Privacy
Notice

Global Ports Holding Plc Privacy Information Notice (Liverpool Cruise Port)

Introduction
Global Ports Holding Limited (“GPH”) respects your privacy and is committed to protecting your personal data. This privacy notice explains how we manage your personal data when you visit our website or use our Liverpool Cruise Port and outlines your privacy rights in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please note that our Company is not a travel agency or cruise line operator and does not sell travel programs or cruise services to passengers. As a cruise port operator, our role is strictly limited to managing and facilitating port operations, including embarkation and disembarkation processes. All travel arrangements, bookings, and associated services are provided by cruise companies or authorized travel agencies. Accordingly, our processing of personal data relates solely to port access, safety, logistics, and regulatory compliance within the scope of our terminal operations.

Important Information and Who We Are

Purpose of the Privacy Notice

This privacy notice provides information on how GPH collects and processes your personal data during your interactions with us, including any data you may provide through our website or at Liverpool Cruise Port.

Controller
This privacy notice provides information on how GPH collects and processes your personal data during your interactions with us, including any data you may provide through our website or at Liverpool Cruise Port.

Contact Details

If you have any questions about this notice or our data privacy practices, please contact our Data Protection Officer (DPO) as follows

• Full name of legal entity: Global Ports Holding Limited
• Email address: dpo@globalportsholding.com

• Postal address: 35 Albemarle Street, 3rd Floor, W1S 4JD, London – UK (Please specify “For the Attention of the Data Protection Officer” on the envelope)

Changes to the Privacy Notice

This version was last updated on 11.08.2025. We may update this notice from time to time, and any significant changes will be communicated through our website, ensuring that your privacy rights are respected and upheld.

Third-Party Links

This website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.

Please note that when booking through a travel agency or cruise company, they will complete your booking by entering the required data into our systems, acting as independent data controllers. This essentially means that the travel agency or cruise company independently decides how to process your personal data for activities under its competence and is responsible for the processing and appropriate data protection measures. For details on the processing activities involving your personal data, please contact your local travel agency or cruise company. Similarly, if you have booked additional services or packages involving cruise lines, these cruise companies are also separately considered data controllers regarding passenger data processed in the context of providing their services. You can access the privacy policies of the respective travel agencies or cruise companies via their own websites or offices.

1. The Data We Collect About You

Personal Data

Personal data, or personal information, means any information about an individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• Identity Data: First name, maiden name, last name, username or similar identifier, marital status, title, date of birth, and gender.
• Contact Data: Billing address, delivery address, email address, and telephone numbers.
• Financial Data: Bank account and payment card details.
• Transaction Data: Details about payments to and from you and other details of products and services you have purchased from us.
• Technical Data: Internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
• Usage Data: Information about how you use our website, products, and services.
• Marketing and Communications Data: Your preferences in receiving marketing from us and your communication preferences.
• Surveillance Data: includes static or moving imagery via CCTV or surveillance systems as you pass through our ports.

2. How is Your Personal Data Collected?

We collect personal data about you whenever you use our services (whether these services are provided by us or by other companies or agents acting on our behalf), including when you embark or disembark through our ports, use our website, or interact with us via email or by calling our contact center. In addition, we may receive personal information about you from third parties, such as:

• Companies contracted by us to provide services to you;
• Companies involved in your travel plans, including airlines, cruise companies, and customs and immigration authorities;
• Companies that act as our third-party business partners with whom you have interacted and with whom you have consented to provide us with your data to receive marketing communications.

Please also note that when you provide us with data about others (e.g., details of passengers travelling with you, emergency contact data,), such as a co-traveller or minor, it is your responsibility to ensure that such individuals have authorized you to do so and that they are aware and have understood and accepted how our company uses their information (as described in this Privacy Notice).

Below you will find the main purposes for which your data is processed:

a) Responding to your requests (via website, call center, or email)

You can submit your requests regarding our activities and services through various channels (phone, email, SMS, messaging systems, etc.). To respond to your request, we need to process your identity and contact data, as well as the content of your query. Without this data, we cannot provide you with the requested information. This processing is carried out to take steps at your request prior to entering into a contract or to answer your request in the context of our port services.

Additionally, using the different forms on the website, you can request to be contacted through different channels (phone, email, SMS, messaging systems, etc.). Please also note that if you contact us via our call center, phone calls may be recorded for legal purposes where required by local regulations. In other cases, if the recording of the call is not mandatory under local laws, with your consent, the calls may be recorded for the protection and reproducibility of verbal commitments and may be cross-checked with other reservation data. The call recordings may also be processed based on our legitimate interest to meet quality assurance and training purposes. If the call is being recorded, you will be notified at the beginning of the call.

b) Completing and handling the embarkation process

To ensure smooth operations, we need to process your identity and contact data. We also register your booking and travel information, such as date and port of embarkation and disembarkation, vehicle information such as plate number, brand, and model of the vehicle. We process this information in order:

• To maintain the safety and security of the ports for our passengers, colleagues, and stakeholders, including but not limited to control authorities, national security, detection and prevention of crime, and aviation security;
• To monitor flows and demand throughout the ports to optimize resourcing and passenger experience;
• To support the effective management of port operations and any incidents;
• For investigative purposes or as evidence to support any formal follow-up to port incidents;
• In response to a subject access request.

In this regard, please note that we may also send you communications to provide you with relevant documents and information, as well as to inform you about necessary steps you need to take prior to your trip. These updates may include changes to embarkation or disembarkation times, alterations or cancellations of shore excursions, changes or cancellations to the ship’s itinerary, and other last-minute information related to your booking (such as due to adverse weather conditions or unforeseen circumstances).

We process all the above data based on our contract with you and to fulfill our service activities. You also need to provide information about valid travel documents and visas, where applicable. Furthermore, some ports of call may require the use of facial-recognition technology to validate travel documents. If biometric data is required to embark or disembark at such ports, your explicit consent will be obtained in accordance with UK GDPR Article 9(2)(a). Additionally, where required by law, alternative verification methods will be made available to passengers who do not wish to provide biometric data.

c) Sending you marketing communications

With your consent, we may process your identity and contact data, booking and travel information, preferences, and technical data related to online activity for marketing purposes. This includes sending you questionnaires/surveys, conducting market research, and direct marketing through email, WhatsApp, SMS, ordinary mail, phone calls, push notifications/pop-up banners on our app, instant messaging, via an operator, through our official social media pages, and other marketing activities. This may involve products and/or services related to our subsidiaries, other companies in our group, and our business partners (such as tourist activities, transportation services, luxury brands, travel agencies, insurance companies, etc.), as well as other third-party products and/or services.

Additionally, to enhance our efforts in providing you with relevant information and offers, we may also obtain personal data from our third-party business partners. This involves receiving or accessing databases from trusted partners to identify individuals who may be interested in our services and products and who have consented to share their data with us.

Please note that it is not mandatory to provide consent to receive promotional messages and offers from us or from third parties. However, without this consent, we will not be able to send you such communications that may be of interest to you.

Marketing communications are sent only after obtaining your explicit consent, verified through a double opt-in process. Since the processing of your data for the purposes indicated above is based on your consent, you can withdraw this consent at any time by clicking on the “unsubscribe” link at the bottom of a marketing email received from us. Any consent may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

d) Sending you personalized communications

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you. With your consent, we may process your personal data from time to time. We may use this data to analyse your preferences, habits, behaviour, and interests in order to send you personalized commercial communications and conduct targeted promotional actions. Since this processing is based on your specific consent, you can withdraw it at any time by emailing us at the address provided in section 1 of this notice or through the dedicated consent management options depending on the channel used. Additionally, if you are based outside the EU/EEA, specifically in the United States, and with your consent, we may also process your identity and contact data, booking and travel information, preferences, and technical data related to online activity for marketing purposes. This includes promoting our products and services to third parties (e.g., by improving the performance of personalized advertising campaigns). We use both automated means (e.g., emails, text messages, social media advertising) and non-automated means (e.g., ordinary mail, phone calls) to personalize our communications. This involves analysing your travel preferences, experiences, consumption habits, and market surveys to enhance the range of services we offer and send you communications that may interest you. Please also note that, with your consent, we may engage in social media marketing activities. To target audiences who may be interested in our offers and communications, we perform profiling activities based on interactions, preferences, and behaviour. When you browse our website, we use cookies to track certain information about you, provided you consent to their use. This helps us make the website more intuitive and suggest products or services that may interest you. For more details about our use of cookies and other tracking technologies, please see the section below. Since this processing is based on your specific consent, you can withdraw it at any time by clicking the “unsubscribe” link at the bottom of our communications, if available, or by using the contact details provided in section 1 of this notice.

e) Compliance with applicable laws

When you provide personal data to GPH, we are obligated to process it in accordance with applicable laws, which may include storing and reporting personal data to official authorities. This includes, for example, compliance with UK tax and fiscal laws, port security regulations, and other legal reporting obligations under the UK Data Protection Act 2018.

Additionally, in accordance with UK immigration and border control requirements, we may be required to process and share your personal data with relevant government authorities when necessary for security, safety, or regulatory compliance.

f) Handling requests, complaints, and comments

We keep track of comments and complaints you make regarding our port services, whether on-site or after your visit, to respond appropriately to your requests. We process this data in connection with our provision of services to you or based on our legitimate interest to protect the interests and rights of our company in case of disputes. You may choose to make an anonymous complaint or comment, but please note that in some cases, this may hinder our ability to follow up or provide assistance. You may choose to submit complaints anonymously. However, please note that we may not be able to fully resolve your issue without certain personal details. Additionally, we may use the content of your request, complaint, or comment to improve our port services. We limit the use of personally identifiable data as much as possible in this process. This processing is based on our legitimate interests in enhancing our services to ensure a positive experience for our visitors. We also retain this data to comply with our legal obligations, such as for accounting and tax purposes.

g) Ensuring port security

We monitor individuals present at the port to ensure security and handle potential crisis situations. We record your identity and contact data, booking and travel information, and security-related information. We process this data based on our legitimate interest (UK GDPR Article 6(1)(f)) in maintaining public security and managing crisis situations. Providing this data is not mandatory, but refusal to provide it may affect our ability to accommodate you at the port. We also process some personal data for fraud prevention and detection, relying on our legitimate interest in preventing and detecting fraud.

We use closed-circuit television (CCTV) systems throughout the port, including at all access points and public areas. CCTV cameras are continuously operational, and images of you may be captured. In some areas, CCTV footage may include sound recordings. CCTV footage is processed for the following purposes such as; ensuring security and public safety, preventing and detecting crime, fraud, and other unlawful activities, maintaining records of incidents and facilitating investigations, protecting our rights and the rights of our visitors, complying with legal or regulatory requirements.

CCTV systems are operated in compliance with UK GDPR and the UK Information Commissioner’s Office (ICO) guidelines. Footage is stored securely and accessed only by authorized personnel when necessary for security investigations or legal obligations.

In the event of a security incident, security officers may gather evidence from involved guests and staff to draft a report. If you are a witness, suspect, or victim, providing a statement is not mandatory.

If CCTV footage is available during an incident, it may be extracted and stored for up to 1 year, or longer if necessary, depending on the specific case (e.g., investigation by authorities). Footage not extracted or used is retained for up to 30 days from the recording date.

h) Disciplinary and precautionary measures

Please note that we have the authority to deny access to the port or require disembarkation of an individual whose presence may be deemed a potential risk to themselves, other individuals, or port operations, or when their behaviour may affect or compromise the comfort and safety of others.

To manage such situations, we may process data necessary for this purpose, including identity and contact information, booking and travel details, security-related information, as well as information regarding the cause of the measure, based on our contract with the relevant individual (UK GDPR Article 6(1)(b)) and our legitimate interest (UK GDPR Article 6(1)(f)).

Only data strictly necessary to assess and mitigate the risk will be processed, in compliance with UK GDPR principles of data minimization and purpose limitation. Additionally, any decisions that significantly affect an individual and are based solely on automated processing will be subject to appropriate safeguards as required under UK GDPR Article 22.

3. How long we store the data

In accordance with the principle of storage limitation, the personal data we collect is kept in a form that allows the identification of data subjects only as long as necessary for the purposes for which it was collected and processed, and in any case, no longer than specified by applicable laws.

Generally, information related to the contractual relationship with you will be retained for no longer than 10 years. Personal data collected based on your consent, specifically for marketing and profiling purposes, will be retained until you withdraw your consent, and in any case, no longer than 10 years from the withdrawal of this consent.

In cases where the retention period is not specifically stated above, we have defined a Corporate Data Retention Policy which outlines the timeframe for data processing, at the conclusion of which all copies of personal data are either destroyed or anonymized using appropriate techniques that prevent the reidentification of the individual in question.

At the end of this period, all copies of personal data are either destroyed or anonymized using techniques that prevent reidentification of the individual.

For more information on our data retention periods and the criteria used to determine these periods, please contact our Data Protection Officer (DPO) at the email address provided in Section 1.

4. Categories of Data Recipients and Personal Data Transfer

We may need to transfer this data to companies within the GPH Group or to other reputable third-party organizations, both within and outside of the United Kingdom (UK) . Additionally, your personal data may be shared with recipients situated outside the UK, including countries that are not subject to UK data protection laws.

Whenever we transfer your personal data internationally, we ensure that appropriate safeguards are in place to protect your data. These safeguards may include, (i) adequacy decisions issued by the UK government recognizing certain countries as providing an adequate level of data protection, (ii) Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office (ICO) to ensure that data recipients provide an adequate level of data protection, and (iii) other appropriate measures as required under UK GDPR and the Data Protection Act 2018.

To ensure greater transparency, we have provided a list below of the main categories of recipients with whom your personal data may be shared:

a) Group Companies

Depending on the country from which your embarkation originates, and to ensure we provide you with tailored services, we may share your information with companies within our corporate group. These companies process your data in full compliance with UK GDPR and applicable data protection laws.

Depending on where your booking is made, your data may be handled by one of our group companies, acting as a data processor following the instructions of the data controller.

In some instances, these companies may act as data controllers for specific processing activities (e.g., for onboard security, as detailed in this notice). In such cases, a separate privacy notice will be provided for that specific activity.

b) Commercial Partners

Certain services that you book with us are delivered by our commercial partners. In such instances, we may need to share your data with these partners. However, rest assured that we only disclose the data necessary to fulfill your request, and we have robust agreements in place to ensure that our partners use your data solely for this purpose. If these partners act as independent data controllers, we recommend that you review their specific privacy policies to understand how they manage your personal data.
Our commercial partners typically operate in the following sectors:

• Tourism (e.g., tour operators, local guides)
• Transportation (e.g., bus, train, airplane, or other transport services based on the specific service required)
• Insurance (e.g., when activating your insurance package during a cruise)
• Service Providers (e.g., IT service providers, consultants), including those authorized to process data necessary to carry out services and who are bound by confidentiality obligations.

c) Port Agents and Authorities

As a cruise port operator, we may be required to share certain passenger information with local port agents, border control agencies, and government authorities for immigration, security, and regulatory compliance purposes. If these entities are located outside the UK, such data transfers will be carried out in accordance with UK GDPR and relevant UK data protection laws.

Whenever personal data is transferred internationally, we ensure that appropriate legal safeguards are in place, which may include: (i) adequacy decisions issued by the UK government for certain countries, (ii) Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office (ICO), and (iii) other legally recognized mechanisms for data transfer compliance.

All data shared with port agents and authorities is limited to what is strictly necessary for compliance with legal and regulatory obligations.

5. Your Data Rights

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights concerning your personal data:

• Access: You have the right to request access to your personal data to understand how it is being processed, in accordance with Article 15 UK GDPR.
• Correction: You can request the correction of inaccurate or incomplete data, in accordance with Article 16 UK GDPR.
• Deletion: You can request the deletion of personal data if it is no longer necessary for the purposes for which it was collected, subject to legal obligations, in accordance with Article 17 UK GDPR.
• Restriction: You can request the restriction of processing under specific circumstances, in accordance with Article 18 UK GDPR.
• Objection: You can object to the processing of your personal data in certain circumstances, such as for marketing purposes, in accordance with Article 21 UK GDPR.
• Data Portability: Where applicable, you can request the transfer of your personal data to another controller, in accordance with Article 20 UK GDPR.
• Withdrawal of Consent: Where processing is based on your consent, you can withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact us at dpo@globalportsholding.com. Additionally, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data protection supervisory authority.

For further information, please consult Section 1 of this Privacy Notice or contact our Data Protection Officer (DPO).

To exercise your rights, contact us at dpo@globalportsholding.com.

6. Website Cookies and Other Tracking Technologies

Cookies are small text files that websites send to your computer or mobile device, which are then stored and used during subsequent visits. These cookies allow the website to remember your preferences and actions (such as login details, language settings, font sizes, and other display preferences) so that you don’t have to re-enter them each time you visit the site.

Cookies serve various purposes, including electronic authentication, session management, and storing information about your activities on the website. They can also contain a unique identifier that tracks your browsing behavior for statistical analysis or advertising purposes. Additionally, while browsing, you may receive cookies from third-party websites or servers not directly related to the site you are visiting.

Cookies come in different types based on their characteristics and functions, and they can remain on your device for varying periods. “Session cookies” are temporary and are deleted when you close your browser, whereas “persistent cookies” remain on your device until they expire or are manually deleted.

Depending on applicable laws, your consent may not always be required for cookies to be used on a website. For instance, “technical cookies,” which are necessary for electronic communication or to provide a service you requested, usually do not require consent. This includes browsing or session cookies that enable users to log in and functionality cookies that remember user choices, such as language settings or selected items for purchase.

Conversely, “profiling cookies,” which are used to create user profiles and send targeted advertising based on browsing behaviour, typically require explicit user consent, though this can vary by jurisdiction.

Our website uses the following types of cookies:

• Technical cookies: Essential for the website’s functionality and to enable you to access its content and services.
• Analytics cookies: Help us understand how users interact with the website and monitor traffic to and from the site.
• Marketing/profiling cookies: Used to send targeted advertisements and to create user profiles based on browsing preferences.

In addition to cookies, we also use “pixels”—small code snippets embedded in the website. Pixels enable us and third parties to track user behaviour and gather information about how users engage with our website. They can monitor actions like page views and clicks, often for personalized advertising and website analytics.

7. Sale of Personal Data

GPH does not sell personal data to third parties. However, we may process your personal data for targeted or personalized advertising, often referred to as interest-based or online behavioural advertising, which might include cross-contextual advertising.

These activities are conducted for both; business purposes (such as delivering our cruise-related services) and commercial purposes (such as marketing and personalized offers)

We ensure that such processing is carried out in compliance with UK GDPR and the Data Protection Act 2018, and we do not process personal data for marketing purposes without obtaining your explicit consent where required.

8. Changes to This Information Notice

We reserve the right to update, modify, add, or remove portions of this information notice at any time. When changes are made, the revised Information Notice will be posted on this page, the “Last update” date will be modified accordingly, and a banner will be displayed on the website to inform you of the changes.

Each updated version of the information notice becomes effective immediately upon publication on the website. If there are significant changes in how your personal data is processed, your acknowledgment may be required, in accordance with applicable legislation.

We encourage you to periodically review this document to stay informed of the current version. If you need access to a previous version of the information notice, please contact us using the details provided in Section 1 of this notice.

9. Contact Us

GPH is committed to protecting your privacy and ensuring that all personal data processing complies with applicable data protection legislation. If you have any questions or concerns about how we handle your personal data, please reach out to us filling the personal data request form provided in our website.