Facial Recognition Privacy Notice
Please click here to download the pdf versionPlease carefully read this information notice, which provides relevant information on the processing of personal and biometric data of passengers adhering to the identity verification system based on facial recognition, designed to enable a smoother and faster transit of passengers during embarkation and disembarkation procedures.
Please note that the information provided in this privacy notice (“Facial Recognition Privacy Notice”) applies only to passengers who have requested to perform embarkation and disembarkation procedures through the Fast Lane at the terminal, which involves the use of the facial recognition system, subject to prior consent to the processing of biometric data. Information about the processing of your data for purposes that do not involve the use of facial recognition technologies is available in our Privacy Notice.
1. Who we are
MSC Cruises S.A., headquartered in Avenue Eugène-Pittard 16, Geneva, Switzerland, registered for tax purposes under number 060.667.071 (CHE- 112.808.357) (the “Data Controller”, “MSC Cruises”, “we” or “us”), is the data controller for the processing activity described in this privacy notice and is committed for the fair processing of passengers’ personal data.
Please be informed that we have appointed MSC Procurement & Logistics SPA (Via Balleydier 7N 16149, Genova, Italy) as our representative in the European Union.
To get in touch with our Data Protection Officer (“DPO”) please write an e-mail to
dpo@msccruises.com or send your requests in writing to Avenue Eugène-Pittard 16, Geneva, Switzerland; in that case, please specify “For the Attention of the Data Protection Officer” on the envelope.
2. What data we process, where we collect it and how we process it
To enable passengers to enroll in the embarkation and disembarkation process through facial recognition technology, MSC Cruises processes the following categories of personal and biometric data. These data are provided directly by the passenger, by a third party (e.g., a travel agency or co-traveler booking the cruise or performing check-in on behalf of other passengers), or collected from devices used to perform check-in or through kiosks located at the terminal. Below is an overview of the various steps to provide an understanding of how the entire process works:
A) Pre-Cruise Phase
The first step of the process is the pre-cruise check-in, which can be completed through two channels: the MSC for Me application or the MSC website related to the booking. Starting from 30 days before departure and up to two days prior, guests can check in for their cruise through both channels. During check-in, guests are required to provide their relevant travel documents, a security picture, as well as travel information.
NB: At this stage, no biometric data processing is conducted. Instead, guests are requested to provide their consent for biometric data processing, which will occur later upon their arrival at the terminal to facilitate a faster boarding process.
Personal Data Processed:
- Identity and Contact Data: Including all information available on the ID/passport, emergency contacts, address, etc.
- Booking and Traveling Information: E.g., passport/ID details, visas, date of travel, port of departure and port of destination, journey dates, etc., necessary for standard checks during boarding and disembarkation procedures.
- Security Picture: Used for passenger identification at various stages of the cruise, such as at the terminal during boarding and when embarking and disembarking at the port of call.
B) Embarkation Phase
Guests who consented to biometric processing during pre-cruise check-in can proceed to the Totem (self-service check-in station) at the terminal. In this phase, the guest scans their passport on the reader, and the Totem verifies if the provided document number matches the expected passenger list. The Totem reads the data from the passport chip, including the guest’s picture, which is analyzed to detect unique facial features. These features are measured and transformed into a biometric template (face vector/print) — a numerical code that does not allow the original image to be reconstructed. The passenger is then prompted to take a selfie, in which their biometric template is compared with the passport photo. If the comparison is successful, a Digital Identity Token (DIT) (i.e., hashed token containing only pseudonymized data) is created, allowing the guest to proceed to the e-gate.
During embarkation at the e-gate, the guest takes another selfie to verify their DIT and confirm that they are on the passenger list for the specific trip. No passport scan is needed at the e-gate. Similarly, upon disembarkation, the passenger can approach the e-gate to be automatically recognized as described above by taking a selfie at the Totem. This specific processing during disembarkation falls outside the controllership of MSC Cruises, as the local authority remains the controller for immigration processes. If the selfie is successfully verified, the gate will open and allow the guest to proceed. Otherwise, the guest will be directed to a patrol officer for manual processing.
Personal Data Processed:
- Face Image: Biometric template derived from the face image and the passport scan (biometric template of the passport photo) to perform the match.
3. Why we process your personal data and legal basis of the processing activities
By providing your consent, you allow MSC Cruises to process the data mentioned in the section above for the purpose of performing identity verification through facial recognition technology in order to carry out the usual checks as part of check-in, embarkation and disembarkation procedures.
Please also be informed that you can withdraw your consent at any time, through the “Terms and Conditions and Privacy” section on the MSC4ME App,that you can access via the link in the footer of the web check-in page, or by writing to dpo@msccruises.com. However, please consider that if you withdraw your consent, we will not be able to let you take advantage of the facial recognition technology during check-in, embarkation and disembarkation procedures.
Importantly, biometric data and other sensitive data collected through facial recognition technologies is only processed for the business purposes outlined in this Facial Recognition Privacy Notice where the information is reasonably necessary and proportionate to the use: (a) to perform certain services, such as verifying identification and other information; (b) to verify or maintain the quality or safety of our services; (c) to provide or perform our services as reasonably expected by our customers; and/or (d) to resist malicious, fraudulent, or illegal actions or to ensure physical safety. MSC Cruises does not use biometric data or other sensitive data for commercial purposes.
More information about the processing of your data for purposes that do not involve the use of facial recognition technologies is available in our
Privacy Notice.
4. How long we store the data
The personal data that we collect is kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are collected and processed, and in any case not longer than as specified by the relevant applicable laws. Please note that your DIT/ biometric template is retained for a period of 48 hours after embarkation, after which it is deleted.
More information about the retention of your data for purposes that do not involve the use of facial recognition technologies is available in our Privacy Notice.
5. Categories of data recipients
a. Companies of our group
Depending on the country where the booking is made from, we may share information about you with the group companies of MSC Cruises. All companies are processing the personal data in compliance with the GDPR.
b. Data sharing with port agents and authorities
As a travel operator, we need to share some information about our passengers with local authorities for immigration purposes. In this regard, for the purpose of facilitating your security screening process at the terminal, the information collected to allow you to take part of our cruise may also be communicated to the United States (US) Customs and Border Protection (CBP) system to promptly notify of the arrival of the departing passenger before he or she reaches the boarding point (when exiting the US border) and to expedite the related required checks during the U.S. entry and exit process. These data are shared and transferred based on the legal obligation that MSC Cruises has in relation to the provision of information to the relevant authorities.
c. Third parties
To enable you to take advantage of facial recognition technology in the check-in, embarkation and disembarkation procedures, and in general to provide our services, we engage third parties (e.g. service providers, consultants) that may perform certain data processing activities on our behalf and under specific data protection obligations.
6. Transfers of data outside the EEA
The sharing of data with the third parties mentioned above may involve international transfer of data (e.g., from inside the EEA towards the United States). Please note that MSC Cruises takes appropriate safeguards to ensure that any transfer performed complies with applicable data protection regulations, in particular the provisions of the GDPR, as it is carried out, for example, on the basis of an adequacy decision of the European Commission, or on the basis of Standard Contractual Clauses ("SCC") approved by the European Commission.
In any case, kindly note that even if you consent to biometric processing, your personal data is not internationally transferred outside the country in which the biometric data itself is collected and stored directly at the terminal where you will embark on your journey.
7. Your data subject rights
a) The right to access your personal data and obtain specific information about how we process it.
b) The right to rectify (update or change) your personal data if that is not accurate anymore.
c) The right to obtain the erasure of personal data concerning you, unless the data is necessary for any justified reasons provided for by the law.
d) The right to obtain the restriction of the processing of your personal data, which right may be exercised only in certain cases.
e) The right to data portability. You may exercise this right in those cases where the processing is based on your consent or on your contractual relationship with MSC Cruises or one of the companies of our group, and the processing is carried out by automated means.
f) The right to object, at any time, to the processing of the personal data concerning you. You may exercise this right where the processing is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in us, or where the processing is based on our legitimate interests.
g) The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or which similarly significantly affects you.
h) The right to lodge a complaint with a supervisory authority.
More information about your rights as a data subject, particularly about their requirements and possible limits, can be found in our Privacy Notice.
To exercise your data subject rights, you can send your request to the Data Controller at the e-mail address dpo@msccruises.com.
Requests may also be sent in writing to MSC Cruises S.A., Avenue Eugène-Pittard 16, Geneva, Switzerland; in that case, please specify “For the Attention of the Data Protection Officer” on the envelope.