Personal Data Privacy Management Policy

Identification of the document
Pol. GDPR.001 – Personal Data Privacy Management Policy

Associated Documents
Pol. SGSI.002 – Information Security

Classification of the Document

Security checks applicable to the document
ISO Standard 27001:2013
Controls A.8.2.1 – A.8.2.2 – A.8.2.3


Distribution List
All Pluris’s employees[1]

[1] Employees mean all those who, regardless of the nature and validity of the contractual relationship, carry out their activity inside or outside the Group’s facilities. The employees or entities that use the facilities or resources provided by the Group and through which they access the protected information are also covered by this Policy.


This policy aims to present the commitments of Pluris Investments S.A. (hereinafter referred to as PLURIS or Group[2]) regarding the management of the privacy and protection of personal data of the Data Subjects whose treatment is its responsibility and to respond to the requirements of the General Data Protection Regulation[3] and its national enforcement legislation[4].

It is also intended to demonstrate how personal data will be treated in the context of the activity developed by the Group and its employees, through the setting of internal rules that comply with the requirements demanded by the Regulation, namely, the legitimacy, processing and conservation.

All personal data will be processed and managed in accordance with this policy together with the Information Security Policy, considering the updated inventory of such data.

[2] Group means all companies that are directly or indirectly owned by Pluris Investments, S.A.

[3] Regulation (EU) 2016/679 of the European Parliament and the Council, from 27 April 2016, on the protection of the processing of personal data and the free circulation of such data, that revokes Directive 95/46/EC. The GDPR entered into force on 24 May 2016 and is mandatory and automatically applicable in all Member States since 25 May 2018.

[4] Law No. 58/2019, from 8 August ensures the enforcement in the national legislation of the General Data Protection />

Roles and Responsibilities

The role of the Pluris’s Board is to ensure that this policy is aligned with the Group’s strategy, in order to ensure its continuous improvement in terms of information security and privacy.
The Data Protection Officer (DPO) has the role of ensuring compliance with the requirements of the continuously and systematically, that all the rights of the Data Subjects are being observed and that the appropriate security controls are operationalised for the objectives set out herein.
Pluris’s Board designates and assigns to the Data Protection Officer the roles and responsibilities described above in relation to all companies in the Group.
All the Group’s employees, as well as its subcontractors – as far as the latter is applicable – have the responsibility to comply with and enforce the commitments of this policy.

Personal data subjects

For the execution of its activities and associated processing purposes, Pluris collects personal data from the following sources:

  • Corporate clients through a contract
  • Customers registered through web tools
  • Customers by ticket acquisition
  • Internal employees and hired service providers
  • Suppliers and services providers
  • Visitors to physical or nautical facilities

Guarantee of confidentiality and privacy of personal data

The personal data identified in this Policy will be processed by Pluris as the entity responsible for the processing of personal data.
In order to ensure the confidentiality and privacy of the data, the Group ensures that it will only be accessed by formally authorized employees for the performance of their duties.
The responsibilities of each employee in matters of Security, Privacy and Personal Data Protection are detailed in the contracts entered into by Pluris, including the confidentiality and secrecy obligations to which they are bound.

Identification of the responsible for the processing of personal data

The responsible for the processing of personal data is Pluris Investments, S.A., with registered offices at Rua de Miragaia 103, 4050-387, Porto, Portugal, with legal person registration number 508 767 881.
The PLURIS Group leads several companies to which the responsibilities and obligations arising from this Policy apply.

Data Protection Impact Assessment

Where data processing operations are likely to result in a risk, to a level that cannot be accepted by the Group, PLURIS shall carry out, before the beginning of the processing, an impact assessment with the aim to identify and treat them.
The result of the assessments carried out is accompanied by the grounds for the selection of the security controls to be applied for each situation, in accordance with the criteria for the existing risk management methodology.

Collection, processing, sharing and retention of personal data

a) Collection of personal data

1. For situations that do not involve Web tools

Personal data is collected directly through the following ways:

• Spontaneous applications or response to job offers with sharing of Curriculum Vitae
• Filling out paper forms
• Capture of images and videos on fixed premises and onboard sea or river vessels
• Biometric data
• Email or phone
• When purchasing tickets, marketing products or other materials purchased in the Group physically or in the vessels’ stores, including catering services

Personal data may be collected indirectly, through the following ways:

• Import the content of Curriculum Vitae for human resources registration.
• Import of data with shared responsibility with commercial partners hired for this purpose
• Marketing points of sale, catering services or similar
• Job candidates selection companies
• Medical service providers
• Companies providing life insurance services

In addition to the ways described above, no other methods of indirect collection of personal data may be used, unless previously and expressly authorized by the Data Protection Officer.
The collection of sensitive personal data will only be carried out in strictly necessary cases and justified by the legislation in force.

2. For situations involving web tools

Personal data is collected directly through the organization’s official web tools, namely online shopping websites, or indirectly through marketing automation tools and online advertising from duly authorized subcontracting partners and in full compliance with our personal data privacy management policy.
Indirect collections may also occur through subcontracting partners regarding the placing of orders, namely the acquisition of tickets for exhibitions access or company services.
The cookie management policy complements this subject by presenting the “opt-in” and “opt-out” options that are available for this component of the websites.
The cookie management policy complements this subject by presenting the “opt-in” and “opt-out” options that are available for this component of the websites.
The personal data Subject may also opt-out of online advertising services in social tools, namely on Facebook, Google Ads, Instagram and LinkedIn.
Pluris guarantees that no manual or computerized form will have previously completed options, being all alternatives selected by the Data Subject.
Personal data shall be collected on the basis of the grounds of lawfulness provided for in this policy and in compliance with the principle of minimization.


b) Processing of personal data

In addition to the processing types described below, no other types of processing of personal data may be used, unless previously and expressly authorized by the Data Protection Officer.

1. For situations that do not involve Web tools


There will be no use of personal data for the purpose of creating and using sales profiles or indicators of products, regions or trends.

2. For situations involving web tools

Such activities include:

c) Sharing personal data

1. For situations that do not involve Web tools

In addition to the sharing purposes described below, no other purposes may be carried out, unless previously and expressly authorized by the Data Protection Officer.

Personal data may be shared to subcontracting entities for the above purposes, in accordance with the contracts entered with them. Pluris only uses subcontractors that ensure the implementation of appropriate technical and organizational measures to the protection of their data through subcontractor agreements, thus ensuring the protection of their rights according to the applicable data protection law.
The sharing of data classified as sensitive will only be carried out with legal entities, partners providing medical services and the like.

This Data Sharing will, as a rule, be carried out within the European area.

There are specific situations that require data sharing with entities outside the European area, namely:
• With port authorities: for the purposes of security and immigration control on sea cruise vessels, in accordance with applicable legal provisions.
• With companies from the Group: to support activities of legitimate interest, ensuring the minimization of the processing of personal data.


2. For situations involving web tools

There is Data Sharing with subcontractors formally authorized for digital marketing purposes, being the personal data involved in these shares subject to the consent of the respective Data Subject, who has, at any time, the possibility to opt-out..

These shares may lead to data transfers outside the European area for cases of targeting digital marketing campaigns with intercontinental subcontracting partners. In these cases, the organization takes care to implement appropriate security controls to each identified risk situation, as well as to ensure to the Data Subject the guarantee of unconditional enforcement of his rights and all the requirements of the General Data Protection Regulation.

d) Retention of personal data

The period during which personal data will be retained varies depending on the purpose for which the data is processed, as described in the table below.
Failure to comply with the deadlines set below will be immediately communicated to the Data Protection Officer.
The practices of retention of personal data are described in the Information Classification Policy in force.

Retention means the secure storage of data, in digital or paper format, ensuring the conditions of access management to guarantee confidentiality, integrity and availability of information, as well as its preservation in the appropriate conditions of use according to the defined retention time.

In addition to data retention, legal requirements that require the retention of personal data for a minimum period will be met. Where such a minimum period does not exist, personal data shall be kept only for the period strictly necessary for the pursuit of the purposes for which the data were collected or are subsequently processed or, if and where applicable, for the period determined by the competent data protection authority, after which the data will be permanently deleted.

Rights of Data Subjects

Data Subjects will be guaranteed the conditions to exercise their rights under the General Data Protection Regulation.

The Data Protection Officer appointed by the Group will be involved in all matters relating to the protection of personal data, and all questions placed by the Data Subjects should preferably be placed in writing through the email address any.

If the Data Subject wishes to present a complaint or report a privacy violation, the Data Subject may communicate through the email address or directly with the control authority he selects.

Alternatively, the Data Subject will have at his disposal a web communication portal, where he can perform all the above-mentioned interactions and obtain information about the processing of such requests.

Following the records of complaint or violation of privacy, the Group undertakes to inform the Data Subject of each step and progress of the process of his complaint, without prejudice to comply with the deadlines defined by the Regulation.

Continuous review and improvement

This policy will be reviewed annually, or whenever there are significant changes in the inventory of personal data and/or in computer or documentary supports.

Each of these revisions will give rise to a new version of this document.

Release and publication

The Privacy Management Policy is classified as publicly accessible information. (as. Information classification Policy) and will be available for consultation via the Internet, either on the institutional website or Internet tools that support the business and also in the group’s social networks.

During the reception process, new employees will be made aware of this Policy, as well as the mandatory participation of those in training and awareness-raising actions in the security, privacy and protection of personal data that will be part of the reception process.

Employees may consult this Policy at any time through the document management platform of the Group’s internal network.

Entities/employees who, for reasons related to their duties, do not have access to the platform, will be aware of this policy through sharing it in the format appropriate to each case.

Policy Term:

This policy has been approved by the Board of the Pluris Group and becomes effective on the date it is published. Any subsequent changes will take effect immediately after its publication.

Revision register: