Privacy Policy
This Privacy Policy explains how Irish Ferries ("we", "us", "our", or "the Company") collects, uses, stores, shares, and protects your personal data when you visit our website at irisshferries.com, make a booking, or otherwise interact with our services. We are committed to protecting your privacy and handling your personal data in a transparent, lawful, and responsible manner in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the Data Protection Acts 1988–2018 of Ireland.
Please read this Privacy Policy carefully. By using our website or services, you acknowledge that you have read and understood how we handle your personal data. If you do not agree with any part of this policy, please discontinue your use of our website and services.
1. Who We Are (Data Controller)
Irish Ferries is the data controller responsible for your personal data collected through this website and our associated services. As the data controller, we determine the purposes and means by which your personal data is processed.
| Company Name | Irish Ferries |
|---|---|
| Website | irisshferries.com |
| Email Address | [email protected] |
| Jurisdiction | Ireland |
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we process your personal data, please contact us using the contact details provided in Section 14 of this policy.
2. Legal Basis for Processing Your Personal Data
We process your personal data only when we have a valid legal basis to do so. Under the GDPR and the Data Protection Acts 1988–2018, we rely on the following legal bases:
- Contractual Necessity: Processing is necessary to perform a contract with you or to take steps prior to entering into a contract (e.g., processing a ferry booking).
- Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject under Irish or EU law.
- Legitimate Interests: Processing is necessary for our legitimate business interests, provided those interests are not overridden by your fundamental rights and freedoms.
- Consent: Where you have provided clear and unambiguous consent to the processing of your personal data for specific purposes (e.g., marketing communications).
- Vital Interests: Processing is necessary to protect the vital interests of you or another person in emergency situations.
Where we rely on your consent, you have the right to withdraw that consent at any time, and withdrawal of consent will not affect the lawfulness of any processing carried out prior to such withdrawal.
3. What Personal Data We Collect
We collect various categories of personal data depending on how you interact with us. The types of data we may collect include:
3.1 Identity and Contact Information
- Full name (first name and surname)
- Date of birth and age verification information
- Gender (where relevant to booking requirements)
- Postal address (billing and/or correspondence address)
- Email address
- Telephone number (including mobile number)
- Nationality and passport or travel document details (where required for international crossings)
3.2 Booking and Travel Information
- Travel itinerary details (routes, departure and return dates, times)
- Passenger numbers and details (including details of accompanying passengers)
- Vehicle registration information (where applicable)
- Cabin or seat preferences
- Special assistance or accessibility requirements
- Dietary requirements or preferences
- Loyalty programme membership details
3.3 Payment and Financial Information
- Payment card details (credit or debit card numbers, expiry dates, CVV codes — processed securely and not stored in full)
- Billing address
- Transaction history and booking reference numbers
- Bank account details (where direct debit or bank transfer is used)
3.4 Usage and Technical Data
- IP address and approximate geolocation data
- Browser type and version
- Device type, model, and operating system
- Screen resolution and language preferences
- Pages visited on our website, time and duration of visits
- Referring website or search engine
- Clickstream data and interaction data
- Error and performance logs
3.5 Communications Data
- Correspondence and communications sent to us via email, phone, or our contact forms
- Customer service enquiry records and complaint logs
- Feedback and survey responses
- Social media interactions with our official accounts
3.6 Cookie and Tracking Data
We collect data through cookies and similar tracking technologies when you visit our website. Please refer to Section 10 of this Privacy Policy and our dedicated Cookie Policy available on our website for full details.
3.7 Special Categories of Personal Data
In limited circumstances, we may collect special categories of personal data, such as health or medical information (for example, if you require wheelchair accessibility or have a specific medical need that affects your travel arrangements). We process such data only with your explicit consent or where necessary to protect your vital interests or to comply with legal obligations. We handle all special category data with the highest level of care and confidentiality.
4. How We Use Your Personal Data
We use the personal data we collect for a number of purposes, all of which are carried out in accordance with applicable data protection law:
4.1 Service Provision and Booking Management
- To process and manage your ferry bookings, reservations, and ticket purchases
- To communicate booking confirmations, itinerary details, and boarding information
- To process payments and manage refunds or cancellations
- To arrange special services such as accessibility assistance or dietary accommodations
- To manage your customer account, if you have registered with us
- To handle customer service queries, complaints, and disputes
4.2 Legal and Regulatory Compliance
- To comply with Irish and EU maritime, transport, and passenger rights regulations
- To fulfil obligations under the EU Passenger Rights Regulation (EU) No 1177/2010 concerning sea and inland waterway transport
- To comply with immigration, border control, and customs requirements
- To maintain accounting, tax, and financial records as required under Irish law
- To respond to lawful requests from regulatory authorities, law enforcement, or courts
4.3 Safety and Security
- To ensure the safety and security of passengers, crew, and vessels
- To prevent fraud, identity theft, and unauthorised access to our systems
- To monitor for suspicious or potentially harmful activity on our website
- To manage emergency situations that may arise during travel
4.4 Marketing and Communications
- To send you promotional offers, special deals, and news about our services, where you have consented to receive such communications
- To personalise our marketing communications based on your travel history and preferences
- To conduct customer satisfaction surveys and gather feedback on our services
- To manage our loyalty programme and related communications
You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email, by contacting us at [email protected], or by updating your communication preferences in your online account.
4.5 Analytics and Service Improvement
- To analyse website usage patterns and improve the functionality and user experience of our website
- To conduct internal research and analysis to better understand our customers' needs
- To develop new services, features, and products
- To monitor and measure the effectiveness of our marketing campaigns
- To generate aggregated and anonymised statistical reports
5. Sharing Your Personal Data with Third Parties
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. However, we may share your personal data with trusted third parties in the following circumstances:
5.1 Service Providers and Business Partners
We engage carefully selected third-party service providers who assist us in operating our business and delivering our services. These may include:
- Payment processing companies and financial institutions
- IT infrastructure, cloud hosting, and software service providers
- Customer relationship management (CRM) platform providers
- Email marketing and communications platform providers
- Analytics and website performance monitoring services (e.g., Google Analytics)
- Port operators and terminal service providers
- Travel insurance partners and ancillary service providers
- Customer support and call centre service providers
All third-party service providers are required to process your data solely in accordance with our instructions and applicable data protection law, and they are bound by appropriate data processing agreements.
5.2 Legal and Regulatory Authorities
We may disclose your personal data to government bodies, regulatory authorities, law enforcement agencies, or courts where we are legally required or authorised to do so under Irish or EU law. This includes disclosure to:
- An Garda Síochána (Irish Police) or other law enforcement agencies
- The Data Protection Commission (DPC) of Ireland
- Revenue Commissioners of Ireland
- Immigration and border control authorities in Ireland and other jurisdictions we serve
- Port authorities and maritime safety bodies
5.3 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or part of our business, your personal data may be transferred to the relevant third party as part of that transaction. We will notify you of any such change and ensure that your data continues to be protected in accordance with this Privacy Policy.
5.4 With Your Consent
We may share your personal data with other third parties where you have provided your explicit consent to such sharing, for example, when you agree to receive communications from our carefully selected partners.
6. International Data Transfers
As an Irish-based company operating ferry services across multiple international routes, some of your personal data may be transferred to, stored in, or processed in countries outside the European Economic Area (EEA). This may occur when we use service providers, partners, or technology platforms based outside the EEA.
Where we transfer personal data outside the EEA, we take all necessary steps to ensure that your data receives an adequate level of protection, including:
- Transferring data only to countries that the European Commission has determined provide an adequate level of data protection
- Using Standard Contractual Clauses (SCCs) approved by the European Commission
- Relying on binding corporate rules or other approved transfer mechanisms
- Ensuring appropriate technical and organisational safeguards are in place
You may request further information about the specific safeguards in place for international data transfers by contacting us at [email protected].
7. Data Security
We take the security of your personal data extremely seriously and implement a robust range of technical and organisational security measures to protect your data against unauthorised access, loss, destruction, alteration, or disclosure. Our security measures include, but are not limited to:
7.1 Technical Security Measures
- Encryption of data in transit using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology
- Encryption of sensitive data at rest, including payment information
- Secure firewalls and intrusion detection systems
- Regular security vulnerability assessments and penetration testing
- Multi-factor authentication for access to internal systems
- Secure and audited access controls limiting data access to authorised personnel only
- Regular data backups and disaster recovery procedures
7.2 Organisational Security Measures
- Staff data protection training and awareness programmes
- Confidentiality obligations for all employees and contractors with access to personal data
- Data protection impact assessments (DPIAs) for high-risk processing activities
- Clear data breach detection, reporting, and response procedures
- Regular review and updating of our security policies and procedures
While we implement these robust measures, no method of data transmission or storage is completely secure. In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the Data Protection Commission (DPC) in accordance with our legal obligations under the GDPR (within 72 hours of becoming aware of the breach where feasible).
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The specific retention periods we apply depend on the category of data and the purpose for which it is held:
| Data Category | Retention Period | Reason |
|---|---|---|
| Booking and transaction records | 7 years from the date of travel | Legal and financial compliance obligations under Irish law |
| Customer account information | Duration of account plus 3 years after last activity | Contractual obligations and legitimate business interests |
| Marketing preferences and communications | Until consent is withdrawn or 3 years from last engagement | Consent-based processing |
| Website usage and analytics data | Up to 26 months | Legitimate interests in website improvement |
| Customer service records and complaints | 3 years from resolution | Legal claim limitation periods under Irish law |
| Payment card data | Not stored in full; tokenised data retained per PCI-DSS requirements | Payment security compliance |
| Special category data (health/accessibility information) | Duration of booking plus 1 year | Safety obligations and legal compliance |
When your personal data is no longer required, we will securely delete or anonymise it in accordance with our data retention and disposal procedures. Where anonymisation is not possible, we will continue to store your data securely and restrict its use until deletion is possible.
9. Your Data Protection Rights
Under the GDPR and the Data Protection Acts 1988–2018, you have a number of important rights regarding your personal data. We are committed to upholding these rights and will respond to any valid request within one month of receipt (which may be extended by a further two months in the case of complex or multiple requests).
9.1 Right of Access
You have the right to request a copy of the personal data we hold about you, along with information about how we process it. This is known as a Subject Access Request (SAR). We will provide this information free of charge in most circumstances.
9.2 Right to Rectification
You have the right to request that we correct any inaccurate or incomplete personal data we hold about you without undue delay.
9.3 Right to Erasure ("Right to be Forgotten")
In certain circumstances, you have the right to request that we delete your personal data. This right applies, for example, where the data is no longer necessary for the purpose for which it was collected, or where you withdraw your consent and there is no other legal basis for processing. Please note that this right is not absolute and may be subject to certain exceptions.
9.4 Right to Restriction of Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, for example, where you contest the accuracy of the data or object to our processing activities.
9.5 Right to Data Portability
Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller.
9.6 Right to Object
You have the right to object to the processing of your personal data where we rely on our legitimate interests as the legal basis for processing. You also have an unconditional right to object to your personal data being used for direct marketing purposes at any time.
9.7 Rights Related to Automated Decision-Making and Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you, unless such processing is necessary for entering into or performing a contract, is authorised by law, or is based on your explicit consent.
9.8 Right to Withdraw Consent
Where we process your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of any processing carried out prior to the withdrawal.
10. Cookies and Tracking Technologies
Our website, irisshferries.com, uses cookies and similar tracking technologies to enhance your browsing experience, analyse website traffic, and support our marketing activities. Cookies are small text files placed on your device when you visit our website.
10.1 Types of Cookies We Use
- Strictly Necessary Cookies: These are essential for the website to function properly and cannot be switched off. They are typically set in response to actions you take, such as logging in or completing a booking form.
- Performance and Analytics Cookies: These cookies collect information about how visitors use our website, such as which pages are visited most often. This data is used to improve website performance. We use tools such as Google Analytics for this purpose.
- Functional Cookies: These cookies allow the website to remember your preferences and settings (such as language selection or login details) to provide a more personalised experience.
- Targeting and Advertising Cookies: These cookies are used to deliver relevant advertisements to you on our website and on other websites you visit. They track your browsing habits and are generally placed by our advertising partners.
10.2 Your Cookie Choices
When you first visit our website, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies. You can also manage or withdraw your cookie consent at any time through your browser settings or our Cookie Preference Centre on the website.
Please note that disabling certain cookies may affect the functionality of our website and your ability to complete bookings or access certain features.
For detailed information about the specific cookies we use, their purposes, and how to manage your preferences, please refer to our full Cookie Policy available on our website.
11. Children's Privacy
Our website and online booking services are not directed at children under the age of 18 years. We do not knowingly collect personal data from individuals under the age of 18 for the purpose of creating accounts or entering into contracts through our website.
Where children are included as passengers on a booking, their personal data is collected from and provided by the adult responsible for making the booking (a parent or legal guardian), who is responsible for ensuring that the child's information is provided appropriately and with proper authority.
If we become aware that we have inadvertently collected personal data from a child under 18 without appropriate parental or guardian consent, we will take immediate steps to delete that data from our records. If you believe that we may have collected personal data from a child without appropriate authorisation, please contact us immediately at [email protected].
12. Links to Third-Party Websites
Our website may contain links to third-party websites, applications, or services that are not operated or controlled by Irish Ferries. This Privacy Policy applies solely to our website and services. We are not responsible for the privacy practices or content of any third-party websites or services. We encourage you to read the privacy policies of any third-party websites you visit through links on our website.
13. Changes to This Privacy Policy
We reserve the right to update, amend, or modify this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, or business operations. When we make significant changes to this policy, we will notify you by:
- Posting a prominent notice on our website
- Sending you an email notification (where we hold a valid email address for you)
- Updating the "Last Updated" date at the top of this policy
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. Your continued use of our website or services following the posting of changes to this policy will constitute your acknowledgement of those changes.
14. How to Contact Us
If you have any questions, concerns, or complaints regarding this Privacy Policy or our data processing practices, or if you wish to exercise any of your data subject rights, please contact us using the following details:
| Company | Irish Ferries |
|---|---|
| Email Address | [email protected] |
| Website | irisshferries.com |
We will acknowledge your request promptly and aim to respond fully within 30 days of receipt. In complex cases, we may extend this period by an additional two months, in which case we will notify you accordingly.
15. How to Lodge a Complaint with the Data Protection Commission
We take your privacy rights very seriously and will do our utmost to resolve any concerns you raise with us directly. However, if you are not satisfied with our response or believe that we are processing your personal data in a manner that is not compliant with applicable data protection law, you have the right to lodge a complaint with the Data Protection Commission (DPC), which is the supervisory authority for data protection in Ireland.
Data Protection Commission (DPC)
Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Phone: +353 (0)1 765 0100 or 1800 437 737 (LoCall)
Email: [email protected]
Website: www.dataprotection.ie
You also have the right to seek judicial remedy through the Irish courts if you believe that your rights under the GDPR have been infringed. We would, however, encourage you to contact us in the first instance so that we may have the opportunity to address your concerns directly before escalating to the supervisory authority.
This Privacy Policy was last reviewed and updated on April 20, 2026. It is governed by and construed in accordance with the laws of Ireland and applicable European Union data protection legislation, including the General Data Protection Regulation (GDPR) (EU) 2016/679 and the Data Protection Acts 1988–2018.