Data protection policy


This information is in compliance with the Data Protection Act, Chapter 440 of the Laws of Malta as subsequently amended and/or any substitutions and the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council) of the 27th April, 2016.

1. Introduction

1.1.  Moby SPL  Limited need to process certain types of personal data.  This personal data must be processed appropriately irrespective of the medium on which it is held or stored, whether in paper or electronic format.

1.2.  This policy (hereinafter “the Policy”) is aimed at ensuring that the processing of personal data shall be in terms of the General Data Protection Regulation.

2.1.  Definitions

2.1. For the purposes of this Data Protection Policy, the definitions contained in Article 4 of the General Data Protection Regulation (hereinafter “GDPR”) shall apply; so however that the following terms shall have the following meanings:-

“the Controller” shall refer to Moby SPL Limited, a limited liability company, incorporated in Malta, bearing registration number C78021 and having its registered office at 18/2, South Street, Valletta, VLT 1102, Malta.

“the Data Subject” shall refer to all clients and passengers of the Controller, including but not limited to prospective passengers, past passengers and all other natural persons who may have provided the Controller with their own personal data for any reason whatsoever in relation to the services provided by the Controller and “you” and “your” shall refer to all said clients and passengers of the Controller.

2.2.  Contact Information of the Controller

The Controller may be contacted as follows:-

Postal Address:                       Level 2, Number 18,        

                                                  South Street,




Telephone Number:-               00356 2123 2606


Email address:-             


2.3.  How does the Controller obtain your Personal Data?

Your Personal Data are acquired by the Controller during booking, purchase, check in and services also online (e.g. “Need help? Lost and Found”) and are handled for purposes (hereinafter “the Purposes”) concerning the procedures of ticket purchase, also online, the fulfilling of contractual, accounting and tax obligations, programming activities and internal control services, the management of any health emergencies and assistance to Data Subjects. These operations may involve sending emails or telephoning in the case of technical requirements, mistaken interruption of processes, requests for integration of information or documents.

The Personal Data may be processed by telephone, telematic methods (including the use of the email address supplied during the purchasing procedure) or by post.

2.4.  Types of Personal Data processed

The Controller processes your name, address, all contact information which you provide to the Data Controller, your VAT number, your identity card number and/or your passport number and/or details relative to your passport and details relative to your Visa.

3.  Principles relating to the processing by the Controller of Personal Data

3.1.  The Controller hereby declares and undertakes that the Controller processes Personal Data in terms of and in full observance of the following principles:-

(i) lawfully, fairly and in a transparent manner in relation to the Data Subject;

(ii) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Hence, the Controller processes the data only for the Purposes.

(iii) the Personal Data collected  adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); To this end, the Data Subject shall only be required to provide all the personal data which are strictly necessary for the purposes of processing by the Controller.

(iv) The Data Controller shall ensure that all Personal Data shall be accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(v) The Data Controller shall keep the Personal Data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed.

(vi) All Personal Data shall be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the Data Subject(‘storage limitation’);

(vii) processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

These principles essentially mean that:-

1. The Controller shall not use the Personal Data in any manner which is not in line with the Purposes and, consequently, the reasons why the Personal Data had been given to the Controller  in the first place;

2. The Controller shall not sell or use the Personal Data for any commercial purposes, other than any Purposes;

3. The Controller shall not retain data for longer than necessary;

4. The Controller shall not destroy data unless the Controller is authorised to do so by law;

5. The Controller shall not ignore any requests by the Data Subjects for restriction of processing or objection to same.

4. Lawfulness of Processing

4.1. The Controller undertakes that all processing of Personal Data shall be lawful and the processing shall only be executed and performed:-

  (i)  wherever the Data Subject has given consent to the processing of his or her Personal Data for the Purposes; and/or

  (ii) processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;

  (iii) processing is necessary for compliance with a legal obligation to which the Controller is subject.   

5A.  Rights of the Data Subjects

5.1. The Controller hereby declares that the data subjects shall have the following rights with respect to their Personal Data and, further, undertakes to protect and promote same:-

(a) Transparency: the present privacy policy is aimed at providing Data Subjects with all the relative information necessary for the Data Subject to have all information in relation to how his Personal Data is being processed and all the rights available to him. 

(b)  The right to access to their own Personal Data and the right to request that they be provided with a copy of their data free of any charges, unless such requests become repetitive, frivolous or vexatious, in which case a charge shall be levied. 

(c)  The right to rectify their own Personal Data, should there be any incomplete or out-dated data or data which is, somehow, inaccurate.

(d)  The right to erasure of their Personal Data unless there are legal and/or policy obligations which impose on the Controller any retention periods. The Controller hereby declares that, in any case, no Personal Data shall be retained for longer than is necessary. With this declaration the Controller confirms that he shall not be retaining any Personal Data for longer than is strictly necessary in terms of the law. This essentially means that as soon as the prescriptive period for the exercise of an action elapses, then the Controller shall destroy the Personal Data.

(e)  The right to restriction of processing in either of the following cases:-

  (i) the accuracy of the Personal Data is contested by the Data Subject for a period enabling the Controller to verify the accuracy of the Personal Data; or

  (ii) the processing is unlawful and the data subject opposes the erasure of the Personal Data and requests the restriction of their use instead;

  (iii) the controller no longer needs the Personal Data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

  (iv) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

(f) The right to have data portability in a machine-readable format and this essentially shall mean that the Data Subject has the right to receive the Personal Data concerning him, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and also the Data Subject has the right to transmit those data to another controller without hindrance from the controller to which the Personal Data have been provided. Furthermore, the Data Subject shall have the right to have the Personal Data transmitted directly from one controller to another, where technically feasible.

(g)  The right to object to processing, should processing be no longer justified on the basis given in Clause 4.1. of this Policy.

(h)  The right not to be subjected to automated decision making. The Controller declares that there is no automated decision making which is being carried out on the Personal Data.

6B. Exercise of the Rights of the Data Subjects

In order to exercise any of the rights listed in Clause 6A, the Data Subject shall send an email to and request the right and/or rights which the Data Subject would want to exercise. The Controller  shall endeavour to accede to the request as soon as it is technically  possible.

7. Breach

7.1.  Should any Data Subject suspect a Personal Data breach likely to result in a high risk to his rights and freedoms he shall lodge a report to

7.2.  The Controller shall investigate such report and take all the necessary measures in terms of the General Data Protection Regulation to ensure that the rights and freedoms  and the Personal Data of the data subject are fully protected, including but not limited to, all the measures in the General Data Protection Regulation.  Should the circumstances so warrant in terms of the General Data Protection Regulation, the Controller shall report the breach to the Data Protection Commissioner in terms of the General Data Protection Regulation.

7.3. The Data Subject shall also have the right to inform and report the said breach to the Data Protection Commissioner.

8.  Data Transfers

8.1. The Controller shall also transmit and communicate the data to third parties, that is, third parties authorised to process the Personal Data, and may include the nomination of persons to be in charge of the processing if they perform or supply specific services strictly related to the execution of the contractual relationship (also via on-going processing), such as computer service companies, companies that provide payment services, approved agents, companies that provide printing, mailing, transportation and sorting services, outsourcing companies, consultants, independent professionals, and insurance companies.

8.2. The Controller hereby declares that it shall not pass on any Personal Data to any process and/or controller who do not offer the same levels of protection to Personal Data as that obtaining in terms of the General Data Protection Regulation.

8.3. Specifically, Personal Data relating to online payment of tickets shall be processed by Invoicebox OU, which is an independent data controller, in a protected and secure environment and will not be acquired or elaborated in any way by the Controller.

8.4. The Controller further hereby declares that Personal Data may be transferred to a booking office of the Controller in Russia and Personal Data be processed thereat. Consequently, the Data Subject is hereby specifically being requested to give his or her consent to such transfer in view of the fact that such transfer may have the following risks:-

(a) Russia does not offer the same level of protection of Personal Data as that afforded by European Union legislation to Personal Data and hence, as Data Subject, you are also authorising the Controller to transfer the Personal Data to our Russian booking offices;
(b) Furthermore, there is no competent authority in Russia to deal with any Personal Data breach grievance.
8.5. The Controller, however, hereby declares and undertakes to process all Personal Data in accordance with the provisions of this Policy, the General Data Protection Regulation and Maltese Law regulating Personal Data Protection.

9.  Captain’s Fidelity Programme

You may subscribe to the Catain’s Club fidelity programme by completing the online registration procedure. Personal Data requested during the registration procedure are processed manually and by computerised systems, exclusively to enable you to benefit from the advantages made available to members of Captain’s Club (insertion of personal data, attribution of points, allocation of awards, communication of the points summary, system for accessing reserved areas on the website, etc.). When subscribing, only Personal Data fields marked with an asterisk (*) are to be filled in with Personal Data. These fields must be completed in order for the subscription to be effective.

For you to continue enjoying the benefits of the Captain’s Fidelity Programme, you are hereby being requested to fill in the relative form attached hereto (LINK) and send it to

For the use of cookies please refer to the section "Information processing cookies" where appropriate information is made.

10.  Use of Personal Data for marketing purposes

You may occasionally receive communications from MOBY SPL LIMITED in relation to  commercial and promotional purposes, and to ensure satisfactory services, perform market research, or offer services by email and other channels.  You are invited to fill in the attached form to continue receiving said information. Occasionally you may receive sms on your cell phone number providing you information about new services, prices, news or other information on behalf of MOBY SPL. You can unsubscribe by calling the telephone number + 7 (921) 947-88-98 or by sending an e-mail to

Once consent is given, you are entitled to withdraw consent at nay point in time by clicking on “Unsubscribe”.

11.  Relationship with the General Data Protection Regulation

11.1..  The General Data Protection Regulation shall be observed in its entirety by the Controller.  In case of any inconsistencies between the provisions of this Policy and the General Data Protection Regulation, the latter shall prevail.