Part of the
Hurtigruten Group

Privacy Policy for HX – Hurtigruten HX Expeditions

Introduction 

Your privacy is important to us at HX – Hurtigruten HX Expeditions (hereafter HX) and we are concerned with safeguarding your personal data.

We process personal data about you when you travel with HX. In order to offer you a great experience, we collect personal data from you on different occasions, e.g., when you travel with us, use our services, visit our website or mobile phone applications or otherwise interact with us. All information that HX processes about you is information that you have personally provided. We do not collect data from other sources.

We want you to understand how we use your personal data, how we protect them and what rights you have. Therefore, this Privacy Policy describes:

  • what data we collect about you

  • why they are collected

  • how we use, share and secure these data and 

  • your choices regarding use, access and rectification of your personal data.  

We encourage you to read this interim Privacy Policy.

Data Controller 

Under the transitional arrangements, HX is Data Controller in respect of all personal data held in relation to HX business. HX holds this data independently of the Hurtigruten Group of Companies (hereafter Hurtigruten). HX shares data with Hurtigruten in accordance with the terms of a Data Sharing Agreement. IN addition, HX works with several providers including government agencies, medical personnel, other business partners and providers, and may share personal information if:

  • we have a legitimate reason

  • it is permitted by law, or

  • you have given your consent  

Hurtigruten HX Expeditions offers services worldwide and has branches and partners in all European countries, the Pacific Rim, Africa and South, Central and North America. Depending on from which country the booking was made and to provide you with specific services, we share information about you with the companies in our Group. All of the companies process personal data in compliance with the GDPR.

2024 Transitional Arrangements

As we proceed through the process of separation of Hurtigruten and HX, we have certain transitional arrangements in place in relation to your personal data. If you provided Data to Hurtigruten prior to the publication of this policy, that Data was provided to the Hurtigruten Group under the terms of their Privacy Policy. Hurtigruten Group has opted to share all Customer Data with HX in line with the terms of that Policy. These transitional arrangements will remain in place until the end of 2024.

What Data do we collect about you and for how long do we store them?

HX stores the personal data we collect in a manner that allows for identification of you for as long as is necessary for the purposes for which the personal data are collected and processed in each individual case and in any case no longer than as specified by applicable laws.

How long do we store data about you depends on, among other things:

  • when you booked your ticket

  • when you travelled

  • statutory storage requirements in different countries

  • whether you have given your consent

We have guidelines for the storage of personal data. These determine how long we store personal data and what personal data we process.  

We store your personal data for as long as is necessary to fulfil the purposes that are described in this Privacy Policy. This mainly entails the following: 

Identity and contact information, including name, address, phone number, email address, sex, date of birth and nationality.

You provide us with these data if you book a trip, register to receive our newsletter, join our Loyalty Programme or use our digital platforms or interact with our social media accounts (including by participating in competitions) or if you are in contact with our customer service centre. All information we have about you is information you have personally provided. We do not collect data from other sources.

We store this information from and including the time of booking and until 5 years after your trip has ended or until your consent has been withdrawn.

We may store your personal data for longer if you want us to store them for your next trip and you have given your consent to do so.

Upon registering via HX’s portal, the information you have provided in the portal will be stored for as long as you are registered as a user of this portal.

Passport information, including photo of face upon boarding one of our ships. 

When you book a trip with us you provide information regarding valid travel documents and visas, where this is relevant. We process this information in order to comply with statutory requirements in the ports of call. We may also take a photo of your face upon boarding our ships for security reasons, as described below. We process this information in order to comply with statutory requirements in the ports of call.

All information we have about you is information you have personally provided. We do not collect data from other sources.

We store this information from and including the time of booking and until 90 days after your trip has ended or until your consent has been withdrawn. In some circumstances, we may be required to store the data for longer in according with legislation.

Information regarding next of kin 

For security reasons, we ask that you provide contact information for next of kin on some of our trips. We are only in possession of information about you that you have provided and do not collect data from other sources.

We store this information from and including the time of booking and until 90 days after your trip has ended or until your consent has been withdrawn.

Transaction data - Transaction information including credit and debit card information, payment method and purchase history

In order to process payments and invoicing when you make a purchase, either in connection with a trip or products and services such as land excursions, we will process your payment information to process the transaction.

We store payment method for up to 5 years. All other transaction data and financial data are stored for up to 10 years or in accordance with local bookkeeping rules.

Payment information and activity information, including information relating to booked trips and excursions, flight bookings, hotel bookings, travel itinerary, travel companies, activities you have participated in while on a trip with us etc.

All data relating to bookings and activity information are collected when you make a booking or purchase with us. We are only in possession of information about you that you provide and do not collect data from other sources.

We store information regarding destination and travel date for up to 5 years. In some circumstances, we may be required to store the data for longer in according with legislation.

Communication between you and us including recordings of conversations with our customer service centres, email correspondence, chat, comments and reviews that are collected through surveys or that you have published on our channels or on social media.

We maintain an overview of communication between you and us in order to be able to respond to your enquiries, to maintain good service and to fulfil our agreement with you. We are only in possession of information about you that you have provided and do not collect data from other sources.

We store your communication with us for up to 5 years, or for as long as is required by local legislation, so that we may process possible claims or enquiries from you.

Digital information, including IP address, browser data, communications data, booking history, conduct on social media or user pattern. If you subscribe to our newsletters, we may collect data regarding what newsletters you open, your location when you open them and whether you use possible links in the newsletters.

We collect data about you when you use our website, mobile phone applications and other digital platforms in order to provide you with the best possible experience and to understand what you might be interested in. It is your device that provides us with this information, whether you are logged into your account or have accepted cookies. When you visit our digital platforms and use our services, this entails that we have to identify you (e.g., when you book a cruise, log into your account, when you want us to identify you as a member of our Loyalty Programme and when we need to remember your preferences).

We store such information for 6 months or until consent is withdrawn.

Health information, including information regarding allergies, disability or medical conditions.

You provide these details if you are informing us of medical conditions upon making a booking with us, checking in for a cruise, visiting our medical facilities during a cruise and/or registering for an excursion, trip or entertainment on board the cruise. We receive such information via a self-declaration form that you fill out. For some trips, we have simple forms wherein we collect information to prevent the spread of infectious diseases on board (e.g., COVID-19 or the flu). For security reasons, we have more comprehensive forms for some expedition cruises. At times, it may be necessary to perform certain examinations, such as screening for symptoms of disease, temperature measurement, testing for COVID-19 and contact tracing. We are only in possession of information about you that you provide and do not collect data from other sources.

We store this information from and including the time of booking and until 24 months after your trip has ended. In some circumstances, we may be required to store the data for longer in according with legislation.

Recordings from video surveillance 

For security reasons, we operate closed-circuit television (CCTV) cameras on board our ships, including at all access points and in all public spaces. More on this in point 4 (e)

We store recordings from video surveillance for up to 30 days. If we believe it is necessary to hand over recordings from video surveillance to the police – e.g., when a criminal offence has been committed – we may store the recordings for up to 90 days.

How do we have the right to process your data?

Legitimate Interests

If you book an expedition with HX, we will thereafter continue to rely on our legitimate interests in providing you with information about similar products and services that we can provide to you whilst we hold your data. You can ask us to stop providing you with this information at any time.

General Consent

Where you provide your consent to us to use your personal data, we shall use that data for marketing and other purposes and will share that data with other like-minded organisations. You can withdraw your consent at any time.

Explicit Consent

Where you have provided us with your clear, unambiguous and freely given consent to process data which reveals your racial or ethnic origin, your political opinions, your religious or philosophical beliefs, your trade union membership, your genetic data, your biometric data, your health data or data that concerns your sex life or sexual orientation as this data constitutes special category data protected under Art. 9 of the GDPR.

Contractual Necessity

Where you book an expedition with HX, we will process your data in order to provide you with important information relating to your trip both prior to and throughout the course of your expedition.

Exercise or defence of legal claims

Where HX has to process your data either to bring a legal claim or to take steps to defend itself.

International transfer of information

Sharing outside the EEA

Both HX and Hurtigruten have partners, branches, agents and cooperation partners located outside the EEA and may transfer information to them. We will both ensure that your personal data are protected in an appropriate manner by the receiving party in these countries. Appropriate protection means e.g., ensuring that the receiving party is contractually obliged to ensure that they offer the same degree of data protection and information security as us. You may at any time request more information or to receive a copy of the security measures we utilise to ensure that your personal data are transferred in a legally justifiable manner.

Data sharing with law enforcement authorities: As a travel operator, we are required to share information regarding our passengers with local port bureaus and authorities for immigration purposes. Data may also have to be shared in connection with special incidents, such as contact tracing. These data are shared and transferred based on the legal obligation Hurtigruten has in relation to the relevant authorities and only the necessary data are communicated.

Safety Measures

We ensure that your personal information is protected against accidental or unlawful alteration or loss, or against unauthorized use, disclosure or access in accordance with our data security guidelines. To ensure such protection, we have implemented appropriate technical and organizational measures.

Awareness Training: We do regular security awareness training to help employees identify and avoid cyber-threats in the workplace. We also conduct mandatory privacy management training for all employees and conduct refresher training from time to time and following any highlighted data incident. This is done to reduce or limit the risk of human error and insider threats from causing data breach.

Third Party Management: To ensure that your data is appropriately protected when it is processed by a third party on our behalf, we have data processing agreements in place with all third party suppliers which meet the requirements of either the General Data Protection Regulation or local Regulations (whichever provides the most protection for our customers). We look to implement the terms of our Data Processing Agreement wherever possible but, where we are required to agree to the terms provided by the third party supplier, we undertake risk assessments, due diligence, suggest amendments and take all reasonable steps necessary to ensure that your data is covered by an equivalent level of protection. In all instances, we ensure that any third party agreement meets the requirements of both this policy and both the EU and UK Standard Contractual Clauses.

Audit and Risk Assessment: we regularly assess our practices and systems to ensure that they are in compliance with this policy. Exceptions are reported internally and recommendations for improvements made.

Your Privacy Rights

You may at any time contact us if you wish to be granted access to or rectify your personal data. You may also request a copy of the information we have collected about you.

Access and data portability: You may at any time contact us if you wish to be granted access to your personal data. You have the right to receive personal data that you have provided to us in a machine-readable format.

Rectification or erasure: In principle, you have the right to request us to rectify incorrect data about you and request us to erase personal data about you. However, we are required to store the information that is required in order to fulfil our agreement with you, as well as information that is necessary in order to comply with relevant laws and rules or requirements from authorities.

Complaints to the Data Protection Authority: If you disagree with the manner in which we process your personal data, you may submit a complaint to the UK Information Commissioners Office. We appreciate it if you contact us first, so that we may clarify any misunderstandings.

Notification and Reporting in the case of a Data Incident: Whenever we are made aware of an incident that has (or could) affect your personal data we will promptly investigate that incident and take any necessary remediation action to ensure that it doesn’t happen again. Where the incident constitutes a data breach that is likely to result in a risk to your rights and freedoms, we will notify the appropriate Regulator of that incident and follow any remediation that they require. If a data incident is likely to result in a high risk to your rights and freedoms, we will report the details of that incident to you without delay.

Cookies

A cookie is a small text file that contains the information that is stored on your computer or device. When you visit our website, we use cookies to provide you with a better online experience, to follow up the services on our website or to make our website more relevant for you. The data will not be used to identify individual visitors, with the exception of HX’s logged in customers. You may specify or change settings in your browser in order to accept or reject cookies. If you choose to reject cookies, you may still use our website and certain services but access to some functions and areas of our website or services may be significantly limited.

For more information regarding cookies, click here.

Changes to this Privacy Policy

We are continuously working to develop and improve our services in relation to our customers. This may alter that the manner or scope of our processing of personal data. Occasionally, we will therefore adjust and update this Privacy Policy. Changes will be published on our website. All changes will first take effect after they have been communicated/published.

Contact Info

We have a Data Protection Officer who assists HX in ensuring good data protection. If you have questions regarding the processing of data, you may contact us by email at:

[email protected]

or send an enquiry to:

Data Protection Officer, HX Hold Co Ltd, 210 Pentonville Road, London, N1 9JY

Please note: If you have questions regarding your booking or wish to unsubscribe to our newsletters or mail, we ask that you contact [email protected]

Penguins perched on the ice of Cuverville Island, Antarctica. Credit: Espen Mills / HX Hurtigruten Expeditions

Sign up for our newsletter

Be the first to hear about our latest offers, exciting itineraries and inspirational articles.

Sign up here