Your privacy is important to us at Hurtigruten Group and we are concerned with safeguarding your personal data.
We process personal data about you when you travel with Hurtigruten Group. In order to offer you a great experience, we collect personal data from you on different occasions, e.g., when you travel with us, use our services, visit our website or mobile phone applications or otherwise interact with us. All information that Hurtigruten Group processes about you is information that you have personally provided. We do not collect data from other sources.
what data we collect about you,
why they are collected,
how we use, share and secure these data and
your choices regarding use, access and rectification of your personal data.
2. Data Controller
Hurtigruten Group consists of several companies, and we can share your personal information with other companies in the Hurtigruten Group. We also work with several providers including government agencies, medical personnel, other business partners and providers, and may share personal information if
we have a legitimate reason
it is permitted by law, or
you have given your consent
Providers process your personal information in accordance with a data protection agreement or a data exchange agreement. The information can only be used in connection with the services you have purchased.
In order to provide services to you, the following companies within the Hurtigruten Group are responsible for the processing and storage of personal information:
Hurtigruten Global Sales AS, organization number 914 904 633, is responsible for the processing of personal data through our centralized booking system, for our websites, for your account on our websites, for our mobile app and for our loyalty program, and is responsible for all marketing and distribution of e-mail to our customers and contacts.
Hurtigruten Global Services AS, organization number 974 526 689, is responsible for the processing of personal data associated with all financial information about you, such as when you receive an invoice or make a payment with us.
Hurtigruten Norway AS, organization number 927081946, is responsible for the processing of personal data when you are on board our vessels along the Norwegian coast. Hurtigruten Norway is also responsible for the processing and storage of your personal information in connection with all activities and excursions on board.
Hurtigruten Expeditions AS, organization number 927 082 047, is responsible for the processing of personal data when you travel on an expedition trip with us. Hurtigruten Expeditions is also responsible for the processing and storage of your personal information in connection with all activities and excursions on board.
Hurtigruten Destinations AS, organization number 921 885 156 is responsible for the processing of your personal data when traveling to Svalbard and Barents. Including stays at our hotels, restaurants and in connection with all our activities and excursions.
We have a Data Protection Officer who assists Hurtigruten Group in ensuring good data protection. If you have questions regarding the processing of data, you may contact us by email at:
or send an enquiry to Hurtigruten Group AS, Attn.: DPO, Langkaia 1, 0150 Oslo
Please note: If you have questions regarding your booking or wish to unsubscribe to our newsletters or mail, we ask that you contact booking[at]hurtigruten.com
3. What data do we collect about you and for how long do we store them?
Hurtigruten Group stores the personal data we collect in a manner that allows for identification of you for as long as is necessary for the purposes for which the personal data are collected and processed in each individual case and in any case no longer than as specified by applicable laws.
How long do we store data about you depends on, among other things
when you booked your ticket
when you travelled
statutory storage requirements in different countries
whether you have given your consent, or
whether you are a Loyalty customer.
We have guidelines for the storage of personal data. These determine how long we store personal data and what personal data we process.
Identity and contact information, including name, address, phone number, email address, sex, date of birth and nationality.
You provide us with these data if you book a trip, register to receive our newsletter, join our Loyalty Programme or use our digital platforms or interact with our social media accounts (including by participating in competitions) or if you are in contact with our customer service centre. All information we have about you is information you have personally provided. We do not collect data from other sources. More on this in point 4 (a).
We store this information from and including the time of booking and until 5 years after your trip has ended or until your consent has been withdrawn.
We may store your personal data for longer if you want us to store them for your next trip and you have given your consent to do so.
Upon registering via Hurtigruten Group’s portal, the information you have provided in the portal will be stored for as long as you are registered as a user of this portal.
Passport information, including photo of face upon boarding one of our ships.
When you book a trip with us you provide information regarding valid travel documents and visas, where this is relevant. We process this information in order to comply with statutory requirements in the ports of call. We may also take a photo of your face upon boarding our ships for security reasons, as described below in point 4 (e). We process this information in order to comply with statutory requirements in the ports of call.
All information we have about you is information you have personally provided. We do not collect data from other sources. More on this in point 4.
We store this information from and including the time of booking and until 90 days after your trip has ended or until your consent has been withdrawn. In some circumstances, we may be required to store the data for longer in according with legislation.
Information regarding next of kin
For security reasons, we ask that you provide contact information for next of kin on some of our trips. We are only in possession of information about you that you have provided and do not collect data from other sources.
We store this information from and including the time of booking and until 90 days after your trip has ended or until your consent has been withdrawn.
Transaction data Transaction information including credit and debit card information, payment method and purchase history
In order to process payments and invoicing when you make a purchase, either in connection with a trip or products and services such as land excursions, we will process your payment information to process the transaction.
We store payment method, credit and debit card numbers for up to 5 years. All other transaction data and financial data are stored for up to 10 years or in accordance with local bookkeeping rules.
Payment information and activity information, including information relating to booked trips and excursions, flight bookings, hotel bookings, travel itinerary, travel companies, activities you have participated in while on a trip with us etc.
All data relating to bookings and activity information are collected when you make a booking or purchase with us. We are only in possession of information about you that you provide and do not collect data from other sources. More on this in point 4.
We store information regarding destination and travel date for up to 5 years. In some circumstances, we may be required to store the data for longer in according with legislation.
Communication between you and us including recordings of conversations with our customer service centres, email correspondence, chat, comments and reviews that are collected through surveys or that you have published on our channels or on social media.
We maintain an overview of communication between you and us in order to be able to respond to your enquiries, to maintain good service and to fulfil our agreement with you. We are only in possession of information about you that you have provided and do not collect data from other sources. More on this in point 4.
We store your communication with us for up to 5 years, or for as long as is required by local legislation, so that we may process possible claims or enquiries from you.
Digital information, including IP address, browser data, communications data, booking history, conduct on social media or user pattern. If you subscribe to our newsletters, we may collect data regarding what newsletters you open, your location when you open them and whether you use possible links in the newsletters.
We collect data about you when you use our website, mobile phone applications and other digital platforms in order to provide you with the best possible experience and to understand what you might be interested in. It is your device that provides us with this information, whether you are logged into your account or have accepted cookies. When you visit our digital platforms and use our services, this entails that we have to identify you (e.g., when you book a cruise, log into your account, when you want us to identify you as a member of our Loyalty Programme and when we need to remember your preferences).
We store such information for 6 months or until consent is withdrawn.
Health information, including information regarding allergies, disability or medical conditions.
You provide these details if you are informing us of medical conditions upon making a booking with us, checking in for a cruise, visiting our medical facilities during a cruise and/or registering for an excursion, trip or entertainment on board the cruise. We receive such information via a self-declaration form that you fill out. For some trips, we have simple forms wherein we collect information to prevent the spread of infectious diseases on board (e.g., COVID-19 or the flu). For security reasons, we have more comprehensive forms for some expedition cruises. At times, it may be necessary to perform certain examinations, such as screening for symptoms of disease, temperature measurement, testing for COVID-19 and contact tracing. We are only in possession of information about you that you provide and do not collect data from other sources. More on this in point 4.
We store this information from and including the time of booking and until 24 months after your trip has ended. In some circumstances, we may be required to store the data for longer in according with legislation.
Recordings from video surveillance
For security reasons, we operate closed-circuit television (CCTV) cameras on board our ships, including at all access points and in all public spaces. More on this in point 4 (e)
We store recordings from video surveillance for up to 30 days. If we believe it is necessary to hand over recordings from video surveillance to the police – e.g., when a criminal offence has been committed – we may store the recordings for up to 90 days.
4. Why, when and how do we collect data about you?
Our main purpose is to provide you with a great experience during your trip. Below, you will find the main purposes for the processing, as well as why and how your data are processed.
To provide you with information when you book our cruises and expeditions (via website, phone or email) We need to know your name, contact details and the content of your enquiry in order to be able to process your communication and provide you with relevant information regarding your trips and possible excursions. It is important for us to ensure that your trips are as comfortable and hassle-free as possible. Therefore, we will send you information that we consider necessary in order to organise your trip and to fulfil our agreement with you. This includes information regarding departure times, cancellations and check-in at hotels etc.
We may forward this information about you to our cooperation partners, as they require this information in order to communicate with you, as well as to provide you with support and assistance. More on this in point 5.
In addition, and only if you provide your express and specific consent, we will use your contact information to send you newsletters and marketing communication by email and SMS text message regarding our products and services that may be of interested to you. This processing is based on your consent and you may withdraw your consent at any time.
To complete and manage bookings In order to travel on board our ships, you are required to provide your name, contact information, date of birth and nationality when you make a booking. We also register some information about your choices of cruise, e.g., cabin category and type of cruise experience. We process these data based on our contract with you. You are also required to provide information regarding valid travel documents and visas, where this is relevant. We process this information in order to comply with statutory requirements in the ports of call. During the booking process, you may in some cases communicate data that indicate information regarding your health or even religious preferences (allergies or food preferences that indicate the observing of a specific religion – e.g., kosher or halal foods – or medical conditions that require special attention on board – such as disabilities or celiac disease.
We collect these data when you provide us with such information. For cruises, we collect such data in a self-declaration form and only process them based on your informed and specific consent. It is not mandatory to provide such data but please note that if you do not provide them, it is not certain that we will be able to accommodate your needs on board and in certain cases, for safety reasons, it is not certain that you will be able to book the desired trip.
In order for us to be able to be able to facilitate your trip in a good manner, we may have to forward your information to branches, agents and cooperation partners.
To send you information regarding products and services that are similar or are related to products and service that you have already booked When you provide us with contact information in connection with the booking of a trip, we will send you information regarding products or services that are similar or related to those you booked, unless you make use of your right to make reservations against receiving marketing communication from us at the time of booking. For instance, we will send you information regarding activity offers or restaurant options that are available on the cruise you booked.
Such data processing is performed based on our legitimate interest in informing you of similar or related products and services that we offer and that may improve your cruise experience.
To send you personal and adapted newsletters and communication in accordance with your preferences You have the option of giving your informed and specific consent to receive personal information from us when you register for our newsletter, when you register for the Loyalty Programme, when you request a brochure, in a conversation with us, as well as when you register for a ship visit or participate in a competition we arrange on our website. In all of the above circumstances, it is not mandatory to provide your consent to receive personal messages and offers from us. However, without your consent we will not be able to send you personal offers.
The processing of your data for the purposes that are specified above is based on your specific consent. You may at any time withdraw this consent by clicking the ‘unsubscribe’ link at the bottom of a received marketing email from us or by using the contact email address in paragraph 2 of this announcement. Before you go on board the cruise ship, we also register your interest in receiving special personal offers in your cabin.
If, for example, you are travelling with children, we will send you specific information about the events we are arranging for children on board. You may choose to not give such consent, although you will not receive personal messages in the cabin during your stay.
We will process your personal data based on our legitimate interest in informing you of the offers on board that are active during the cruise and that may improve your cruise experience.
Safety on board We maintain an overview of the people who are on board at all times in order to handle emergency situations and to ensure everyone’s safety throughout the entire cruise. Therefore, we register name, cabin number, photo (taken when you board), date of birth, travel companions and port of disembarkation and information regarding special needs that may require specific assistance in emergency situations.
For security reasons, we operate closed-circuit television (CCTV) cameras on board our ships, including at all access points and in all public spaces. These CCTV cameras record continuously, 24 hours a day. We may conduct screening of your personal data against publicly available databases to ensure safety on board our ships.
On some journeys, we request that you provide health information. This is for safety reasons, e.g., to prevent unadvised trips or to prevent infectious diseases on board.
We process such data to ensure public safety and to handle potential emergency situations.
Additional data processing activities on board Some additional information may be collected about you during a cruise to enable your participation in specific activities (e.g., the fitness studio or lectures). The data that are processed vary depending on the specific activity on board. However, we ensure that we only collect the data that are strictly necessary in order to achieve the specific purposes. You will be requested to fill out the form if you wish to receive the specific offer or event you have requested and we will process the data based on our contact with you.
Loyalty Programme We may process your Loyalty account data via a unique Ambassador ID containing information regarding points balance, account activity, cruise milestones, e.g., anniversary dates and Loyalty level. We store these details for you when you join our Loyalty Programme and update them when you credit bookings and other activity to your Loyalty account.
The Hurtigruten App If you choose to download the mobile phone application, we will collect your first name, last name, date of birth, phone number and email via the app, in order to customise the choices you make in our app.
5. International transfer of information
Our companies: Hurtigruten Group offers services worldwide and has branches and partners in all European countries, the Pacific Rim, Africa and South, Central and North America. Depending on from which country the booking was made and to provide you with specific services, we share information about you with the companies in our Group. All of the companies process personal data in compliance with the GDPR..
Sharing outside the EEA We have partners, branches, agents and cooperation partners located outside the EEA and may transfer information to them. We will ensure that your personal data are protected in an appropriate manner by the receiving party in these countries. Appropriate protection means e.g., ensuring that the receiving party is contractually obliged to ensure that they offer the same degree of data protection and information security as us. You may at any time request more information or to receive a copy of the security measures we utilise to ensure that your personal data are transferred in a legally justifiable manner.
Data sharing with port agents and authorities: As a travel operator, we are required to share information regarding our passengers with local port bureaus and authorities for immigration purposes. Data may also have to be shared in connection with special incidents, such as contact tracing. These data are shared and transferred based on the legal obligation Hurtigruten Group has in relation to the relevant authorities and only the necessary data are communicated.
6. Safety measures
We ensure that your personal information is protected against accidental or unlawful alteration or loss, or against unauthorized use, disclosure or access in accordance with our data security guidelines. To ensure such protection, we have implemented appropriate technical and organizational measures.
Awareness Training:We do regular security awareness training to help employees identify and avoid cyber-threats in the workplace. We also conduct mandatory privacy management training for all employees and conduct refresher training from time to time and following any highlighted data incident. This is done to reduce or limit the risk of human error and insider threats from causing data breach.
Third Party Management:To ensure that your data is appropriately protected when it is processed by a third party on our behalf, we have data processing agreements in place with all third-party suppliers which meet the requirements of either the General Data Protection Regulation or local Regulations (whichever provides the most protection for our customers). We look to implement the terms of our Data Processing Agreement wherever possible but, where we are required to agree to the terms provided by the third-party supplier, we undertake risk assessments, due diligence, suggest amendments and take all reasonable steps necessary to ensure that your data is covered by an equivalent level of protection. In all instances, we ensure that any third-party agreement meets the requirements of this policy.
Audit and Risk Assessment:we regularly assess our practices and systems to ensure that they are in compliance with this policy. Exceptions are reported internally and recommendations for improvements made.
7. Your privacy rights
You may at any time contact us if you wish to be granted access to or rectify your personal data. You may also request a copy of the information we have collected about you.
Access and data portability: You may at any time contact us if you wish to be granted access to your personal data. You have the right to receive personal data that you have provided to us in a machine-readable format.
Rectification or erasure: In principle, you have the right to request us to rectify incorrect data about you and request us to erase personal data about you. However, we are required to store the information that is required in order to fulfil our agreement with you, as well as information that is necessary in order to comply with relevant laws and rules or requirements from authorities
Complaints to the Norwegian Data Protection Authority: If you disagree with the manner in which we process your personal data, you may submit a complaint to the Norwegian Data Protection Authority. We appreciate it if you contact us first, so that we may clarify any misunderstandings.
Notification in the case of a Data Incident: Whenever we are made aware of an incident that has (or could) affect your personal data we will promptly investigate that incident and take any necessary remediation action to ensure that it doesn’t happen again. Where the incident constitutes a data breach that is likely to result in a risk to your rights and freedoms, we will report that breach to the appropriate regulator. If a data breach is likely to result in a high risk to your rights and freedoms, we will notify you of that breach without delay. Where we are required to report or notify you of breaches beyond those that represent a risk to your rights or freedoms, we will ensure that we comply with those regulations
10. Revision History
Amendment to sections 6 and 7, incorporation of section 10, addition of version control and new versioning.