Privacy Policy

This Privacy Policy explains how Irish Ferries ("we", "us", "our", or "the Company") collects, uses, stores, shares, and protects your personal data when you visit our website at irish-ferrles.com, make a booking, or otherwise interact with our services. We are committed to safeguarding your privacy and ensuring that your personal information is handled in a lawful, fair, and transparent manner in accordance with applicable Irish and European data protection law.

Please read this Privacy Policy carefully. By using our website or services, you acknowledge that you have read and understood this policy. If you do not agree with any part of this policy, please discontinue use of our website and services.

1. Who We Are

Irish Ferries is a ferry transport service operator based in Ireland. For the purposes of this Privacy Policy and applicable data protection legislation, Irish Ferries acts as the Data Controller in respect of personal data collected through our website and service interactions.

2. Legal Framework

We process your personal data in compliance with the following legislation and regulatory frameworks:

• General Data Protection Regulation (EU) 2016/679 (GDPR) — the primary European Union regulation governing the processing of personal data.
• Data Protection Acts 1988–2018 (Ireland) — the national legislation implementing and supplementing the GDPR in Ireland.
• ePrivacy Regulations (SI No. 336 of 2011) — Irish regulations governing electronic communications, cookies, and direct marketing.
• Network and Information Systems (NIS) Regulations — where applicable to our digital infrastructure.

The supervisory authority responsible for overseeing data protection compliance in Ireland is the Data Protection Commission (DPC), which can be contacted at www.dataprotection.ie.

3. What Personal Data We Collect

We collect and process various categories of personal data depending on your interaction with us. The categories are described below.

3.1 Personal Identification Information

When you register an account, make a booking, purchase a ticket, or contact us, we may collect:

• Full name (first name, last name)
• Date of birth
• Gender (where required for passenger manifests or regulatory compliance)
• Nationality and passport or national identity document details
• Contact details including email address, phone number, and postal address
• Username and password (stored in encrypted form)

3.2 Booking and Travel Information

• Travel itinerary details including departure and arrival ports, travel dates, and route preferences
• Passenger numbers and cabin or vehicle requirements
• Accessibility or special assistance requirements
• Vehicle registration details where applicable
• Booking reference numbers and travel history
• Loyalty programme or membership information

3.3 Payment Information

• Credit or debit card details (processed securely through our payment service providers; we do not store full card numbers on our own systems)
• Billing address
• Transaction history and payment confirmation records

3.4 Usage and Technical Data

When you visit our website, we automatically collect certain technical information, including:

• IP address
• Browser type and version
• Operating system and device type
• Pages visited and time spent on each page
• Referring URL and search terms used to find our website
• Click-stream data and navigation behaviour
• Time zone setting and language preferences

3.5 Cookie and Tracking Data

We use cookies and similar tracking technologies such as web beacons, pixels, and local storage objects. Please refer to Section 11 of this policy for more detailed information, and to our dedicated Cookie Policy available on our website.

3.6 Communications Data

• Emails, live chat transcripts, or other correspondence between you and our customer services team
• Records of complaints or enquiries made
• Survey responses and feedback forms

3.7 Special Category Data

In limited circumstances, we may process special category data (as defined under Article 9 of the GDPR), such as health or disability information provided for the purpose of arranging accessibility assistance onboard. We process such data only with your explicit consent or where otherwise permitted by law, and we apply enhanced security measures to its storage and handling.

4. How We Use Your Personal Data

We use the personal data we collect for the following purposes, each supported by a defined legal basis under the GDPR:

4.1 Service Provision and Contract Performance

Legal basis: Performance of a contract (Article 6(1)(b) GDPR)

• Processing your bookings, reservations, and ticket purchases
• Providing customer support and responding to enquiries
• Managing your account and loyalty programme membership
• Processing payments and issuing refunds where applicable
• Sending booking confirmations, itinerary updates, and travel-related communications
• Facilitating boarding procedures and passenger manifests as required by maritime regulations

4.2 Legal Compliance

Legal basis: Compliance with a legal obligation (Article 6(1)(c) GDPR)

• Complying with EU and Irish maritime safety regulations
• Providing passenger data to border control, customs, and immigration authorities as required by law
• Maintaining financial and accounting records in accordance with Irish company law and revenue requirements
• Responding to lawful requests from law enforcement authorities

4.3 Legitimate Business Interests

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)

• Improving our website functionality, user experience, and service quality
• Conducting internal analytics, research, and business reporting
• Detecting and preventing fraud, unauthorised access, and security threats
• Managing and protecting our IT systems and infrastructure
• Enforcing our Terms and Conditions and other contractual rights

4.4 Marketing and Communications

Legal basis: Consent (Article 6(1)(a) GDPR) or Legitimate Interests (Article 6(1)(f) GDPR) for existing customers

• Sending you promotional offers, special deals, and newsletters where you have opted in or where we have a legitimate interest as an existing customer
• Personalising content, recommendations, and advertising displayed to you
• Retargeting campaigns via third-party advertising platforms

You may withdraw your consent to marketing at any time by clicking the "unsubscribe" link in any marketing email, or by contacting us at [email protected].

5. Sharing Your Personal Data with Third Parties

We do not sell your personal data. However, we may share your data with third parties in the following circumstances:

5.1 Service Providers and Data Processors

We engage trusted third-party service providers who process personal data on our behalf under written data processing agreements, as required by Article 28 of the GDPR. These include:

• Payment processing companies (e.g., secure card payment gateways)
• IT hosting, cloud computing, and data storage providers
• Email and communications platform providers
• Customer relationship management (CRM) software providers
• Analytics and website performance tools (e.g., web analytics services)
• Marketing and advertising technology platforms

5.2 Port and Maritime Authorities

As a maritime operator, we are legally required to share passenger manifest data with relevant port authorities, coast guard services, and border control agencies in Ireland, the United Kingdom, France, and other relevant jurisdictions where our services operate. This processing is carried out in compliance with applicable maritime safety regulations and EU directive requirements.

5.3 Legal and Regulatory Authorities

We may disclose your personal data to law enforcement bodies, regulatory agencies, courts, or other public authorities where required to do so by applicable law, court order, or to protect the rights, property, or safety of Irish Ferries, its customers, or the general public.

5.4 Business Transfers

In the event of a merger, acquisition, corporate restructuring, or sale of all or part of our business assets, your personal data may be transferred to the relevant acquiring or successor entity. We will notify you of any such transfer and ensure appropriate protections are in place.

5.5 Professional Advisors

We may share personal data with our legal advisors, accountants, insurers, and auditors where necessary for the conduct of our business operations, subject to obligations of professional confidentiality.

6. International Data Transfers

Some of our service providers and technology partners may be located outside the European Economic Area (EEA). Where we transfer personal data to countries that have not been deemed by the European Commission to provide an adequate level of data protection, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) — approved by the European Commission under Article 46(2)(c) GDPR
• Adequacy decisions — relying on transfers to countries or territories recognised as providing adequate protection
• Binding Corporate Rules (BCRs) — where applicable within corporate group transfers

You may request a copy of the safeguards we have in place for international transfers by contacting us at [email protected].

7. Data Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect your information against unauthorised access, accidental loss, destruction, alteration, or disclosure. Our security measures include:

• Encryption: All data transmitted between your browser and our servers is protected using industry-standard TLS (Transport Layer Security) encryption. Payment data is processed over encrypted connections.
• Access Controls: Access to personal data is restricted on a strict need-to-know basis. All staff with access to personal data undergo data protection training and are bound by confidentiality obligations.
• Password Security: Account passwords are stored using secure one-way hashing algorithms. We do not store plaintext passwords.
• Firewalls and Intrusion Detection: Our IT infrastructure is protected by enterprise-grade firewalls, intrusion detection systems, and regular vulnerability assessments.
• Regular Security Audits: We conduct regular internal and external security assessments and penetration testing of our systems.
• Data Minimisation: We collect only the personal data necessary for the purposes described in this policy.
• Incident Response: We maintain a documented data breach response procedure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours as required by Article 33 GDPR, and affected individuals where required under Article 34 GDPR.

Please note that no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data using commercially acceptable means, we cannot guarantee absolute security.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention periods are set out below:

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in accordance with our Data Retention and Disposal Policy.

9. Your Rights Under Data Protection Law

Under the GDPR and the Data Protection Acts 1988–2018, you have the following rights in relation to your personal data. You can exercise any of these rights by contacting us at [email protected]. We will respond to all verified requests within one calendar month of receipt (with a possible extension of a further two months for complex or numerous requests, of which you will be notified).

9.1 Right of Access (Article 15 GDPR)

You have the right to request a copy of the personal data we hold about you, along with information about how it is being processed. This is known as a Subject Access Request (SAR). There is no charge for making a SAR, unless a request is manifestly unfounded or excessive.

9.2 Right to Rectification (Article 16 GDPR)

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you without undue delay.

9.3 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)

You have the right to request the deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where the data has been unlawfully processed. This right is not absolute and may be subject to legal retention obligations.

9.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where you have objected to processing pending verification of legitimate grounds.

9.5 Right to Data Portability (Article 20 GDPR)

Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller.

9.6 Right to Object (Article 21 GDPR)

You have the right to object to the processing of your personal data where it is based on our legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing your data for that purpose immediately and without exception.

9.7 Rights in Relation to Automated Decision-Making (Article 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you, unless such processing is necessary for a contract, authorised by law, or based on your explicit consent.

9.8 Right to Withdraw Consent

Where we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

10. Complaints to the Data Protection Authority

If you believe that we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with the Data Protection Commission (DPC), which is the Irish supervisory authority for data protection matters.

We would, however, appreciate the opportunity to address your concerns before you approach the DPC, and we encourage you to contact us in the first instance at [email protected].

11. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyse website traffic, and deliver personalised content and advertising. A cookie is a small text file stored on your device when you visit a website.

11.1 Types of Cookies We Use

• Strictly Necessary Cookies: Essential for the operation of our website and cannot be switched off. They include session management, security, and load balancing functions.
• Performance and Analytics Cookies: These help us understand how visitors interact with our website by collecting anonymous statistical information.
• Functional Cookies: These remember your preferences (such as language and region) to provide a personalised experience.
• Targeting and Advertising Cookies: These are used to deliver relevant advertisements and track the effectiveness of our marketing campaigns.

In accordance with the ePrivacy Regulations (SI No. 336 of 2011) and the GDPR, we request your informed consent before placing non-essential cookies on your device. You may manage or withdraw your cookie consent at any time via our Cookie Preference Centre available on our website.

For full details about the cookies we use, their purposes, and how to manage them, please refer to our dedicated Cookie Policy.

12. Children's Privacy

Our website and services are intended for use by individuals who are 18 years of age or older. We do not knowingly collect personal data from children under the age of 18. If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at [email protected] and we will take prompt steps to delete such information.

Where passengers under the age of 18 are travelling as part of a family booking, personal data related to minors is collected and processed solely for the purpose of fulfilling the travel booking and complying with legal obligations. Such data is processed under the responsibility of the adult account holder or guardian who made the booking.

We do not direct any marketing or promotional communications to individuals under the age of 18, and we do not build profiles of or conduct automated decision-making in relation to minors.

13. Links to Third-Party Websites

Our website may contain links to third-party websites, plug-ins, and applications, including social media platforms, travel comparison websites, and partner booking systems. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every website you visit.

14. Direct Marketing

We may contact you with information about products, services, offers, and promotions that we believe may be of interest to you. We will only send you direct marketing communications where:

• You have given us your explicit consent to do so; or
• You are an existing customer and the marketing relates to similar goods or services to those you have previously purchased from us, and you have been given a clear opportunity to opt out (the "soft opt-in" rule under the ePrivacy Regulations).

You can opt out of receiving marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email we send you;
• Updating your communication preferences in your online account settings; or
• Contacting us at [email protected].

Please allow up to 10 business days for your opt-out request to take effect across all our systems.

15. Profiling and Automated Decision-Making

We may use automated tools and profiling techniques to analyse your browsing behaviour, booking history, and preferences in order to provide personalised content, targeted marketing, and improved service recommendations. We do not make any decisions with legal or similarly significant effects on you based solely on automated processing without human review, except where this is required by law or where you have given your explicit consent.

You have the right to object to profiling for direct marketing purposes at any time. If you have concerns about profiling activities, please contact us at [email protected].

16. Changes to This Privacy Policy

We review and update this Privacy Policy periodically to reflect changes in our data processing practices, legal requirements, or business operations. When we make material changes to this policy, we will notify you by posting the updated policy on our website and updating the "Last Updated" date at the top of this page. Where required by law, we will provide more prominent notice or seek your renewed consent.

We encourage you to review this Privacy Policy regularly to stay informed about how we are protecting your information. Your continued use of our website and services after any changes to this policy constitutes your acceptance of the updated terms.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please do not hesitate to contact us. We are committed to addressing your queries promptly and transparently.

When contacting us about a data protection matter, please include sufficient information to allow us to identify your account or query, including your name, email address on record, and a description of your request. We will acknowledge your query within five business days.