Global Privacy Policy


Carnival Corporation & plc Global Privacy Policy

Global Privacy Policy

Version: 1.0
Approved May 1, 2020

Business Owner: Jennifer Garone

1 of 20

Table of Contents
1. Scope ..................................................................................................................................................... 4
1.1. Relationship to Other Policies ....................................................................................................... 4
1.2. Where this Policy Applies.............................................................................................................. 4
2. Why Carnival Protects and Manages Personal Information ................................................................. 5
2.1. Why Protecting Personal Information is important to Carnival ................................................... 5
3. How Carnival Operates its Privacy Program ......................................................................................... 5
3.1. Privacy Governance ...................................................................................................................... 5
3.1.1. Roles and Responsibilities ..................................................................................................... 5
3.1.1.1. The Global Data Privacy Council (GDPC) ....................................................................... 6
3.1.1.2. DPO Working Group ...................................................................................................... 6
3.1.1.3. Audit Committee ........................................................................................................... 6
3.1.1.4. The Privacy Program ..................................................................................................... 6
3.1.1.5. The Data Protection Officer .......................................................................................... 6
3.1.1.6. Responsibilities of the Privacy Team............................................................................. 7
3.1.1.7. Obligations of employees & crew to protect privacy ................................................... 7
3.1.1.8. Strategic communications with other executives ......................................................... 8
3.1.2. Record-Keeping and Legal Documentation .......................................................................... 8
3.1.2.1. Registration of data processing activities ..................................................................... 8
3.1.3. International Personal Information Transfers ...................................................................... 8
3.2. Privacy Operations ........................................................................................................................ 9
3.2.1. Internally Focused Processes ................................................................................................ 9
3.2.1.1. Incident response .......................................................................................................... 9
3.2.1.2. Training & awareness.................................................................................................... 9
3.2.1.3. Data classification and handling ................................................................................... 9
3.2.1.4. Personal Information inventory .................................................................................. 10
3.2.2. Externally Focused Operations ........................................................................................... 10
3.2.2.1. Contract & vendor management (Data Processors) ................................................... 10
3.2.2.2. Privacy complaint and query handling ........................................................................ 10
3.2.2.3. Data Subject Rights ..................................................................................................... 10
3.3. Managing Privacy Risks ............................................................................................................... 10
3.3.1. Security for Privacy ............................................................................................................. 10
3.3.2. Privacy Reviews (Threshold Assessments, PIAs, DPIAs) ...................................................... 11

3.3.3. Third-Party Validation ......................................................................................................... 11

4. How Carnival Considers Privacy Throughout the Data Lifecycle ........................................................ 11
4.1. Understanding the Personal Information lifecycle ..................................................................... 11
4.1.1. Overview of the Data Lifecycle ........................................................................................... 11
4.1.2. Lawful Processing ................................................................................................................ 11
4.1.3. Notice .................................................................................................................................. 12
4.1.4. Collection ............................................................................................................................ 12
4.1.5. Use ...................................................................................................................................... 13
4.1.6. Retention and Deletion ....................................................................................................... 13
4.2. Privacy by Design and Default..................................................................................................... 14
4.2.1. Data Protection Principles................................................................................................... 14
4.2.1.1. Accountability ............................................................................................................. 14
4.2.1.2. Fairness, Transparency, and Lawfulness ..................................................................... 14
4.2.1.3. Purpose and storage limitation ................................................................................... 14
4.2.1.4. Minimization ............................................................................................................... 14
4.2.1.5. Accuracy ...................................................................................................................... 14
5. Non-Compliance ................................................................................................................................. 15
Appendix A: Corporation-wide Privacy Roles ............................................................................................. 16
Appendix B: Supporting standards and guidance ....................................................................................... 18
Appendix C: Document Management and Sign-Off.................................................................................... 18


1. Scope
1.1. Relationship to Other Policies
This Policy should be read in relation to other relevant policies, standards, implementation guidance,
and HESS documentation. A list of supporting documents can be found in Appendix C.

Because privacy laws and regulations vary between jurisdictions and may conflict on specific topics, this
Policy should be considered a baseline global set of requirements. Carnival brands may develop
supplemental local standards and guidance to reflect requirements of local law and account for local
risks and operational issues so long as they are consistent with this Policy.

POLICY: Formal statement that establishes objectives for the program or organization.
STANDARD: Establishes mandatory actions that support policies.
GUIDANCE: Offers information on how to implement standards.

1.2. Where this Policy Applies


Who: This Policy applies to all employees, crew, contractors, and others that handle Personal
Information (PI) on behalf of Carnival Corporation & plc (Carnival) and each of its divisions, brands, lines,
and controlled subsidiaries and affiliates. This includes third parties with whom we share Personal
Information.

What: This Policy applies to the Processing of Personal Information, also sometimes described as
personally identifiable information or personal data. (For the full definition, see Personal Information in
the Privacy Glossary.)

Where: This Policy is to be applied anywhere that Carnival operates or has customers, employees or
crew, globally.

When: This Policy applies to any use of Personal Information for any purpose.


2. Why Carnival Protects and Manages Personal Information


2.1. Why Protecting Personal Information is important to Carnival
Collecting and Using Personal Information of guests, employees, crew, and others has supported
Carnival in becoming the world’s largest leisure travel company. These Individuals expect us to treat
their Personal Information with appropriate care, and regulators around the world expect us to comply
with privacy laws and requirements that dictate how we Process Personal Information.

In line with our corporate mission and values, Carnival is committed to complying with applicable data
privacy requirements and our guests’ reasonable expectations no matter where in the world we
operate. We have created a privacy program, as described in this Policy, to manage and measure our
adherence to this commitment.

If we fail to properly meet privacy requirements and expectations, we could expose our guests,
colleagues, and families to fraud, and expose our company to legal action, adverse publicity,
reputational harm or substantial fines. Understanding and following the requirements of this Policy and
the supporting principles, standards, and guidance demonstrates Carnival’s commitment to protect and
process Personal Information in a way that satisfies our legal obligations. It also enables us to build trust
and maximize commercial opportunities from the responsible use of that data.

Given the potential impacts of non-compliance, improper, reckless or unauthorized collection, misuse,
modification or destruction of Personal Information may result in disciplinary action up to and including
dismissal.

If you are in doubt at any time about the processing of Personal Information, you must raise your
concern with your manager or the responsible Privacy Team prior to taking action.

3. How Carnival Operates its Privacy Program


3.1. Privacy Governance
This section provides an overview of Carnival’s activities related to maintaining an appropriate
understanding of Personal Information within the company and the roles and responsibilities that
support the privacy program.

3.1.1. Roles and Responsibilities


The Chief Privacy Officer (CPO) is the leader of Global Information Security and Compliance Services
(GISCS) and is responsible for communicating the current privacy posture to the Board of Directors.

The Global Ethics and Compliance (E&C) group provides the “central hub” for privacy at Carnival. In this
role, E&C provides legal counsel, runs the Global Data Privacy Council (GDPC), and operates the Holland
America Group, Carnival Cruise Line, and Costa privacy programs. The CUK program stands apart in the
legal department.

Carnival Corporation also has regionally based privacy programs. These regionally based programs, the
“spokes” of privacy at Carnival, are responsible for having processes to meet local laws and regulations
and corporate privacy requirements, and for implementing privacy practices for the brands operating in
their region. Data Protection Officers (DPOs) and privacy managers are responsible for implementing
locally focused processes based on local requirements in addition to implementing this global policy.

3.1.1.1. The Global Data Privacy Council (GDPC)


The GDPC is the primary body responsible for oversight and implementation of privacy and data
protection initiatives within Carnival. The GDPC is made up of relevant executive officers, vice presidents
and representatives from the local offices of the brands. Its responsibilities include, among others, policy
creation, review, and adjustment, and determining privacy best practices.

3.1.1.2. DPO Working Group


The DPO Working Group is made up of Carnival brand DPOs. Its purpose is to engage monthly on privacy
initiatives in order to align efforts across brands.

3.1.1.3. Audit Committee


The Audit Committees are committees of the Boards of Directors of Carnival. The Audit Committees shall
assist the Boards of Directors in their oversight of Carnival’s compliance with its privacy and data
protection regulatory requirements.

3.1.1.4. The Privacy Program


Carnival maintains mechanisms that provide for sufficient management, monitoring, and enforcement
within its privacy program at both the corporate and brand levels.

The corporate program is the central organization accountable for privacy. It is responsible for central
privacy governance and implementing corporate policy, standards, education and training, outreach and
implementing business processes that further corporate compliant outcomes and consistency. It also
provides updates to audit committees and other senior executives.

Brand programs must be identified and include a DPO or brand Privacy Program Owner. Group privacy
programs may be scoped to specific brands, geographies, or business functions, but should be
implemented with efficiencies in mind and with substantial coverage and support by the businesses or
regions that they serve.

For a complete chart of corporate and brand privacy roles, see Appendix B.

3.1.1.5. The Data Protection Officer


Data Protection Officers (DPOs) are responsible for oversight of data privacy within each brand and
taking steps to promote compliance with this Policy and applicable regulations. DPOs should maintain
consistent communication with business units engaged in Processing activities, the All Brands Group
(ABG) VP, Ethics and Compliance and the Chief Privacy Officer. In many regions across the globe, the role
of the DPO is assigned specific legal obligations. Each brand must ensure it is following local legislation
when allocating responsibility to the DPO.

Within the European Union, DPOs also have mandated responsibilities set out by the GDPR. These
responsibilities include:

• Informing and advising on obligations pursuant to the GDPR and local laws applicable to the
Processing of PI.
• Cooperating with supervisory authorities and acting as the main contact point on all issues
related to Processing PI, including prior consultation and consulting, where appropriate,
with regard to any other relevant matter.
• Monitoring compliance with all policies, laws, and regulations.
• Oversight and consulting on privacy impact assessments (PIAs) and, when necessary, data
protection impact assessments (DPIAs).

In brands without a designated DPO or Privacy Manager, the above responsibilities fall to the individual
company ECO (Ethics and Compliance Officer) and the Corporate CECO.

3.1.1.6. Responsibilities of the Privacy Team


The ABG Ethics and Compliance Privacy Team (Privacy Team) is responsible for the creation,
management, monitoring, and enforcement of the Global Privacy Program to ensure Carnival
meets its legal, contractual and other organizational requirements for Processing Personal
Information.

The core functions of the Privacy Team include:

• Policies, Procedures, and Guidelines: The Privacy Team is responsible for defining,
communicating and supporting the implementation of privacy policies, procedures, and
guidelines that govern the usage of Personal Information at Carnival throughout its
lifecycle.
• Training and Awareness: The Privacy Team is responsible for developing and making
available training regarding the appropriate use and handling of Personal Information.
This training is made available to all employees and contractors who handle Personal
Information on behalf of Carnival. Additional specific privacy training or awareness
materials will be developed and deployed on a risk-based approach that takes into
account the nature and extent of Personal Information being handled, and
circumstances that require additional guidance, such as the environment onboard a
ship.
• Monitoring and Enforcement: To ensure Carnival is meeting its obligations to protect
Personal Information and use it lawfully, the Privacy Team will monitor and enforce
Carnival’s compliance with internal and external requirements including applicable legal
and regulatory frameworks, contractual requirements related to data handling and
other requirements identified by Privacy Team leadership. The Privacy Team does this by
testing against a list of controls via a PIA or DPIA.
• Working with regulators: Carnival recognizes the importance of aligning its initiatives
and priorities with guidance and opinions issued by relevant privacy and data protection
regulators. Where appropriate, Carnival’s Privacy Team will maintain relationships with
relevant supervisory authorities.

3.1.1.7. Obligations of employees & crew to protect privacy


Compliance with this Policy is mandatory for Carnival Personnel. Any questions or concerns about
Processing Personal Information or policies related to it should be directed to the Data Protection
Officer or Ethics hotline. Suspected violations of this Policy must be reported to a supervisor or in
accordance with the Reporting of Improprieties Policy, which may be obtained from Employee Services
or Human Resources Department or the Company’s intranet website. Company policy prohibits any
retaliation against employees who report an apparent violation or concern about a potential violation in
good faith.

3.1.1.8. Strategic communications with other executives


The DPO is responsible for appropriately informing executives and decision-makers about privacy
matters that have a business impact and require decisions to be made that could impact other strategic
organizational objectives. The frequency and content of these communications will be agreed on by all
involved parties.

3.1.2. Record-Keeping and Legal Documentation

3.1.2.1. Registration of data processing activities


Carnival is responsible for maintaining accurate records of its Processing activities. These records shall
be maintained in an electronic format and made available as necessary to cooperate with regulators and
help to respond to Data Subject Rights requests as required.

The records that must be maintained differ depending on whether Carnival is acting as a Data Controller
or a Data Processor as well as the categories of information being processed.

3.1.3. International Personal Information Transfers


Carnival recognizes that Personal Information requires additional safeguards in countries without an
adequate formally recognized baseline of data protection laws. Additionally, transferring Personal
Information across national borders may come with specific requirements and restrictions. Some
countries, such as Russia, have data localization requirements that must also be observed. Suitable
safeguards and transfer mechanisms must be in place prior to transferring PI internationally.

Accordingly, such transfers will only be conducted if:

• The transfer is necessary to protect the vital interests of the Individual;
• The transfer is necessary to enter or perform a contract with (or for the benefit of) that
Individual;
• The transfer is conducted pursuant to Legitimate Interest;
• The transfer is necessary for important reasons of public interest;
• The transfer is necessary for the establishment, exercise or defense of legal claims; or
• The Individual has consented to the transfer.

The Privacy Team must be consulted if Carnival designs, builds, procures, or outsources a system or
process that might transfer Personal Information internationally. The Privacy Team will then advise on
the required steps before Processing can take place.

The brands of Carnival have executed an Inter-group agreement (IGA), providing safeguards for sharing
data globally.


3.2. Privacy Operations


Privacy Operations consists of the processes and activities that are operated day-to-day by the Privacy
Team and its internal partners to deliver privacy outcomes.

3.2.1. Internally Focused Processes


3.2.1.1. Incident response
Carnival defines a Data Incident as an incident leading to the accidental or unlawful destruction, loss,
theft, fraud, alteration, unauthorized disclosure of, or access to, Personal Information transmitted,
stored, or otherwise processed by or on behalf of Carnival.

The following are examples of a Data Incident:

• Carnival’s servers are hacked, exposing guest information.
• Carnival crew members leave a Manifest unattended on a table in a ship’s restaurant.
• A Carnival executive leaves their work-issued cell phone at a restaurant.
• An unauthorized Carnival employee tailgates (for example, by entering without a badge swipe) into a
server room and uses a flash drive to obtain guest information.
• Paper files containing passengers’ health information are found missing from a company file
room.
• The email of a third party is hacked, and Personal Information of Carnival guests is exposed.

Carnival has created and maintains a Cybersecurity and Privacy Incident Response Manual and a
Playbook that details initial response, investigation, communication, notifications, and remediation
steps to take in the event of a Data Incident. Carnival must maintain records and documentation for
Data Incidents and track the remediation through to completion.

The Corporate Privacy Program has processes to track incident/breach information to determine
whether changes to the Corporate Privacy Program and/or our practices are needed. The Corporate
Privacy Program is informed of all Data Breaches. The DPO documents the brand incident response
program, documents all incidents and breaches, and notifies the Corporate Privacy Program. The
Corporate Privacy Program manages all Severity level 1 and 0 incidents. The brand privacy programs
manage all Severity level 2 and 3 incidents.

All suspected or confirmed Data Incidents are to be reported to the brand Privacy Team. Quarterly
reports by a brand must be submitted to the Corporate Privacy Program for reporting to the Board.

3.2.1.2. Training & awareness


Carnival’s privacy training and awareness activities promote understanding of data privacy threats and
concerns, and employees’ responsibilities to protect Personal Information. All employees & crew shall
receive adequate annual training and regular updates regarding privacy policies, privacy principles, and
related standards and procedures as relevant to their role. The DPO ensures that the required training is
implemented and tracked through to completion.

3.2.1.3. Data classification and handling


Processing certain categories and combinations of Personal Information brings a greater likelihood and
severity of risk to Data Subjects. Carnival employees who handle Personal Information must take
appropriate measures to protect it in accordance with Carnival’s Data Classification and Handling
Standards. Data classification and tools will be reviewed annually and updated accordingly by GISCS.

3.2.1.4. Personal Information inventory


All Personal Information shall be inventoried according to risk to assist in assigning security controls and
to enable compliance with applicable regulations. The information that should be captured in a Personal
Information inventory and data-flow mapping includes, but is not limited to, specific data types,
categories of data types, sources of the data, and with whom we have shared the data. Inventories and
data-flow mapping will be reviewed annually.

3.2.2. Externally Focused Operations


3.2.2.1. Contract & vendor management (Data Processors)
Carnival and its brands may engage external business partners, third parties, service providers, vendors
and suppliers (external parties) for various Processing activities. Prior to engaging any external partners,
Carnival must evaluate their privacy practices. Additionally, periodic privacy reviews must continue
throughout the engagement.

3.2.2.2. Privacy complaint and query handling

Privacy complaints are a significant source of regulatory inquiries and lawsuits, so it is important that we
quickly identify problematic practices and handle them effectively. Carnival has rules and guidance on
responding to questions and complaints about our processing of Personal Information.

3.2.2.3. Data Subject Rights


Carnival’s privacy program is designed to respect the legal rights of Data Subjects, including but not
limited to our guests, employees, and crew. The rights offered to Data Subjects depend on
geographical considerations, the specific processing activities, the types of Personal Information being
Processed and other regulatory requirements. Brand Privacy Programs must develop and maintain
supplemental local policies and procedures to reflect the requirements of local law. It is important that
Carnival has a clear process for handling Data Subject Rights requests and that we respond in a complete
and accurate manner within the legally mandated time periods.

Carnival offers Data Subjects multiple channels to exercise their rights, including calling the customer
service center, completing an online form, and sending an email.

3.3. Managing Privacy Risks


Carnival is committed to identifying and mitigating risks associated with the processing of Personal
Information. We have developed administrative, technical and physical controls to ensure risks are
identified and Personal Information is protected at a level commensurate with the risk of harm to Data
Subjects.

3.3.1. Security for Privacy


Carnival must implement and operate security controls over Personal Information based on the level of
sensitivity as described in the Carnival Data Classification and Handling Standards and according to
applicable legal requirements.

Appropriate GISCS directed physical, technological and administrative safeguards must be in place to
maintain the security of Personal Information from the point of collection to the point of destruction.
These measures include but are not limited to encryption, incident detection and mitigation
technologies and procedures, risk assessments, monitoring of controls, and following and maintaining
appropriate security policies.

More information can be found in Carnival’s information security policies and standards available on
each brand’s intranet website.

3.3.2. Privacy Reviews (Threshold Assessments, PIAs, DPIAs)


The Carnival privacy review process is integral to building respectful privacy practices into our business
functions. The Privacy Program provides controls, standards, templates, and tools to enable Privacy
Impact Assessments (PIA) and Data Protection Impact Assessments (DPIA) to be completed when
required for Processing Personal Information. Privacy reviews are conducted using a risk-based
approach and are documented in a format that is auditable and shareable with other Brands and the
Corporate Privacy Program, as needed.

The privacy review process should be viewed as an iterative process and repeated or re-assessed
whenever business owners notify the relevant DPO that changes to the proposed Processing activity
occur.

3.3.3. Third-Party Validation


Carnival must validate entities, both internal and external to Carnival, prior to engaging them in
processing activities involving Personal Information. Data Processors and Joint Controllers are expected
to follow the necessary standards when processing the Personal Information of Carnival guests,
employees or crew.

4. How Carnival Considers Privacy throughout the Data Lifecycle


This section describes Carnival’s overall approach to managing privacy risks and how it aligns with our
strategy and values. It offers an overview of Carnival’s activities related to maintaining an appropriate
understanding of, and control environment for, Personal Information within Carnival.

4.1. Understanding the Personal Information lifecycle


4.1.1. Overview of the Data Lifecycle
Carnival’s responsibility to protect Personal Information begins at the point of collection and continues
until the Personal Information is transformed into non-Personal Information through aggregation or an
approved anonymization process or is otherwise erased or destroyed. The Privacy Program is designed
and intended to ensure that Personal Information is used, managed and protected throughout its
lifecycle.

4.1.2. Lawful Processing


Carnival may Process Personal Information only where we can demonstrate a legal basis for doing so.
Legal bases include:

• Consent of the Individual;
• Performance of a contract to which the Individual is a party or taking steps at the request of the
Data Subject prior to entering into a contract;
• Compliance with a legal obligation; e.g., Carnival must obtain and package Personal Information
into manifests that are provided to port state control officials in relation to purchases of cruise
vacations;
• Necessary to protect the vital interests of the Individual or another natural person;
• Necessary for the performance of a task carried out in the public interest, e.g. notifying
authorities of individuals who may have been exposed to a communicable disease; and
• Necessary for the purposes of the legitimate interests of Carnival or of a third party.

Where the legal basis or purpose might change, Carnival must verify that the new legal basis is valid. For
example, if Personal Information, or special categories of Personal Information such as medical or
genetic/biometric data, was collected for the performance of a contract and there is a desired secondary
use, such as for marketing purposes, Carnival must ensure there is a legal basis to use the information
for marketing purposes (e.g., the consent of Data Subjects).

Any Processing that will be conducted pursuant to the legitimate interests of Carnival must undergo a
privacy assessment and a Legitimate Interest Assessment (LIA) to determine the validity of the
Processing. Privacy assessments and LIAs must be reviewed and approved by the brand DPO prior to
Processing.

4.1.3. Notice
Notification and legal justification to process Personal Information are fundamental principles of privacy
laws worldwide. Individuals whose Personal Information will be Processed by Carnival must be provided
with a Privacy Notice at the time their Personal Information is collected by Carnival or by a third party on
behalf of Carnival. Certain regions may require guests’ consent in addition to the notification.

Privacy Notices are required regardless of whether Personal Information is collected directly or
indirectly. Where Personal Information is collected indirectly (e.g., via a travel agent), Carnival shall
ensure the Individual is notified of such Processing as soon as reasonably possible. In this case, the
Privacy Notice should also indicate the source of the Personal Information and the categories of
Personal Information concerned. Privacy Notices must be in clear and plain language and should be
delivered in writing or electronically.

4.1.4. Collection
Direct Collection of Personal Information: Where Carnival collects Personal Information directly from
individuals, we must ensure that we handle it according to our policies and principles as well as
applicable regulations. It is important that we only collect the amount of Personal Information necessary
for a stated business purpose.

Collection using cookies and other technologies: Carnival is responsible for providing clear information
about the way it uses cookies and similar technologies and for ensuring that it only collects Personal
Information as notified to users in the “Cookie & Tracking Technology” section of the Privacy Notice. In
addition, for Carnival websites targeting potential guests, where user consent for the use of cookies or
other similar technologies is legally required, that consent must be obtained prior to collection.
Acquisition of Personal Information from Third Parties: Carnival may purchase, rent or
otherwise acquire Personal Information from third parties. If Personal Information is being
acquired from a third party, then a contract must be signed between Carnival and the third
party that includes provisions regarding how the data can be legally used and provisions
regarding the privacy roles of Carnival and the third party (e.g., the data controller, data
processor, joint controllers). The contract must be approved by Legal and will govern Carnival’s
use of the acquired information.

4.1.5. Use
Carnival begins using Personal Information at the moment we collect or otherwise acquire it,
and the use ends when the Personal Information is either transformed into non-Personal
Information through aggregation or an approved anonymization process or is otherwise erased
or destroyed. We may only use Personal Information in ways that have been notified to
individuals in the relevant Privacy Notice communicated to them when their Personal
Information was collected.

To use Personal Information, we must:

- Assess the use with a Data Protection Risk Assessment or Privacy Risk Assessment process to determine the appropriate protections.
- Have a defined legal basis for the use of Personal Information.
- Have appropriate protections based on the potential risk.

4.1.6. Retention and Deletion

The longer Personal Information is retained, the higher the likelihood of accidental disclosure, theft or
corruption of that information. In some cases, regulators require that specific retention periods are
assigned to each data set.

Personal Information shall be used and stored for only as long as necessary to meet documented
Business Purposes unless there is a specific legal reason to retain it longer (e.g. retaining transaction
records for tax reasons). Use a secure method to dispose of the information once no valid business or
legal reason remains for retaining Personal Information.

Personal Information shall be kept in an identifiable form:

- no longer than is necessary,
- for the purposes for which it was originally collected, and
- in accordance with the local Data Retention Schedule.

In the event that Carnival may need to retain Personal Information longer than is required for Business
Purposes, Carnival shall retain such information in a de-identified format. Prior to extending the length
of retention, an assessment must be conducted to determine the appropriate de-identification
methods.

Upon the expiration of applicable timelines in the Data Retention Schedule, Personal Information shall
be deleted, anonymized, or de-linked using the appropriate approved method.

Where a particular category of Personal Information is not specifically addressed in the Data Retention
Schedule, teams must define, implement, and document a data retention plan, prior to processing such
data. In defining such periods, teams should look to retain data for no longer than absolutely necessary,
where Carnival has no overriding legal interest in retaining the data, and for no longer than is necessary
to satisfy the purposes for which the data was originally collected.

4.2. Privacy by Design and Default

Privacy by design and default comprises a set of principles that engrains data protection into the culture
and practices of an organization. The principles offer guidance on ways to ensure privacy is considered
throughout the lifecycle of processes, projects, and systems that interact with Personal Information.
Where possible, Carnival will seek opportunities to enhance individual privacy protections through the
implementation of privacy-by-design-and-default principles.

4.2.1. Data Protection Principles

The following principles guide Carnival’s privacy program in its effort to treat our Guests’ and
employees’ Personal Information with care and respect. This policy and its supporting standards and
implementation guidance strive to ensure these data protection principles are part of the culture of
Carnival and its brands and subsidiaries.

4.2.1.1. Accountability
Carnival’s Privacy Program is designed and operated to ensure that Personal Information is processed
according to our policies and standards. The Privacy Team is responsible for governing the program and
enforcing policies related to the Processing of Personal Information. More information on privacy roles
within Carnival can be found in Appendix B.

4.2.1.2. Fairness, Transparency, and Lawfulness

Carnival must process Personal Information fairly and lawfully. It is essential that we inform individuals
of the types of Personal Information we collect and process it only in ways we tell them we will. Carnival
has established rules for the lawful processing of Personal Information that are documented in local
Standards.

4.2.1.3. Purpose and storage limitation

Carnival only uses the Personal Information we collect for purposes notified to individuals via our
privacy notices, and we keep it only as long as it’s needed for those purposes. If we would like to use
Personal Information for a purpose other than those we’ve notified to individuals, we must determine a
lawful basis (for example, the consent of the individual) prior to using it for that purpose and we must
provide Data Subjects with information on that other purpose and with any relevant further information
prior to starting the further processing of Personal Information.

4.2.1.4. Minimization
Carnival only collects Personal Information we need for a specific Business Purpose. It is important that
we collect and retain only information that is relevant and necessary to fulfill the purpose for which it is
being collected. This protects both Carnival and the individual from having information exposed in a
data incident.

4.2.1.5. Accuracy
Carnival must take steps to ensure that the Personal Information we hold is accurate, up-to-date, and
complete. To that end, we annually review the quality of our information, amend inaccurate
information, and delete or destroy out-of-date information. We also allow individuals the right to access
and correct their Personal Information.

5. Non-Compliance
While the goal of this Policy is to have a global approach, and the Policy is created with input from all
privacy officers so that the Company provides an equitable and ethical data privacy experience to all
regardless of their citizenship or residency, there are instances where local or national laws may change
or take precedence over the requirements set forth herein. Where a conflict between this Policy and
applicable law arises or otherwise becomes apparent, suitable legal advice shall be taken and an
appropriate course of action determined.

If it is not possible to comply with the requirements of this Policy for other reasons, then the following
shall be undertaken:

1. Exceptions must be sought as soon as possible from the Privacy Team, who will escalate to the
Vice President of Ethics and Compliance where appropriate. All exception requests
must state the scope of the non-compliance, the justification for the non-compliance, and the
name of the Manager who will take responsibility for this non-compliance.
2. The Privacy Team shall assess the risks in allowing an exemption and involve other relevant
parties and risk stakeholders as appropriate; and
3. The Corporate Privacy Program, with advice from the Privacy Team and VP of Ethics and
Compliance, shall determine whether the exception is granted.

Appendix A: Corporation-wide Privacy Roles

Chief Privacy Officer (CPO): Carnival has a CPO. This person represents the company in privacy matters externally and manages the Corporate Privacy Program. The CPO is required to provide an annual report to the CEO and Carnival Board on the state of Carnival’s privacy program. Jointly owns the Cyber Security and Privacy Incident Response Plan and the Third-Party Risk Management (TPRM) program.

Chief Ethics and Compliance Officer (CECO): Carnival has an Ethics and Compliance Department that reports directly to the CEO. This program is responsible for ethics, environmental compliance, privacy, records retention, investigations and other compliance programs. Most of the global privacy programs report up to this department. Enables appropriate resourcing and funding.

VP, Ethics and Compliance (VP-E&C): As the individual that is accountable for privacy governance, the VP-E&C is responsible for implementing Carnival’s privacy accountability model and assisting brands with privacy compliance. In running the Corporate Privacy Program, they partner with the CPO, the GDPC and others to implement corporate privacy initiatives, projects, programs, policies, awareness, training and the management of processes that enable a baseline of privacy at Carnival. Jointly owns the Cyber Security and Privacy Incident Response Plan and the Third-Party Risk Management (TPRM) program.

North American Privacy Officer: Responsible for privacy across the North American brands, ensuring that the brands have clear compliance processes, guidance, and tooling. Accountable for managing the brand PPOs in all North American brands. Member of the GDPC; leads the North American Privacy Leadership Board.

Carnival Legal team: Provides legal counsel and guidance on privacy regulations and laws worldwide as requested.

RAAS: Performs privacy compliance audits of specific privacy risks, privacy operations, and controls.

GISCS: Owns and manages information security policy, standards and program, enables implementation of the Cyber Security and Privacy Incident Response Plan and TPRM. Manages exception process.

Ethics & Compliance Officers: Support the local programs as indicated by responsibility and organization structure.

Brand Privacy Roles

Data Protection Officers (DPOs): Carnival, as required by law, has designated individuals as DPOs. The Carnival CPO is the DPO for the company, which includes Brand activities. Carnival has designated DPOs for each region in which it operates. These roles are frequently also the “Privacy Program Owners.”

Privacy Program Owners (PPOs): Carnival has group PPOs who are accountable for implementing privacy requirements and processes within the Brands; this is a similar role to the DPO without the GDPR designation. They collaborate with legal, privacy managers, records & information management, IT, etc. and subject matter experts within their group and independent verification teams to achieve privacy compliance. As owners of privacy programs within the Company, PPOs are members of the Global Data Privacy Council (GDPC) and should work with other Brand PPOs to further privacy education and awareness, implementation, and compliance at Carnival.

Privacy Managers: Every Carnival privacy group may have people who are responsible for implementing privacy practices in Brand processes. This includes group-level privacy managers, subject matter experts, and others identified as having privacy compliance responsibilities at the Brands. Prior to involvement in group privacy processes, Privacy Managers must meet all education and training requirements established by their group programs.

Regional or Brand Legal Counsel: Support the brands and specific privacy governance functions to enable compliant outcomes.

Appendix B: Supporting standards and guidance

Each brand may have standards and guidance to support this policy. Below is where those can be
found.

North American Brands [Include links in this column or just link the document names when completed]

- Cookies and Similar Technologies Standard
- Cross-border Personal Information Transfer Standard
- Employee and Crew Data Handling Standard
- Lawful Processing of Personal Information Standard
- Personal Information Retention Standard
- Personal Information Record-keeping Standard
- Data Subject Rights Standard
- Privacy by Design and Default Standard
- Privacy Complaint and Query Response Standard
- Privacy Notice Standard
- Third-Party Management and Assessment Standard
- Cookies and Ad Tracking Guidelines
- Data Subject Rights Response Handbook
- Personal Information Retention Guidelines
- Personal Information Transfer Guidelines
- Privacy Notice Guidelines
- Privacy Policy Management Lifecycle Guidance
- Shipboard Specific Guidance
- Intra-group Agreement

Appendix C: Document Management and Sign-Off

This document is formally revised annually to reflect changes in Carnival’s regulatory obligations and the
privacy landscape in general. Changes to this document will be reviewed and approved by the Global
Data Privacy Council (GDPC) prior to publishing. There may be instances where it is important to change
this document outside the formalized update schedule; in these circumstances, changes will
be managed through the Carnival Corp Privacy Team and communicated out.

Version Control Log

Version | Date | Section | Description | Modified by
0.2 | 7/17/2019 | | Revisions and responses based on Neda’s initial review. | Emily Leach
0.3 | 7/22/2019 | | Added TOC and logs, revised doc mgmt. & sign-off, added header, pg, accepted tracked changes, removed resolved comments | Emily Leach
0.4 | 7/24/19 | All | Final review | Neda Roessler
0.5 | 8/5/19 | All | Provided final review feedback with some changes | Jen
0.6 | 8/6/19 | All | Modified the document based on the feedback | Neda & Emily
0.7 | 12/6/19 | 4.1.3 | Changed the cookie notice to be “Cookie & Tracking Technology section of the Privacy Notice” to align with privacy notice. Made the same change in the cookie guidance document | Neda & Emily
0.8 | 3/12/19 | All | Incorporated feedbacks received from all other global DPOs | Neda

Document Sign-Off Log

Version | Date | Title | Name | Comments
1.0 | May 1, 2020 | Privacy Director, North America | Jennifer Garone |
1.0 | 5/1/2020 | Director, Privacy and DPO, UK | Darren Hampton |
1.0 | 5/4/2020 | Legal Counsel / Compliance & Privacy (AIDA Cruises) | Henry Neulitz-Braun |
1.0 | 5/4/2020 | Ethics and Compliance, Costa | Cristina Porcelli |
1.0 | | VP, Global Ethics & Compliance (ABG) | Martha De Zayas |
1.0 | | Chief Info Security Officer (ABG) | Gary Eppinger |
1.0 | May 1, 2020 | GDPC | |
