Privacy Policy – May 2018

1. Introduction

NorthLink Ferries (“NorthLink Ferries”, “we” or “us”) is committed to ensuring that your personal information is protected and that we are being transparent about the information we hold about you.

Please read this Privacy Policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal information. It also explains your rights in relation to your personal information and how to contact us or supervisory authorities in the event you have a complaint.

We have developed this Privacy Policy to ensure those who use our services and otherwise interact with NorthLink Ferries, including visitors to our website (, are informed and confident about the security and privacy of their personal information.

When we handle certain personal data about you, we do so subject to the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) which applies across the European Union (including in the United Kingdom) from 25 May 2018. This Privacy Policy supplements our Conditions of Carriage and is not intended to override them.

2. Who We Are

NorthLink Ferries is operated by Serco Limited, a company incorporated in England and Wales with Company Number 00242246 and having its registered office at Serco House, 16 Bartley Wood Business Park, Bartley Way Hook, Hampshire, RG27 9UY.

For the purposes of this Privacy Policy, Serco Limited is the data controller.

3. Principles Of Data Protection

When using the term “personal data” or “personal information” in this Privacy Policy, we mean information (including opinions) that relates to you and from which you could be identified, either directly or in combination with other information which we may have in our possession.

To help you understand how we handle your personal information more clearly, below is a summary of the privacy principles which guide how we use your personal information. These principles provide that personal data should be:

  • used lawfully, fairly and in a transparent way;
  • collected for lawful reasons that have been clearly explained to you;
  • relevant to the purposes you have been told about and limited only to those purposes;
  • kept accurate and up to date;
  • shared only as has been explained to you, when you ask us to or when legally required to;
  • kept only as long as necessary for the purposes you have been told about; and
  • kept securely and protected.

Our website may provide links to third party websites. NorthLink Ferries is not responsible for the conduct of third party companies linked to the website and you should refer to the privacy notices of these third parties as to how they may handle your personal information.

4. How Your Personal Data Is Collected

The circumstances in which we may collect personal data about you includes when:

  • the personal data is provided to us by you (e.g. when you agree to sign up to join our mailing list or enter a competition);
  • the personal data is collected in the normal course of our relationship with you (e.g. when you are booking to travel with us via telephone, on the website or using our mobile application);
  • the personal data has been made public by you (e.g. contacting NorthLink Ferries via a social media platform) or obtained from a publicly accessible source (e.g. Companies House);
  • the personal data is received by us from third parties (e.g. third party booking websites, from your employer, tour group operators, external travel agents);
  • the personal data is collected via our IT systems, such as:
    • automated monitoring of our website, on-board Wi-Fi services and other technical systems including our computer networks and connections;
    • CCTV which operate in our terminals, freight yards and on our vessels;
    • email and instant messaging systems; and
    • the call recording system for calls received into our Customer Service Centre.
  • The personal data is created by us, such as records of your communications with NorthLink Ferries.

5. Personal Data Collected

The categories of personal information about you which we may collect and use includes:

  • Personal Details: title, full name, age range, gender, business or home address, telephone numbers, email address, nationality, marital status, job role, vehicle details, travel assistance requirements.
  • Family and Friends Information: children and dependents and contact details, work and friend’s details.
  • Public Identifiers: signatures, passport details, driving licence details, social media handles, national concession , photographs, registered weapon ownership information, voice recordings, video recordings (identifying physical characteristics).
  • Internal Identifiers: discount codes and vouchers, prize letter details, islander or friends and family number, booking reference or reservation numbers.
  • Financial Details: purchase transaction history, card payment details in accordance with PCI DSS
  • Travel Information: travel itinerary information.
  • Correspondence: responses to competitions, promotions and surveys (some details of which may be anonymised), social media postings, general correspondence.
  • Preferences: consents, permissions, or preferences that you have specified, such as whether you wish to subscribe to our mailing list or agree to our terms and conditions.
  • Incident History: health and safety accidents, security incidents, accident information, complaints communications, insurance claims history.
  • Sensitive Personal Data: health and medical information, racial or ethnic origin, religion, philosophical beliefs.
  • Website Access Details: your computers unique identifier (e.g. IP Address), the date and time you accessed the website, passwords to access alerts preferences.

If you do not provide certain personal information which we ask for we may not be able to process a reservation for you.

NorthLink Ferries complies with the Payment Card Industry Data Security Standards (PCI DSS). We have in place  robust controls surrounding the storage, transmission and processing of cardholder data that we handle.

6. How And Why We Use Your Personal Information

Data protection and privacy laws requires companies to have a “legal basis” or “lawful ground” to collect and handle your personal information. We will only collect, use and share your personal information where we are satisfied that we have an appropriate legal justification to do this, for example:

  • it is necessary in connection with the performance of our contract with you or to take steps at your request prior to entering into a contract with us;
  • to comply with our legal and regulatory obligations;
  • for our legitimate interests or those of a third party; or
  • where you have given your prior consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

Below is a summary of what we may use (process) your personal information for and our reasons for doing so:

Processing purposeOur reasons
Provision of Services: to provide the requested services to you including communicating with you in relation to those services and contacting you if an issue arises when providing those services.

  • The use is necessary in connection with the performance of our contract with you or to take steps at your request prior to entering into a contract with us; or

  • or our legitimate interests or those of a third party providing the requested products and services to you.

Fraud Detection: to prevent and detect fraud against you or NorthLink Ferries such as providing proof of identity if you request a copy of your data.

  • For our legitimate interests or those of a third party to minimise fraud that could be damaging for us and for you; or

  • To comply with our legal and regulatory obligations.

Safety: to ensure safe working practices and a safe working environment and for worker administration.

  • To comply with our legal and regulatory obligations; or

  • For our legitimate interests or those of a third party by making sure we are following our own internal procedures and working efficiently and safely so we can deliver the best service to you.

Security: for security purposes such as preventing unauthorised access and modifications to systems and protecting our workers, premises and vehicles with the use of CCTV, call recording and barred travel lists.

  • For our legitimate interests or those of a third party to prevent and detect criminal activity that could be damaging for us and for you, to protect the well-being of our workers and ensuring the physical and electronic security of our business, premises and assets; or

  • To comply with our legal and regulatory obligations

IT and Website Operations: for the operation and management of our website and IT systems, providing content to you and communicating and interacting with you on our website.

  • For the performance of our contract with you or to take steps at your request before entering into a contract; or

  • For our legitimate interests or those of a third party to operate our website and IT systems, including reporting faults.

Marketing: to promote our services via by email, telephone, social media, post or in person or otherwise but ensuring that such communications are provided to you in compliance with applicable law.

  • For our legitimate interests or those of a third party for the purpose of promotion; or

  • We have obtained your prior consent.

Claims and Complaints handling: investigating whether there is an incident, including obtaining witness statements.

  • For our legitimate interests or those of a third party to investigate accidents, incidents and complaints;

  • To comply with our legal and regulatory obligations; or

  • We have obtained your prior consent.

Internal compliance: ensuring business policies are adhered to, such as policies covering security and internet use.

  • For our legitimate interests or those of a third party for the purposes of making sure we are following our own internal procedures so we can deliver the best service to you.

Investigations: detecting, investigating and preventing breaches of policy and criminal offences.

  • For our legitimate interests or those of a third party to detect and protect against breaches of our policies, applicable laws and for the establishment, exercise or defence of legal claims; or

  • To comply with our legal and regulatory obligations.

Legal compliance: gathering and providing information required by or in relation to audits, enquiries or investigations by regulatory bodies.

  • To comply with our legal and regulatory obligations.

Quality Assurance: operational reasons, such as improving efficiency, training and quality control including by reviewing call recordings for training purposes.

  • For our legitimate interests or those of a third party to provide an efficient and high quality service to you.

Record maintenance: updating and enhancing customer records

  • For the performance of our contract with you or to take steps at your request before entering into a contract;

  • To comply with our legal and regulatory obligations; or

  • For our legitimate interests or those of a third party to ensure that we can keep in touch with our customers about existing orders and new products.

Research: conducting market or customer satisfaction research, statistical analysis to help us manage our business such as analysing travel usage, engaging with you to obtain your views on our products and services.

  • For our legitimate interests or those of a third party to provide an efficient and high quality service to you and to meet our contractual obligations to the Scottish Ministers; or

  • We have obtained your prior consent.

Risk management: audit, compliance, controls and other risk management.

  • For our legitimate interests or those of a third party to manage risks to which our business and workers are exposed.

7. Children’s Data

Our services may be booked directly and used by individuals aged 16 years or over. However, we do not knowingly collect or solicit personal information directly from anyone under the age of 16 or knowingly allow such persons to provide us with their personal information without parent or guardian consent. School and tours may book to travel with us and may provide limited information about the children travelling with their group.

If you are under 16, do not send any information about yourself to us, including your name, address, telephone numbers, or email address, unless you have your parent’s or guardian’s permission.

In the event we learn that we have collected personal information from anyone under the age of 16, and do not have a parent or guardian’s consent, we will delete that information as quickly as possible.

If you have any concerns, please contact us at or call us on 0845 6000 449 (UK) or +44 (0)1856 885500 (International and UK mobiles)

In the event that we do hold personal data about children, we will handle that data in accordance with the terms of this Privacy Policy.

8. Cookies

We use cookies on our website. Cookies are small text files that are downloaded onto your device when you visit a website. Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them, please see our Cookie Policy.

9. When Is Special Category Collected?

Special category personal information is particularly sensitive personal information as defined by the GDPR, including information that reveals racial or ethnic origin, religious beliefs or philosophical beliefs or data concerning health and medical conditions.

NorthLink Ferries does not collect special category personal data as a matter of course, however we may on occasion handle such data where, for example, the passenger may: (i) require assistance for a disability; (ii) wish to declare specific medical conditions or dietary requirements; or (iii) share sensitive details in their communications with us. Individuals pre-diagnosed health conditions should ensure they are familiar with our Conditions of Carriage.

Where special category personal information is involved, we will handle that information in accordance with applicable laws, including where:

  • we have your explicit consent – including where you voluntarily provide us with that information;
  • the law permits us to do so, to comply with our legal obligations or to exercise specific legal rights;
  • you have clearly made the sensitive personal information public;
  • processing is necessary for the establishment, exercise or defence of legal claims; or
  • processing is necessary for reasons of substantial public interest.

10. Direct Marketing

We may use your personal information to send you updates (by email, text message, telephone or post) about our services including exclusive offers, promotions or products that we believe will be of interest to you.

We have a legitimate interest in processing your personal information for promotional purposes (see above ‘How And Why We Use Your Personal Information’). This means we do not always need your consent to send you promotional communications. However, where consent is needed, we will ask for this separately and clearly.

You can subscribe to our marketing list by selecting the option to receive marketing communications when booking on our website.

We will always treat your personal information with the utmost respect and never sell your information, or share with other organisations without your prior permission for marketing purposes. We will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you.

Where applicable, you have the right to opt out of receiving marketing communications by:

  • using the unsubscribe option included on all NorthLink Ferries marketing correspondence or selecting this unsubscribe link; or
  • sending us an email to Please ensure you correspondence is marked ‘Unsubscribe: Marketing Contact List’ and include your full name, email and telephone number to ensure your details are fully deleted from our direct marketing system.

11. Call Recording

We may record telephone conversations of calls which come into the Customer Service Centre telephone system on either 0845 6000 449 (UK) or +44 (0)1856 885500 (International and UK mobiles). The system does not currently record the content of any telephone conversations outside of this system.

We advise all incoming callers to the Customer Service Centre by recorded message that they are being recorded.

We record calls based on the following legitimate purposes:

  • to provide you with the services you want to reserve;
  • to establish the facts in the event of a complaint, claim or query from a caller and to monitor compliance with our customer service standards;
  • to assist in ensuring compliance with regulatory procedures and to provide evidence for any regulatory investigation;
  • to help protect Customer Service Centre workers from abusive or nuisance calls;
  • to assist in identifying any training requirements or coaching needs for Customer Service Centre workers;
  • to assist in internal NorthLink Ferries investigations; and
  • to detect and prevent crime.

Call recordings will be stored no longer than 13 months from the date of their recording unless there is a relevant to an incident, complaint, investigation, legal proceedings or legal obligation which requires us to retain the recording for longer.

The recordings shall be stored securely, with access to the recordings controlled and managed by the Customer Service Centre Senior Supervisor and Customer Care Manager Access to the recordings are only permitted to satisfy a clearly defined business need and reasons for requesting access must be formally authorised by the Customer Care Manager. Browsing of recordings without valid reason is not permitted.

12. CCTV

We currently have closed circuit television (CCTV) operating in our terminals, freight yards and on our vessels for the primary legitimate purposes of: (i) public and worker safety; and  (ii) crime prevention and detection.  For these reasons, the information processed may include visual images of personal appearance and behaviours and in certain circumstances various sound recordings of workers, passengers and general members of the public who were in the immediate vicinity of the area under surveillance.

We display signs to inform visitors and workers that they are under surveillance and there may be video and/or sound recording in operation. This information is kept in secure environments and access is restricted to NorthLink Ferries designated security trained workers and any use shall be in compliance with the NorthLink Ferries security and privacy policies.

We retain CCTV recordings centrally for up to 45 days, and for a longer period if they are relevant to an incident, complaint, investigation, legal proceedings or for as long as legally required by regulatory bodies and law enforcement agencies.

13. Register As An Islander

If you qualify to join our Islander Scheme, you will be asked to complete an application which includes your name, address, telephone contact details, email contact details and the option of further communication. We will require evidence of your residence such as a bank statement or council tax bill, a copy of which will not be retained by us. This will allow you to have an Islander Number which gives exclusive privileges and allow you book quicker online, or using our mobile application.

Although not all of the information detailed above is mandatory some is required to have a valid Islander Number and we will retain that information for as long as you wish to continue being a part of the promotion. You can request to have your details be removed from the Islander Scheme records at any time, but you will forfeit your Islander Number and privileges.

Further information in the Islander Scheme is available here.

14. Declining Reservation Requests

NorthLink Ferries keeps a record of the names of individuals that will not be allowed passage aboard NorthLink Ferries vessel for a limited or unlimited period of time, based on its legitimate interests, as those individuals have interfered with the safety, security or public order, either on board one of its vessels or in a ferry terminal, or harassed or acted inappropriately to our workers in person or in other communication such as by email or on the telephone.

These individuals are personally informed (in writing where possible) that their name has been placed on the barred list and the details about how long these special security measures will apply to them.  Once their name is removed from the barred list, these details will only be retained in associated incident reports.

15. Sharing Your Personal Information With Others

We will only disclose personal information to a third party in very limited circumstances, or where we are permitted to do so by law. The third parties to whom we provide your personal data include:

  • other organisations within the Serco group of companies, where such disclosure is necessary to provide you with our services or to manage our business;
  • the Scottish Ministers, for the purposes of contract management review such as incident reports or passenger correspondence.
  • third parties we use to help deliver our products and services to you, e.g. banks and payment providers;
  • other third parties we use to help us run our business (e.g. marketing agencies, IT support service providers, port operators, analysis experts, communication platform providers);
  • third parties approved by you (e.g. when you request your details to be transferred);
  • our professional advisers (e.g. law firms, insurers and brokers); and/or
  • Government, regulatory and law enforcement bodies where we are required in order:
    • to comply with our legal obligations;
    • to exercise our legal rights (e.g. pursue or defend a claim); and
    • for the prevention, detection and investigation of crime.

We may transfer your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets, or in the event there is a change of operator for NorthLink Ferries or in the event that there is a hand back to the customer (the Scottish Ministers), provided that the receiving party agrees to treat your personal information in a manner consistent with this Privacy Policy.

Less commonly, we may process and share your personal data where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent.

We also impose data protection obligations on contracted third parties to ensure they can only use your data when providing services to NorthLink Ferries for the purposes listed above.  These third parties cannot pass your details on to any other parties unless instructed to by NorthLink Ferries.

16. Transferring Your Personal Information Globally

The personal information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) (for example, in the USA). It may also be processed by workers operating outside the EEA who work for us or for one of our service providers.

We will take appropriate steps to ensure that transfers of personal data are in accordance with applicable law and carefully managed to protect your privacy rights and interests and transfers are limited to countries which are recognised as providing an adequate level of legal protection, or where we are satisfied that alternative arrangements are in place to protect your privacy rights.  To achieve this:

  • we ensure transfers within Serco Group are covered by an intra-group data sharing agreement entered into be all entities within Serco Group, which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection.
  • we will, when transferring personal data to third parties outside the EEA:
    • put in place binding corporate agreements, which will include the standard contractual clauses approved by the European Commission for transferring personal information outside the EEA, to ensure that your information is safeguarded; or
    • ensure that the country in which your personal information will be handled has been deemed “adequate” by the European Commission or is registered and compliant with a Privacy Shield regime.
  • we carefully validate any requests for information from law enforcement or regulators before disclosing the information.

We will always co-operate with any regulators as required by law to ensure that we remain transparent about the way we handle your personal information.

In any case, our transfer, storage and handling of your personal information will continue to be governed by this Privacy Policy. If you would like further information about the global handling of your personal information, please contact us at

17. Security Of Your Personal Information

NorthLink Ferries takes precautions including administrative, technical and physical measures to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, modification, disclosure, alteration and destruction.  We protect personal data using a variety of security measures including:

  • password access;
  • data back-up;
  • encryption;
  • firewalls;
  • destroying personal information if it is no longer needed for the purposes it was collected;
  • placing confidentiality requirements on employees and service providers and providing training to ensure that your personal data in handled correctly; and
  • secure physical storage units for hard copy files with appropriate security restrictions, preventing damage, and unauthorised access to your personal information.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Please ensure that any passwords which you are given or created by you to access our services are kept secure and safe.

18. How Long Do We Keep Your Personal Information?

We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this Privacy Policy. Where your information is no longer needed, we will ensure that it is disposed of in a secure manner. If you would like further details about our retention policies, please email us at

In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with contractual, legal, regulatory, tax and/or accounting requirements.

19. Your Legal Rights In Respect Of Your Personal Information

You have legal rights in connection with personal information. Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Portability of the personal information you provided us, in certain situations.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
  • Object to processing of your personal information by us or on our behalf for direct marketing (including profiling) and in certain other situations (such as processing carried out for legitimate interests).
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.
  • Withdraw consent to processing where the legal basis for processing is solely justified on the grounds of consent (please refer to section 10 for details about withdrawing consent to marketing).

If you would like to exercise any of these rights, please submit your requests to the Data Protection Champion at the following details:

Data Protection Champion
NorthLink Ferries
Aberdeen Ferry Terminal,
Jamieson Quay,
AB11 5NP
Telephone: 0845 6000 449 (UK) or +44 (0)1856 885500 (International and UK mobiles).

Please note, to ensure security of personal information, we may ask you to verify your identity before proceeding with any such request.

20. Requests About Your Child’s Information

We hold very little data about children and do not actively market to them. Children have the same rights over their own personal information as an adult. However, as young children may not understand these rights or are not capable of exercising these right, in some cases their parents may do so on their behalf.

21. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Policy. If you have any questions about this Privacy Policy or how we handle your personal information, please address to:

Data Protection Officer
NorthLink Ferries
Serco Ltd
Enterprise House
18 Bartley Wood Business Park
Bartley Way
RG27 9XB

Alternatively, please email or call +44 (0)1256 745900.

22. Complaints

You also have the right to contact the Information Commissioner’s Office and file a complaint. ( or telephone: 0303 123 1113). The Information Commissioner’s Office will then investigate your complaint accordingly.

We ask that you please attempt to resolve any issues with us first, although you have a right to contact your  Information Commissioner’s Office at any time.

23. Changes To This Privacy Policy

We may amend this Privacy Policy from time to time to keep it up to date with legal requirements and the way we operate our business. This Privacy Policy was last reviewed and updated in May 2018.

Please regularly check this page for the latest version of this Privacy Policy. If we change this Privacy Policy, we will post the details of the changes on this page.

Share this page
Print this Page