1. Scope Of Application

The purpose of this policy is to present the commitments of Pluris Investments S.A. (hereinafter referred to as PLURIS or the Group¹) in relation to the management of the privacy and protection of the personal data of the data subjects whose processing is its responsibility and to respond to the requirements of the General Data Protection Regulation² and the respective national implementing legislation³.

It is also intended to demonstrate how personal data will be processed in the context of the activity carried out by the Group and its employees, through the definition of internal rules that comply with the requirements of the Regulation, namely, legitimacy, processing and conservation.
All personal data will be processed and managed under the terms of this policy in conjunction with the Information Security Policy, taking into account a completed and up-to-date inventory of such personal data.

2. Roles and responsibilities

The Management of Pluris will ensure that this policy is aligned with the Group’s strategy, in order to ensure its continuous improvement with regard to information security and privacy.
The Data Protection Officer (DPO) is responsible for ensuring compliance with the requirements of the Regulation in a continuous and systematic manner, that all the rights of the data subjects are being complied with and that the appropriate security controls are operationalized for the purposes defined herein.
The Management of PLURIS designates and assigns to the Data Protection Officer (or “DPO”) the roles and responsibilities described above in relation to all companies in the Group.
All employees of the Group, as well as its subcontractors – as applicable to them – have the responsibility to collaborate with, comply with and enforce the commitments of this policy.
In the case of river and seagoing ships, there is also the definition of a “Local DPO” per ship, whose mission is to exercise the functions of a local DPO when the ships are in a cruising situation, and which will act in accordance with the rules of this policy.

1 Group shall be understood as all companies that are invested, directly or indirectly, in at least 10% of their share capital by the company Pluris Investments, S.A.
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and subsequent amendments.
3 Law no. 58/2019, of 8 August (and its subsequent amendments) which ensures the implementation of the General Data Protection Regulation in the national legal system.

3. Data subjects

For the execution of its activities and associated processing purposes, personal data from the following sources are collected by Pluris:

  • Corporate Contract Clients
  • Customers registered through web tools
  • Customers by Ticketing Acquisition
  • Internal employees and contracted service providers
  • Suppliers and service providers
  • Visitors to physical or nautical facilities

4. Guarantee of confidentiality and privacy of personal data

The personal data identified in this Policy will be processed by Pluris as the entity responsible for the processing of personal data.
In order to guarantee the confidentiality and privacy of the data, the Group ensures that it will only be accessed by employees formally authorized to perform their duties.
The responsibilities of each employee in matters of Security, Privacy and Protection of Personal Data are detailed in the contracts signed with Pluris, including the confidentiality and secrecy obligations by which they are bound.

5. Identification of the person responsible for the processing of personal data

The person responsible for the processing of personal data is Pluris Investments, S.A., with registered office at Rua de Miragaia 103, 4050-387, Porto, Portugal, and legal person registration number 508 767 881.
The PLURIS group leads a group of companies to which the responsibilities and obligations arising from this Policy are applicable.

6. Data protection impact assessment

In cases where data processing operations are likely to result in a risk whose level is not accepted by the Group, PLURIS will carry out, before the start of processing, an impact assessment with the aim of identifying and treating those risks.

7. Collection, Processing, Sharing and Retention of Personal Data

a) Collection of personal data

1. For situations that don’t involve web tools

Personal data is collected directly in the following ways:

  • Spontaneous applications or response to job offers with Curriculum Vitae sharing
  • Filling out paper forms
  • Capture of images and videos in fixed installations and on board sea or river vessels
  • Biometric data
  • E-mail
  • Telephone (in the case of employees)
  • In the purchase of tickets, marketing products or other materials purchased in physical stores or on Group ships, including catering services

Personal data may be collected indirectly in the following ways:

  • Import of the content of the Curriculum Vitae for the human resources registration record.
  • Data import with shared responsibility with contracted business partners
  • Marketing outlets, catering services, or the like
  • Job Seeker Screening Companies
  • Medical service companies
  • Life Insurance Service Companies

The collection of sensitive personal data will only be carried out in cases that are strictly necessary and justifiable by the activity carried out by PLURIS and its Group and in accordance with the legislation in force.

2. For situations involving web tools

Personal data is collected directly through the organization’s official web tools, namely online shopping websites, or indirectly through marketing automation and online advertising tools from duly authorized subcontracting partners and in full compliance with our personal data privacy management policy.

Indirect collections may also occur through subcontracting partners regarding the placement of orders, namely, the acquisition of ticketing for access to exhibitions or company services.

The cookie management policy complements this theme by presenting the “opt-in” and “opt-out” options that are available for this component of the websites.
The holder of personal data may also “opt-out” of online advertising services on social tools, namely Facebook, Google Ads, Instagram and LinkedIn.

Pluris guarantees that no manual or computerized form will have pre-filled options, and all alternatives will be selected by the data subject.

Personal data will be collected on the basis of the legal grounds set out in this policy and in compliance with the principle of minimisation.

b) Processing of personal data

1. For situations that don’t involve web tools

There will be no use of personal data for the purpose of creating and using sales profiles or indicators of products, regions or trends.

2. For situations involving web tools

Such activities include:

c) Sharing of personal data

1. For situations that don’t involve web tools

In addition to the sharing purposes described below, no other purposes may be carried out, unless previously and expressly authorized by the Data Protection Officer.

Purposes arising from the activity of Pluris Investments, S.A. and the companies of its Group, inter alia:

– Social security;
– Communication with Tax Authority, Customs or other legal entities;
– Communication of complaints or privacy violations;
– Communication with the DPO;
– Port security and immigration control;
– Labour registration & payroll;
– Issuance of the medical certificate for maritime or similar purposes;
– Compliance with registration and union obligations;
– Creation and registration of insurance policy;
– Compliance with tax and customs obligations.

Personal data may be shared with subcontracted entities for the purposes referred to above, under the terms of the contracts entered into with them. Pluris only uses processors that ensure, in accordance with the law, the implementation of appropriate technical and organizational measures for the protection of your data through subcontractor agreements, thus ensuring the defense of your rights under the applicable data protection law.
The sharing of data classified as sensitive will only be carried out with legal entities, partners, medical service providers and the like.
As a rule, this data sharing will take place within Europe.
There are specific situations that require the sharing of data for entities outside the European space, namely:

  • With port authorities: for the purposes of security and immigration control on seagoing cruise ships, in accordance with the applicable legal provisions.
  • With Group companies: to support activities of legitimate interest, ensuring the minimization of the processing of personal data

2. For situations involving web tools

In addition to the sharing purposes described below, no other purposes may be carried out, unless previously and expressly authorized by the Data Protection Officer.

Purposes arising from marketing, electronic payments and other services involving the use of electronic tools:

– Conducting advertising campaigns;
– Advertising in virtual places such as Google Ads, Facebook, Instagram and LinkedIn;
– Operational needs in the interconnection with HiPay, PayPal and other electronic payment gateways using credit cards;
– Sending news, campaigns and personalized offers to the customer.

Data is shared with formally authorized subcontractors for digital marketing purposes, and the personal data involved in these shares are subject to the consent of the respective owner, with the possibility of opt-out at any time.

These shares may give rise to data transfers outside the European area, in the case of segmentation of digital marketing campaigns with intercontinental subcontracting partners. In these cases, the organization will take care to implement security controls appropriate to each risk situation identified, as well as to guarantee the unconditional exercise of the data subjects' rights and compliance with all the requirements of the General Data Protection Regulation.

d) Retention of personal data

The period of time for which personal data will be stored varies according to the purpose for which the data is processed.

Retention is understood as the secure storage of data, in digital or paper format, ensuring the conditions of access management to guarantee confidentiality, integrity, availability of information and non-repudiation, as well as its preservation in the appropriate conditions of use according to the defined time.
Legal requirements requiring the retention of personal data for a minimum period for each purpose will be complied with.
Where such a minimum period is not imposed, personal data will be kept only for the period strictly necessary for the pursuit of the purposes for which the data were collected or are subsequently processed or, if and when applicable, for the period determined by the competent data protection authority, after which the data will be permanently deleted in secure mode.

8. Use & Purpose of Cookies

Cookies are used to personalise content and advertisements according to the characteristics of the visitor, interact with social media features, analyse website traffic, as well as support implemented security controls.

Depending on the choices of the visitor to the pages of the websites, data may be shared with our social media partners, for advertising purposes, for traffic analysis and navigation through the pages of the websites and social media tools within the scope of this policy.
Under no circumstances will personal data be collected through cookies.

a) Types of Cookies:

Cookies are text files that can be used by websites to make the user experience more efficient.

In accordance with the legislation in force, cookies may be stored and operated on the equipment from which the visitor accesses the website if they are strictly necessary for the operation of the website.
For all other types of cookies, we allow the personal data subject to exercise their right to informed consent.
Some cookies may be installed automatically by our business partners, always in a way that is explicit to the visitor.

b) Websites may use the following types of cookies:

Ba) Required
Necessary cookies support the execution of basic functions such as navigation between pages and their traceability.
It is important to note that the website may not function properly without these cookies, and as such, they are considered fundamental and justified.

Bb) Statistical or Functional
Statistical cookies help the website operator to understand how the visitor interacts with the pages that compose it, collecting and processing information anonymously.

Bc) Marketing
Marketing cookies are used to track the visitor’s access to and sequence of page usage.
They allow the advertisements or other marketing materials displayed to be personalized so that they are relevant and appealing to the visitor, making the browsing experience more personalized and dynamic.

The visitor to the website, and as such a holder of personal data, must select, in each box available, the type of cookies he authorizes.
By clicking on the “I accept” button, you acknowledge the acceptance of this cookie policy and the confirmation of authorization for the type of cookies selected.

9. Holders' rights

Data subjects will be guaranteed the conditions to exercise their rights provided for by the General Data Protection Regulation.
The Data Protection Officer appointed by the Group will be involved in all issues related to the protection of personal data, and all questions that the holders of personal data deem necessary should preferably be put in writing through the email address dpo.mysticinvest@mysticinvest.com.
If the data subject wishes to file a complaint or report a privacy violation, the data subject may communicate via the email address complaint.mysticinvest@mysticinvest.com or directly with the supervisory authority of their choice.
Alternatively, the data subject will have at his/her disposal a web communication portal, where he/she can carry out all the interactions mentioned above and obtain information about the processing of such requests.
Following the registration of a complaint or breach of privacy, the Group undertakes to inform the data subject of each step and progress in the process of filing a complaint, without prejudice to compliance with the deadlines defined by the Regulation.

10. Review and continuous improvement

This policy will be reviewed annually, or whenever there are significant changes in the inventory of personal data and/or in the computer or documentary media.

Each of these revisions will give rise to a new version of this document.

11. Dissemination and publication

The Privacy Management Policy is classified as publicly accessible information (cf. Information classification policy) and will be available for consultation through the Internet, on the institutional website, on the Internet tools that support the business and on the Group’s social networks.
During the onboarding process, new employees will be made aware of this Policy, and their participation in the training and awareness actions on security, privacy and personal data protection that form part of the onboarding process is mandatory.
After publication and dissemination of the policy, employees are obliged to:

➢ Protect the information assets in their charge;
➢ Collaborate in the management of their risk;
➢ Report any event that may jeopardize the security of information;
➢ Comply with and enforce this policy.

Employees may consult this Policy at any time through the document management platform of the group’s internal network.

Entities/employees who, for reasons inherent to their function, do not have access to the platform will be made aware of this policy by having it shared with them in the format appropriate to each case.

12. Term of the Policy

This policy has been approved by the Board of Directors of the Pluris Group and becomes effective on the date it is published.

Any subsequent changes will be effective immediately upon their posting.