Global Privacy Notice for Employees and Crew

Carnival Corporation and Carnival plc (collectively referred to as “Carnival”) operate under a dual listed company structure with primary stock exchange listings in the United States and the United Kingdom. Carnival is a global cruise business with a portfolio of leading cruise brands, including P&O Cruises Australia, Princess Cruises, Carnival Cruise Line, Holland America Line, Seabourn, Cunard Line, P&O World Cruises, AIDA, Costa and Fathom (‘Carnival brands’).

This privacy notice applies to all employees, crew, contractors, temporary staff, external agents, partners, consultants and vendors (including concessions staff on board ships) working on behalf of Carnival brands (referred to in this privacy notice as ‘employees’). It provides information regarding the processing of the personal data that you, in your capacity as the Data Subject (hereinafter the ‘Data Subject’), provided to us in order to initiate and execute your Contract of Employment (hereinafter the ‘Contract of Employment’) for the global operations and/or shipboard and shoreside activities of the following Carnival brands and/or their legal agents: Princess Cruise Lines, Ltd., Holland America Line N.V., in its capacity as general partner of Cruiseport Curacao C.V., Seabourn Cruise Line Limited, Carnival plc trading as P&O Cruises Australia, Carnival plc trading as Cunard Line, HAL Maritime Limited, HAL Beheer B.V., Navitrans B.V., Marine Manpower Services (Guernsey) LTD, Carnival Japan Inc., Cunard Celtic Ltd., Fleet Maritime Services (Bermuda), Ltd., HAL Properties Limited, Holland America Line Inc., Princess Cays Limited, Royal Hyway Tours, Inc., Tour Alaska LLC, Westmark Hotels of Canada Ltd., Westmark Hotels, Inc., Carnival Corporation Hong Kong Limited, Carnival Corporation Korea Ltd., Global Shipping Service (Shanghai) Co., Ltd., Carnival plc (Singapore Branch), Carnival plc Taiwan Branch, UK Carnival plc Cruises Beijing Representative Office, UK Carnival plc Cruises Chengdu Representative Office, UK Carnival plc Guangzhou Representative Office, and UK Carnival plc Shanghai Representative Office , (hereinafter the ‘Company’).

Overview

Your privacy is important to us. We respect the privacy rights of all individuals and we are committed to handling personal data responsibly and in accordance with applicable law. This privacy notice explains what personal data Holland America Line collects, uses, and maintains (collectively “processes”) about you in the operation of its business, how it uses that data, and your rights to that data.

Please note that this notice applies to the handling of your personal data as an employee. Additional details concerning the Company’s governance and privacy requirements for employee data can be found in internal resources including the Employee Handbook, Information Security Standard, Technology Use and Privacy Policy, Information Governance Policy and all related articles in seafarer’s agreements.

This notice does not cover your use of the Company’s consumer products and services as a consumer, outside of your regular employment or assignment with any of the affiliate brands of the Company. To learn more about the Company’s data collection practices that cover your use of our products as a consumer, please read our Privacy Policies located on the applicable brand websites.

This notice is not intended and shall not be read to create any express or implied promise or contract for employment, for any benefit, or for specific treatment in specific situations. Nothing in this notice should be construed to interfere with the Company’s ability to process employee data for purposes of complying with its legal obligations, or for investigating alleged misconduct or violations of Company policy or law, subject to compliance with internal policy and local legal requirements.

The Company’s processing of personal data is in all cases subject to the requirements of local law, internal policy, and any consultation requirements with worker representatives (where appropriate). To the extent this notice conflicts with local law in your jurisdictions, local law controls.

  1. What Personal Data We Collect. The data we collect can include the following, but is not limited to:

    • Name and contact data.Your first and last name, employee identification number, email address, postal address, phone number, photo, beneficiary and emergency contact details, and other similar contact data. Additionally, you may opt to provide additional contact information such as personal email address (es) and/or cell phone number(s).
    • Demographic data. Your date of birth and gender. We may also collect and process “Sensitive Personal Information” about you in accordance with local requirements and applicable law.
    • National identifiers. Your national ID/passport, residency, visa and work permit status, social security number, or other taxpayer/government identification number.
    • Employment details. Your job title/position, office location, employment contract, offer letter, hire date, termination date, performance history and disciplinary records, leave of absence, sick time, and vacation/holiday records.
    • Spouse/partner and dependents’ information. Your spouse/partner and dependents’ first and last names, dates of birth, and contact details.
    • Background information. Academic and professional qualifications, education, CV/Resume, credit history and criminal records data (utilized for background check and vetting purposes where permissible and in accordance with applicable law and consultation requirements).
    • Financial information. Bank account details, tax information, salary, retirement account information, company allowances and other information necessary to administer payroll, taxes and benefits.
    • Workplace, Device, Usage, and Content data. Emails sent and received, building and information system access, device, system and application usage when accessing and using corporate buildings, ships, services and assets.

  2. Special categories of personal data. We do not process special categories of personal data (also referred to as ‘sensitive’ personal data) about you except where there is a legal reason to do so, either as part of your contract of employment, where we are under an obligation to process that data, or where you have asked us to do so. Special categories of personal data pursuant to Articles 9 & 10 of Regulation (EU) 2016/679 may include data such as:

    1. racial or ethnic origin, which may be revealed by personal details or by photographs processed for organizational or operational reasons (e.g. Company security pass), religious beliefs, if you have requested to observe religious holidays other than Catholic holidays, in accordance with the law;
    2. trade union membership, if you have requested the Company to withhold trade union membership fees from your wages or you hold, or are a candidate for, a position as a trade union officer;
    3. membership of a political party, if you hold a publicly elected office or work at a polling station as a party-appointed scrutineer;
    4. philosophical beliefs, with specific regard to conscientious objection to military service;
    5. providing and/or referring care by Company medical services as necessary or the Data Subject’s state of health, e.g. medical certificates, medical histories, other certificates justifying absences for medical examinations, certificates of fitness to work, certificates pursuant to Legislative Decree no. 81/2008 (occupational health and safety), maternity certificates and maternity leave, documents regarding injuries and industrial accident insurance;
    6. the Data Subject’s health status as determined by the contracted physician and by the Company’s health facilities, in any event managed by doctors bound by professional secrecy, and generally used for example to ensure compatibility between personal health – including that of your family members – and assigned duties;
    7. criminal convictions, offenses and pending criminal charges, where required by the law for the purposes of employment and for management of the Contract of Employment or for assessment of the Data Subject’s professional aptitude.

  3. Purposes of personal data processing. The processing of your personal data and those of your family members (hereinafter the “Data”), including special categories of such data, is carried out for the following purposes and in accordance with the following legal basis:

    1. Administer and Manage the Contract of Employment. The Data provided for the Contract of Employment will be processed in order to:

      1. fulfill obligations arising from the Contract of Employment and associated legal obligations (e.g. payment of wages, payment of social security contributions, preparation of paychecks, management of annual leave, documents justifying absences, etc.);
      2. carry out the organizational management of your work, as well as for the Company’s operational/management demands, such as creation of job descriptions for the corporate Intranet, collection and retention of information that is useful for your career advancement (e.g. your educational record, training courses attended, knowledge of foreign languages, previous work experience), internal auditing and risk management activities etc.
    2. Workplace Security and Monitoring. The Data will also be processed for security purposes, protection of Company property (including intellectual property) and crime prevention, partly by means of inspections (e.g. internal audits), electronic surveillance, closed circuit cameras (CCTV) as well as tools for reporting misconduct by employees to the competent corporate bodies (e.g. compliance website and hotline). The primary purpose of this monitoring is to protect the Company, its employees, passengers and partners, for example:

      1. For network and device management and support;
      2. For proof of business transactions and recordkeeping;
      3. For the protection of confidential information and Company assets;
      4. For investigating wrongful acts or potential violations of Company policy; and
      5. For other legitimate business purposes as permitted under applicable law.

      You are informed that the security checks and other means of monitoring entrances to the Company’s head office, ships and other premises, as well as associated inspections, internal auditing and reporting of misconduct, will be carried out in full compliance with the principle of necessity and, where applicable, with the prohibition on the use of such cameras to monitor the work of employees and that the image data will only be processed by persons expressly authorized to this end and only be stored for the time strictly necessary for the aforementioned security purposes, or for any longer periods laid down in specific trade union agreements or stipulated by judicial authorities.

    3. Other overriding and legitimate business purposes. We also may process your personal data when it is necessary for other legitimate purposes, such as general HR administration, general business management and operations, disclosures for auditing and reporting purposes, management of network and information systems security and business operations, provision and improvement of employee services, physical security and to protect the life and safety of employees and others. We may also use special applications and systems that record employee performance metrics, such as sales-related or code databases for business operations purposes, as well as for the purposes of reviewing, rewarding and coaching employees on their performance. We may also process your personal data to investigate potential violations of law or breaches of our internal policies.
    4. Legally required purposes. We also may process your personal data when we consider it necessary for complying with laws and regulations, including collecting and disclosing personal data as required by law (e.g., for minimum wage, working time, tax, health and safety, anti-discrimination laws, global migration), under judicial authorization, or to exercise or defend the legal rights of the Company.
    5. Purposes related to the use of your facial image. The Controller may use your facial image (e.g. in photographs), for the following purposes:
      1. Security purposes: your photograph will appear on your Company security pass. These passes are used to monitor access so as to enable the ready identification of all persons on the premises and ships;
      2. Organizational and operational purposes: your photograph may be posted on the corporate Intranet, for the ready identification of job descriptions applying for a Seaman’s book
      3. Advertising: your photograph may be published in Company magazines and promotional material in connection with and/or during Company events in which you may take part. Prior to any event that may be photographed or filmed, you will be informed and a release will be obtained prior to use.

  4. Collection and Use of Data from Third Parties and Social Media. We may also collect personal data about you from third parties or public sources as needed to support the employment relationship. We may conduct lawful background screenings, to the extent permitted by law, through a third-party vendor for information about your past education, employment, credit and/or criminal history. In the event of a natural disaster or other life/safety emergency, we may rely on public social media posts or other public sources to account for employees if otherwise unable to contact them. Additionally, if there is an investigation of an employee matter, we may obtain information relevant to the incident from external sources including private parties, law enforcement or public sources like news sources and public social media posts.

  5. How and Why We Share Personal Data. The provision of the Data is necessary to finalize and execute the Contract of Employment and to comply with the associated contractual and legal requirements. Failure to provide the Data may make it impossible to execute the Contract of Employment or to fulfill some or all of the associated contractual and legal requirements. The Company will only share your personal data with those who have a legitimate need for it. Wherever we permit a third party to access personal data, we will make sure the data is used in a manner consistent with this notice (and any internal data handling guidelines consistent with the sensitivity and classification of the data.) your personal data may be share with our subsidiaries and affiliates and other third parties, including service providers, for legitimate purpose including but not limited to as follows: The Data will be disclosed to the following categories of recipients, for the purposes mentioned above:

    1. In order to carry out the uses of personal data described above
    2. To enable third parties to provide services to us. Categories of recipients of data would include insurance providers, payroll support services, relocation, tax and travel management services, health and safety experts, and manning agents;
    3. To comply with our legal obligations, regulations or contracts, or to respond to a court order, administrative or judicial process, such as a subpoena, government audit or search warrant. Categories of recipients would include counter-parties to contracts, judicial and governmental bodies;
    4. In response to lawful requests by public authorities (such as national security or law enforcement);
    5. To seek legal advice from external lawyers and advice from other professional advisers such as accountants, management consultants, etc.;
    6. As necessary to establish, exercise or defend against potential, threatened or actual litigation (such as adverse parties in litigation);
    7. Where necessary to protect the Company, your vital interests, or those of another person;
    8. In connection with the sale, assignment or other transfer of all or part of our business (such as a potential purchaser and its legal / professional advisers); or
    9. Otherwise in accordance with your consent.

  6. Where We Store and Process Personal Data. The Company operates at the global level and therefore personal data may need to be transferred to countries outside of where it was originally collected. For example, because we are headquartered in the United States, information collected in other countries is routinely transferred to the United States for processing. When we transfer your personal data to another country, we will ensure that this transfer complies with applicable laws and legislation. The Company has Model Clauses in place for the collection, use, and retention of personal data transferred from the European Union to other countries. This data is only transferred to other Carnival Group companies and/or to third party service providers, and only for the aforementioned purposes.

  7. Security of your Personal Data. The Company is committed to protecting the security of your personal data. We will use a variety of security technologies and procedures to help protect your personal data from unauthorized access, use, or disclosure. For example, we store the personal data you provide on computer servers with limited access that are located in controlled facilities, and when we transfer certain highly confidential or sensitive personal information, we protect it through the use of encryption.

  8. Retention period. Personal data will be stored according to applicable laws or regulatory requirements and kept as long as is necessary to fulfill the purposes for which the personal data was collected. Generally, this means that your personal data will be retained as documented in our corporate retention schedule and applicable riders and supplements.

  9. Change of purpose. We will only use your personal data for the purposes outlined in this notice or such purposes as may be reasonably compatible with the original purpose for which it was collected or there is an alternative legal basis for the further processing.

  10. Changes to this Privacy Notice. We may occasionally update this privacy notice. When we do, we will revise the “last updated” date at the top of the privacy notice. If there are material changes to this notice or in how the Company will use your personal data, we will use reasonable efforts to notify you wither by prominently posting a notice of such changes before they take effect or by directly sending you a notification. We encourage you to periodically review this privacy statement to learn how the Company is protecting your personal data.

  11. Data Controller The Data Controller is Holland America Line N.V., headquartered in Seattle, Washington, USA.

  12. How to Contact Us. Holland America Group Privacy, attn: Data Protection Officer, 450 3rd Ave West, Seattle, WA 98119 USA Email to privacy@HollandAmericaGroup.com

  13. 13. EU Employees: Your EU Data Subject Rights In addition to the information shared above, EU employees may have certain rights under applicable data protection laws (including the EU General Data Protection Regulation and local legal implementation of that Regulation, which include the rights to:

    1. Request access to and obtain a copy of your personal data,
    2. Request rectification (or correction) or erasure of your personal data you have provided that is inaccurate;
    3. Request erasure (or deletion) of personal data that is no longer necessary to fulfil the purposes or which it was collected, or does not need to be retained by the Company or other legitimate purposes;
    4. Restrict or object to the processing of your personal data; and
    5. If applicable, request your personal data be ported (transferred) to another company.

    Application of the above rights may vary depending on the type of data involved, and the Company’s particular basis for processing the personal data.

    To make a request to exercise one of the above rights, please contact privacy@HollandAmericaGroup.com. We will consider and act upon any requests in accordance with applicable data protection laws. Please note that we may request specific information from you to enable us to confirm your identity and right to access, as well as to search for and provide you with the personal data that we hold about you. We may, in limited circumstances, charge you a reasonable fee to access your personal data; however, we will advise you of any fee in advance.

    If we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time. Please note, however, that this will not affect the lawfulness of the processing before its withdrawal.

    EU employees may also direct questions about how we handle personal information to the Data Protection Officer at privacy@HollandAmericaGroup.com. While the Company hopes it can answer any questions that you may have, if you have unresolved concerns you also have the right to complain to a relevant data protection supervisory authority in the EU.