1.3. airBaltic Training knows the importance of personal data protection in this modern information age. airBaltic understands that appropriate data protection has impact on trust of its customers and employees, as well as on reputation and sustainability of the company. Therefore, airBaltic pays attention to appropriate data protection and is working to comply with the applicable regulatory enactments and apply data protection regulations in everyday work.
1.4. airBaltic Training is a subject to the General Data Protection Regulation No. 679/2016 (GDPR) of the European Parliament and of the Council as well as relevant national regulatory enactments, which impose obligations to ensure appropriate processing and protection of personal data. airBaltic Training aims to ensure inter alia:
Lawfulness – airBaltic Training respects data protection and privacy laws and aim to comply with obligation provided by such laws;
Security – airBaltic Training aims to protect personal data pursuant to the industry standards, including having access control in place and encryption solutions, as well as updating security measures when necessary to comply with industry standards.
1.5. We aim to ensure processing of accurate and true personal data. However – as it is in any relationships – also in our cooperation you may help us to achieve this. Therefore, each time you provide us with your data, please verify accuracy of such information with due care, for example, when you make reservation or apply for any service, in particular, when you provide airBaltic Training with contact information. We rely that information provided by you is accurate and true. If you notice any mistake, please feel free to contact us as soon as possible in order we could make appropriate changes to the data and thus ensuring processing of accurate data, in particular – accurate contact details. In case you mistakenly indicate wrong contact details, information on service may be sent to wrong recipient and accordingly you may not receive important information from us concerning the service.
We collect information about you in the following ways:
- you visit websites on any airBaltic Training domain or enter information into them;
- you book our service;
- third parties provide us with information about you;
- you talk with us or our agents and employees on our communication channels, for example, via social media, the phone or contact them by e-mail or online chat;
- you file a claim or any other request with us, or you have contacted us;
- your participation is registered for event organized by us;
- you participate in any event organized by us;
- our partner has shared information about you as its representative;
- we may ask you to provide us with data for autentification purposes and to verify whether you are a person who made reservation or to verify whether you are the individual who you declare to be;
- we may contact you in course of cooperation or corporate communication (for example, we may obtain contact information);
3.1. Taking into account that we may check your ID only after you visit us, so we assume that a person booking a service is you or is entitled to share your personal data with us on your behalf.
3.2. We may collect the following categories of personal data:
3.2.1. Basic data (e.g., name, surname, gender, age);
3.2.2. Identification data (e.g., birth data, identification data, data of passport);
3.2.3. Contact data (for example, e-mail, phone number, emergency contact information, in some cases – address, accommodation data etc.);
3.2.4. Settlement data (for example, payment information, fees, bank account information, taxes, debt information);
3.2.5. Media data (for example, photo, video images, audio recording – e.g., call recordings, video surveillance data);
3.2.6. Communication data (e.g., language, communication channel, consents, claims, opinion, correspondence etc.);
3.2.7. WEB data (e.g., IP address, operating system, cookies, access, website visit session, clicks, visited website sections information, reviewed information on website, reviewed destinations.)
3.4. We process your data for the following purposes and based on the following legal ground:
3.4.1. Conclusion and fulfilment of agreement (e.g., service provision legal ground – agreement with data subject or steps taken prior conclusion of agreement.);
3.4.2. Fulfilment of lawful rights, obligations and execution of law (for example, providing information to the relevant authorities based on request, legal ground – fulfilment of law and lawful rights and obligations);
3.4.3. Monitoring of fulfilment of the agreement
3.4.4. Providing services and products and its administration and improvements, this purpose is related to agreement with data subject, which serves as a legal ground for such processing, in some cases to improve the services we may review services purchased by client, some proposals, such processing is based on a legitimate interest;
3.4.5. Quality and experience control and improvement (incl., surveys, customer satisfaction and claim reviews, review of communicatin ( including, correspondence and call recordings) to verifying whether our employees has provided services according to our quality standard. Legal ground – legitimate interest);
3.4.7. Provision, management and improvement of the website, as well as ensuring its continuity and security (for example, processing of data related to service bookings, habits of website visitors, legal ground – agreement with data subject and legitimate interest to ensure operation of website, its security and improvements);
3.4.8. Statistic and analytics of services and website experience;
3.4.9. Administration and management of corporate communication and event organization (e.g., administrating list of event participants, contact information of journalist for communication purposes, for example, to answer to questions of journalist);
3.4.10. Recording of historical events, ensuring historical succession, continuity and archiving purposes, legal basis – legitimate interest and in some cases Archives Law, for example we may take photo images and video recordings from events organized by airBaltic based on a legitimate interest to record historical fact. Before the event, visitors are informed separately about taking photos / videos during the event);
3.4.11. Claim management and debt recovery (for example, complaints related to delayed services, bringing a claim against the customer in connection with the damages caused as a result of his actions etc.)
3.4.12. Organizational, resource, IT system and infrastructure (for example, information systems, software, data bases, network maintenance, improvement and security) and financial management, as well as management and administration of settlement and transactions (e.g., organizational management of insurance, management of processes);
3.4.13. Audits, revisions, due diligences, reorganization and restructuring or preparation for such processes or transactions, including we may process data in case of mergers or divisions, different acquisitions and/or transfer of liabilities, business and assets in full of partially, as well as within different legal proceedings, for example, legal protection proceeding, liquidation, insolvency proceeding. Additionally, in case of reorganization and/or acquisition and transfer of assets, liabilities and business, before such transaction data may be processed with the purpose to get acquainted with business transaction content and to evaluate its value. In any such case we will assess necessary scope of personal data with due care and will reduce personal data processing as much as possible to achieve the purpose and ensure appropriate protection of personal data, as well as conclusion of appropriate agreement with partner. We will inform you in cases any of such transaction has an impact our liabilities towards you or may involve transfer of your personal data to another company. Such processing may be based on law (for example, Commercial law, audits and revisions may be based on Law on Revision) and legitimate interest;
3.4.14. Protection of lawful interest, for example, data processing in relation to claim, obtaining and submitting necessary evidences in case of dispute or in case airBaltic shall prove to authorities or others that airBaltic has complied with any its lawful obligations, as well as any other processing necessary to protect legitimate interest.
In general, we shall store your personal data until we have fulfilled the purpose of processing.
In this regard, we apply the following criteria when we determine period of time for processing and storage of the data:
5.1. we process/store the data until fulfilment of the purpose;
5.2. period of time, which is necessary to ensure fulfilment of contractual relationships, for example, to allow you to use the service and provide the service for;
5.3. period of time necessary to ensure processing, which is based on your consent. If the consent is withdrawn, processing, which is based on such a consent, is terminated;
5.4. period of time specified by the applicable regulatory enactments. airBaltic Training is a subject of various laws and regulations, which determine strict obligations, as well as some of them determine period of time for which information shall be stored;
5.5. period of time necessary to protect lawful interests, including period of time necessary to review and resolve the dispute or claim, as well as period of time necessary to prove that appropriate processing was carried out and appropriate measures taken (including, to have proofs to present to appropriate competent authorities that airBaltic Training has complied with its lawful obligations);
5.6. limitation period for different requests and claims, including those, which may be addressed towards airBaltic Training by data subject and those, which airBaltic Training may address to data subjects when exercising its lawful rights – for example, requesting data subject to cover the debt;
5.7. period of time during which a person or authority may exercise its rights and contact airBaltic Training.
We have implemented various tools and services that facilitate our cooperation and communication and achievement of purposes of personal data processing. Therefore, we may disclose your data to the categories of data recipient as mentioned below.
Please note that we disclose your personal data only when there is a legal ground for disclosure of data.
The categories of data recipients:
6.1. we may disclose your data to auditors, service provider of accountancy and financial services, as well as payment service providers (for example, to bank or other financial institution) to ensure payment for services or other services;
6.2. we may disclose your data to marketing service providers, for example, companies which provide consultations on marketing, IT solutions for marketing needs, service providers, which ensures solution for sending newsletters, offers and information (Mailchimp service provider, Rocket Science Group LLC service provider, which data centres are located outside European Union in United States of America, information on privacy protection measures are available at: https://mailchimp.com/legal/privacy/ . Rocket Science Group LLC, MailChimp are relying on Standard Contractual Clauses approved by European Union’s Commission to protection personal data, when data are transferred to USA;
6.3. we may disclose your data to partners, which provide us with the following services – insurance services providers, IT service and support providers and telecommunication companies. For example, service providers ensuring recording of our call in order we could ensure selling of tickets over the phone.
6.4. we may disclose personal data to the relevant state or local government authorities in cases and under procedure provided by law.;
6.5. your data may be disclosed to the website service providers, with whom we have concluded the agreement to ensure operation of the website;
6.6. hotels and accommodation service providers may receive information about you in some specific cases, for example, you are representative of our partner and we have arrangement that we will organize accommodation reservation for you.
6.8.we may disclose personal data in certain cases to consultants, debt recovery service providers, lawyers;
6.9. we may disclose your data when it is necessary and by applying principle of data minimization to persons involved in transactions of reorganization, acquisition and/or transfer of assets, liabilities and business, and any others, who provide support or consultations for preparation and execution of such transactions, as well as those, who are involved in evaluation of such transaction before it is commenced;
Our partners are always obliged to adequately safeguard your personal information and process it in accordance with instructions stated in our mutual agreement.
We apply technical and organizational measures to protect your privacy and data.
We update and test our security technology on a regular basis. We restrict access to your personal data only to authorized staff in order to provide services to you. We also train our staff about personal data protection, the importance of confidentiality to ensure the privacy and security of your information.
We use different encryption solutions to ensure security of information.
We have implemented the Privacy Program, within which we have approved several policies and procedures aiming to support personal data processing in accordance to the provisions of the regulatory enactments, including with the purpose to ensure secure processing data. As well as we have implemented procedure, which ensure that in case of suspected data breach, such events are investigated with due care and steps are taken to ensure protection of your data.
We may approach you in the following situations:
8.1. General information and confirmation on service you have bought with us. For example, confirmation of your reservation, information about reservation, invoice on purchased services, description of services, conditions, information about execution of your order, information about irregularities or any other changes or information which may have impact to service ordered by you.
Legal ground and your rights: Legal ground for providing such information is the performance of a contract or in order to take steps prior to entering into a contract. Such communication is essential for our mutual contractual relationships.
8.2. We may invite you to participate in a survey and give your opinion on our offered or provided service, or invite you to participate in any other survey with the purpose to improve our operation and services.
Legal ground and your rights: Legitimate interest to evaluate and improve our operation and quality of services. You have rights to choose freely whether you would like to participate in such a survey or refuse participation. You may also object and refuse any further communication in relation to particular survey by unsubscribing from reminders about survey in e-mail received from us. In case you do not want to receive any further invitation to participate in any further surveys, then write an e-mail to [email protected] at any time (writing e-mail from e-mail address to which you would not like to receive invitations to survey), by indicating your objection (for example, I object receiving any invitation to surveys in a future).
8.3. We may congratulate you with celebration, for example to send you a birthday greeting. We care about our passengers and as anyone you cares about the other, we would like to greet you in celebrations, therefore, we may send you some greetings.
Legal ground and your rights: Legitimate interest to congratulate with celebration and to strengthen relationships with clients. You have rights to object such messages:
- Objection after receiving message – unsubscribe from such communication in an email you have received from us;
- Objection at any time – additionally, we have provided you with an opportunity to object any such communication at any time, by sending objection to [email protected] from your e-mail address registered with booking for communication purposes – and specifying scope of your objection (for example, objecting receiving greetings).
8.4. We may contact person indicated by client and a person to contact in case of emergency. According to law, airBaltic Training shall offer clients a possibility to indicate a person whom to contact in case of emergency. Beside law, we consider this also as legitimate right of client to inform relatives.
Therefore, in case of emergency we may contact such a person, if client has indicated such contact details in reservation.
Legal ground and your rights: You have rights to choose whether you submit contact details of other person in case of emergency. If you choose to indicate such person, please make sure that such person is informed and consented that its data is delivered to airBaltic Training of emergency contact purposes.
8.5. We may contact you in relation to some complaint or application, or request, or any liabilities. During business, there might be a necessity to contact you in relation to different matters, for example, to answer to your claim, to contact you in case there is some debt, to contact you in case of your request or application, to provide you with answer, to provide you with requested data. The purpose of such communication is to ensure contact with you and provide you with necessary information. Such communication may be based on requirement of law (for example, obligation to answer of consumer claims), based on conclusion or execution of contract with you, as well as in separate situations based on legitimate interest to contact you for different matters.
Legal ground and your rights: You have rights to object communication when it is based on legitimate interest. However, in case of objections we may not be able to ensure you with requested answer if provision of answer is based on legitimate interest. Therefore, in case there are some objections towards our communication, please do not hesitate to contact us to [email protected] and we will investigate situation with due care and try to find the best solution in a particular situation.
8.6. We may contact you in any other meaningful situations, for example, to inform you on changes in operation of the company, to inform you on some restrictions in country due to emergency state.
Legal ground for such communication is legitimate interest to ensure clients with meaningful information in relation to the company and its operation, as well as in some specific situations it may be requirement of law, when applicable regulatory enactments imposes obligation to provide certain information. In case information is provided due to obligation of law, then rights to object do not apply (unless clearly stated by law). In case of legitimate interest, you have rights to object.
Legal ground and your rights: You have rights to object communication when it is based on legitimate interest, by following the scope of law and writing to [email protected]
airBaltic Training may conduct video surveillance at airBaltic Training facilities, such as the airBaltic Training administration office and its adjoining area, to ensure the security of persons, information, property, aviation and infrastructure, prevention of illegal or other threats (including preventive), as well as facilitating the detection of criminal offenses at the facilities and adjacent territory. Video surveillance may be carried out based on a legitimate interest.
We place warning signs at airBaltic Training facilities, which are under video surveillance.
airBaltic Training ensures that video cameras are not placed in areas with increased level of privacy, such as lounges, toilets, changing rooms. Before the video cameras are placed, the surveillance area is carefully selected to minimize monitoring of areas that are not relevant to reaching the purpose.
The data on video surveillance may be accessed only by the authorized persons for performance of direct duties, as well as by security guard and security and consultation service providers, law enforcement authorities and others in case provided under the applicable regulatory enactments (the mentioned may involve inter alia data subjects when they lawfully request access to such records, as far as it may not harm rights and freedoms of any other individual).
airBaltic Training carefully evaluates the facilities where video surveillance cameras are located, assessing the surveillance area and the risks associated with it. Video surveillance records may be kept for the period necessary to achieve the purpose, taking into account the specifics of the observed objects, the conditions and the risks associated with them. Depending on the observed object and its specifics, the storage times of records may differ. However, in any case the retention period for video surveillance records shall not exceed two months.
In exceptional cases, for example, if request from court or law enforcement authority is received, in case of theft or in case of suspected unlawful behaviour, specific records may be stored for longer period of time (exceeding two month) necessary for execution of request and protecting of lawful interest (for example, in order airBaltic would be able to demonstrate proofs on illegal behaviour or criminal offence or in case of suspicious on any of the mentioned, as well as to investigate some potential incident in relation to the purposes mentioned above).
We process your data; therefore, you have the opportunity to request what we do with it and how, and in some cases ask us to process it to a lesser extent by complying with the applicable regulatory enactments.
11.1. Your rights. You have the following rights according to the applicable regulatory enactments:
- to access your personal data (receive a copy of your personal data and request the purpose and basis of the data processing);
- to object the processing of your personal data when its based on a legitimate interest. In case you address to [email protected] objection towards processing of your personal data, please specify the processing towards which you address your objection.
- to withdraw consent (refuse from receiving newsletters, cookies); Take into account that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- to rectification (change your contact information, submit current information in case of change);
- to be forgotten or erased (request to delete your information from our databases, in compliance with the scope determined under the applicable regulatory enactments). Please be informed that according to the applicable regulatory enactments we may keep certain information also after the request on rights to be forgotten or erasure, for example, when the applicable regulatory enactments impose obligation to store certain information for specified period of time, for example, the Accountancy Law may impose obligation to store information on our transaction. As well as we may continue storage of information for the establishment, exercise or defense of legal claims and in other cases provided under the applicable regulatory enactments. We will examine each request with due care and will exercise your rights to be forgotten towards information which shall be deleted according to GDPR.
- to restrict processing of personal data (ask us not to use certain information about you for limited period of time);
- to data portability (receive information about yourself which you have provided to us and ask to deliver such information to another controller if it is technically feasible);
- in case you have any concerns or objections or complaints on processing of personal data carried out by airBaltic Training, we invite you to turn to us by writing message to [email protected] and we will review the issue with due care and will take steps to solve the issues as soon as possible. Nevertheless, data subjects are entitled to lodge a complaint with a supervisory authority.
Depending on the nature of information you want to access, some authentication requirements may apply to allow airBaltic Training to verify whether you are the person you declare to be, for example, if you want to obtain data generated while receiving the service or obtain special category personal data, more strict authentication requirements may be applied comparing to procedure applied in a daily course of business.