our services
- Number plate (if you choose to use the number plate as (payment-) identifier).
These data are exclusively used in order to fulfill our contract with you (cf. article 6 (1) b GDPR) and will be deleted once the reciprocal rights and obligations under this agreement have become time-barred and our legal obligations to retain these data have ended (cf. article 6 (1) c GDPR).
Use of website
Every time the website is accessed, your browser will transfer the following information to us for technical reasons:
- the page from which the file was requested,
- the name and the directory in which the file can be found,
- the date and time of the request,
- the amount of data transferred,
- the access status (transfer file, file not found, etc.),
- a description of the type of web browser used,
- the client IP address.
This data will only be used to enable the technical operation of the website and evaluated by us exclusively for statistical purposes. This use is justified under article 6 (1) f GDPR as it is necessary for fulfilling our legitimate interest in providing, operating and improving the website. This information will not be stored in a manner that relates to a particular person and it will not be combined with other data sources. Your IP address will be promptly deleted following your visit to our website.
If there is the possibility of entering personal data on our website (as specified in § 4) in particular for ordering tickets, other services or general inquiries, you can do this on a voluntary basis. Scandlines will only use your personal data to fulfil the respective purpose, i.e. the fulfilment of the contractual relationship (cf. article 6 (1) b GDPR) or to provide requested information (cf. article 6 (1) b or f GDPR), unless you have granted us your separate explicit consent for more far-reaching use of the data.
Browsing Behavior
Data regarding your browsing behavior on websites within Scandlines is tracked via cookies and pixels. Scandlines will obtain your consent before using cookies to trace your behavior on its websites.
To get further information about the use of cookies and pixels, please see our cookie policy.
§ 3 - SMILE PROGRAM
This section gives you information about your personal data as a member of the SMILE program.
The SMILE program is provided by Scandlines Danmark ApS, Havneholmen 25, 8th floor, DK-1561 Copenhagen V, Denmark.
Scandlines Danmark ApS is responsible for the handling of your personal data within the SMILE program and that the handling is being done in accordance with the relevant and applicable mandatory rules regarding protection of personal data. Scandlines Danmark ApS is the data controller according to the applicable rules on protection of personal data, including the GDPR.
By becoming a member of the SMILE program, we will process the following data:
The categories of personal data we process
Scandlines processes the following categories of non-sensitive personal data about you:
- Contact details (such as name, email, home address)
- Travel frequencies
- Browsing behavior (provided that we have obtained your prior consent)
- Purchase history made via your SMILE card (price, location and number of products)
- Your communication history with Scandlines.
The Purposes and legal basis for processing your personal data
Application and Purchases
Scandlines will register and use the data that is required in the SMILE application form. In the SMILE application form you will be asked to provide your name, your e-mail address, your home address, your telephone number and your travel frequencies.
Scandlines will register and use data regarding your purchases (price, location and number of products) made via your SMILE card.
Scandlines processes the abovementioned personal data in order to fulfil its obligation towards you, namely creating an account for you and calculating your SMILE points. The legal basis for this processing follows from article 6 (1) b GDPR.
Furthermore, answers to questions from Scandlines related to your purchases and other information you may provide to Scandlines in relation to purchases will be registered and used to update Scandlines’ knowledge on customer preferences enabling Scandlines to follow its legitimate purposes in providing better service to you including targeted marketing towards you.
The legal basis for this processing is the balancing of interest rule, cf. article 6 (1) f GDPR. Please note that you have the right to object to Scandlines’ processing of your personal data based on the balancing of interest rule and for the purposes of direct marketing. See “YOUR RIGHTS” below.
Newsletter
During the SMILE registration process, you can give a separate explicit consent that allows us to use your personal data to send you newsletters via e-mail. These newsletters will contain, inter alia, tips on travel, information regarding new products and new advantages and invitations to participate in competitions. The content of the newsletter is based on the information we have collected in your customer account. If you hereafter decide to opt out of receiving electronic communication, you will only receive two annual service emails from SMILE stating your point balance and information on the expiry date of your points.
The legal basis for processing your personal data to send newsletters is therefore your consent, cf. article 6 (1) a GDPR. Your rights in respect of this are further described below under Sec. 12.
SMILE Marketing
Scandlines will use your personal data for marketing of our products and services and for conducting questionnaire surveys.
In this regard, your personal data may be shared with social media operators (such as Facebook) for the sole purpose of marketing of products and services from Scandlines via these social media.
The legal basis for this processing is your explicit consent, article 6 (1) a GDPR. Your rights in respect of this are further described below under Sec. 12.
§ 4 – MARKETING IN GENERAL AND CUSTOMER SATISFACTION / CUSTOMER FEEDBACK
For marketing outside our SMILE loyalty program, we may from time to time send out marketing material based on general customer data (address data) we may have obtained from a third party. In this case, the use of your personal data is justified by the legitimate interests in marketing our products and services, article 6 (1) f GDPR. At any time, though, you have the right to object to our marketing or demand deletion of your personal data from any of our marketing data bases as well as any other right mentioned in this data protection statement.
As a part of Scandlines’ customer satisfaction program, we will, from time to time, send out a customer satisfaction survey or an invitation to give customer feedback, both based on general customer data. In this case, the use of your personal data is justified by the legitimate interest in improving our products and services, article 6 (1) f GDPR.
§ 5 – COMPETITIONS
In this section, you will find further information on how we process your personal data, if you participate in a competition we arrange.
We will process the following categories of personal data:
- Contact data (such as name, e-mail, address, phone number) and
- Correspondence with Scandlines, if any.
The purpose of the processing is to draw a winner of the competition and contact the winner.
Scandlines registers and processes the above personal data based on your and Scandlines’ legitimate interests, article 6 (1) f GDPR, in particular in order to be able to contact you, or, depending on the competition conditions, publish your name, in case you have won the competition.
§ 6 - RECIPIENTS OF YOUR PERSONAL DATA, JOINT DATA CONTROLLING
Scandlines shares your personal data with companies within the Scandlines group (i.e. the companies mentioned in section 1 above) for the abovementioned purposes, including allocating SMILE points based on your purchases made in one of the Scandlines companies.
Scandlines may also share your data with other cooperation partners, if this is necessary with regard to the performance of a contract you have entered into (for example, we will share the data on your number plate with the Oresund Bridge if you have chosen to use the number plate as (payment-) identifier).
Scandlines may also share your personal data with social media such as Facebook for the purposes of marketing via these media and from time to time act as joint data controller with social media providers, e.g. when arranging for competitions (cf. § 5), or in order to show personalized advertisements (cf. § 3). In this case, Scandlines has entered into a joint controller agreement with the social media providers. For Facebook, you can see the agreement under https://www.facebook.com/legal/controller_addendum. When Scandlines acts as joint data controller, all rights described in this data protection statement fully apply also to this data processing.
Scandlines may also engage third parties to store and process your personal data on our behalf, e.g. hosting providers, conducting surveys, and Google Analytics (see also § 10 below). Such recipients are data processors pursuant to applicable data protection laws and may only process your personal data in accordance with documented instructions from us. Scandlines has ensured that such third parties have implemented the necessary safety measures in order to protect your personal data.
In case of requests by authorities or courts, we can also forward your personal data to these, as far as this is necessary for compliance with our legal obligations, Art. 6 (1) c GDPR.
§ 7 - TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EEA
Scandlines makes use of third party data hosting companies located outside of EU and the EEA, e.g. in the USA, to store and process your personal data collected by us.
All data transfers to such third parties will be subject to a written contract between us and the third party in question to ensure full compliance with the EU regulation on data protection. The contract will in general be concluded on the basis of the EU Commission’s Model Clauses. Alternatively or additionally, we may implement further or supplementary guarantees for the protection of personal data.
The third party is only authorized to process personal data according to our instructions.
You are at any time entitled to request a copy from Scandlines of the guarantees regarding data protection guaranteed by the third party in question as well as a copy of the data, which will be sent to the e-address indicated by you.
§ 8 - RETENTION PERIODS
Information you provided to us via the website will in general only be stored for the time period it is required to fulfil the contract with you or to respond to your inquiry. Where statutory longer retention periods apply, the data may be stored for a longer period in compliance with these obligations, also in case of an individual legitimate interest (e.g. in case of a legal dispute).
Information regarding your SMILE point related purchases will be deleted one year after the said points are statute-barred, cf. Section 8 of the SMILE terms. Our SMILE terms can be accessed on www.scandlines.com/terms
Information regarding name, e-mail address, home address, telephone number and travel frequencies will be kept for one year after the last points on your account have been statute-barred or your membership has been terminated, unless you specifically asked us to delete your data previously.
Information on ordering tickets and other services (cf. § 2) will be stored for 5 years following the financial year in which you bought the ticket or service.
Information purchased for direct marketing purposes (cf. § 4) will be deleted after having sent out the direct marketing material.
Information received in connection with competitions (cf. § 5) will be deleted after you have received your competition prize, but at the latest after three months.
In regard to your right of information, correction, deletion or blocking, § 12 below applies. If you request that Scandlines delete all your data and if consequently a further membership is not possible anymore without such data, the termination rules in Section 10 of the SMILE terms will apply accordingly.
§ 9 - RIGHT TO WITHDRAW CONSENT
To the extent that Scandlines processes your personal data on the basis of your consent, cf. above, you may at any given time withdraw such consent by contacting Scandlines.
Your withdrawal of your consent usually means that Scandlines will no longer process your personal data, unless Scandlines has another legal basis, without affecting the lawfulness of processing based on consent before its withdrawal.
§ 10 - GOOGLE ANALYTICS
The website uses Google Analytics, a web analysis service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies”, i.e. text files which are saved on your computer and make it possible to analyze your use of the website. The information generated by the cookie on your use of the website will generally be transmitted to a Google server in the USA and stored there. IP anonymization is activated on the website. Therefore, within Member States of the European Union or in other countries that are party to the Agreement on the European Economic Area, Google will first shorten your IP address. In case personal data are nevertheless transferred to Google, we will assure via appropriate guarantees that these data are subject to an adequate level of data protection also in the US (for example by entering into European Standard Model Clauses).
On our behalf, Google will use that information to evaluate your use of the website, to compile reports about website activities and to provide other services associated with the use of the website and the Internet to us.
The IP address transmitted by your browser within Google Analytics will not be merged with other data of Google. You can prevent the installation of cookies by setting your browser software accordingly. However, please note that you may not be able to use all functions of the website to their full extent if you do so. You can also prevent the collection of the data generated by the cookie relating to your use of the website (including your IP address) for Google, as well as the processing of that data by Google, by downloading and installing the browser plug-in available via the following link: https://tools.google.com/dlpage/gaoptout?hl=en-GB.
For further information relating to cookies, please see our cookie policy on one of our websites, cf. § 1, e.g. https://www.scandlines.com/cookies/.
§ 11 - CAMERA SURVEILLANCE
Video surveillance systems are installed in certain areas at Scandlines. Where this is the case, signs expressly indicate so.
Camera surveillance data are processed for the following purposes and based on the following legal grounds:
- Safety and security of port infrastructure and vessels based on mandatory law (ISPS Code), article 6 (1) c GDPR;
- Our legitimate interest in protecting the property of Scandlines against damage and theft, article 6 (1) f GDPR.
Any surveillance data will only be accessed in case of a related incident and will otherwise be automatically deleted within 72 hours.
§ 12 - YOUR RIGHTS
In accordance with the applicable data protection laws you have a number of rights, which you can exercise by contacting Scandlines using the contact information below.
Giving your data is voluntary; however, please note that we require certain key information from you in order to be able to provide you with the services you need. If you would like such information to be partially or completely deleted, it is therefore possible that you will no longer be able to use certain services on our website, or you will only be able to use them in part.
With regard to the following rights, you are most welcome to raise them in an email to compliance@scandlines.com.
Right of access
You have the right to request access to the personal data which Scandlines processes about you, including retention period, with whom we have shared your personal data etc.
Right to rectification and erasure
If the personal data Scandlines processes about you is incorrect, incomplete or misleading, you have the right to have such data corrected, rectified or blocked.
You may also in some cases have the right to have your personal data erased.
Right to limiting the processing of your personal data
You may in some cases have the right to request Scandlines to limit the processing of your personal data.
If you have such a right and you choose to exercise this right, Scandlines may only store your personal data or process your personal data for the purposes of establishing, exercising or defending a legal claim or protecting a third party or vital public interests, unless we obtained your consent.
Right to object
In some cases, you may object to our processing of your personal data (Art. 21 GDPR). This applies in case of grounds relating to your particular situation where we process your personal data on the basis of our legitimate interests (see above). You can also object to our processing of your data for the purposes of direct marketing.
Right to data portability
You may in certain cases have the right to data portability, and to either receive your personal data or transfer your personal data to another data controller.
Right to complain
You can contact Scandlines at any time if you believe that Scandlines is processing your personal data in violation of applicable data protection laws.
However, if you cannot find a solution with Scandlines or do not wish to contact Scandlines, you can submit a complaint to the competent data protection authority. You can find the contact details of your local supervisory authority here: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
§ 13 - CONTACT
Your questions and suggestions on the topic of data protection are very welcome and important to us. You can contact us by writing an email to: compliance@scandlines.com.
25 November, 2022
Responsible entities:
Scandlines Danmark ApS*
Scandlines Gedser-Rostock ApS*
Scandlines Catering ApS*
*Havneholmen 25, 8.
DK – 1561 Copenhagen V
Scandlines Deutschland GmbH**
Scandferries Holding GmbH**
Scandlines Bordershop Puttgarden GmbH**
Scandlines Bordershop Rostock GmbH**
**Drehbahn 7
D – 20354 Hamburg
** External Data protection officer: Frank Jander, Kedua GmbH, Eichhorster Weg 80, 13435 Berlin.