Data Protection Policy
Effective · 25 May 2018
SIA Baltic Business Aviation Center
SIA Baltic Business Aviation Center (entity code: 40003752570; Dzirnieku street 15, Riga Airport, Marupe, Marupe district, LV-1053, Latvia) (hereinafter — BBAC) is committed to respecting your privacy and protecting your personal data. This data protection policy (hereinafter — Policy) is effective from 25 May, 2018 (hereinafter — Effective Date).
All personal data is obtained, held, and processed by BBAC, in compliance with this Policy, any and all data protection related laws and regulations that are applicable to BBAC (including without limitation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, the applicable national data protection law in Latvia, and any data protection related terms in any agreement or contract in force between BBAC and its customers in relation to the supply by BBAC of services and/or products.
Definitions
- GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Personal Data — any information relating to and identified or identifiable data subject as defined by applicable law.
- Data Subject — an identified or identifiable natural person.
- Customer — natural or legal person who provides BBAC with Personal Data.
- Data Protection Laws — with relation to Personal Data means GDPR and any other applicable data protection laws.
- Controller / Processor — as defined in GDPR.
- Personal Data Breach — as defined in GDPR.
- Data Processing (Process, Processing) — any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Services — any actions performed by BBAC to provide the services for the aircraft in accordance with the contracts signed between the Customer and BBAC, or Customer's documented instructions, requests, specifications, descriptions, agreements.
- Responsible Person — Responsible for Personal data protection in BBAC: privacy@bbac.aero.
- Register of Systems — Register of all systems or contexts in which Personal Data is processed by BBAC.
Data Protection Principles
BBAC is committed to Processing data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that Personal Data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
General Provisions
This Policy applies to all Personal Data processed by BBAC.
The Responsible Person shall take responsibility for the BBAC's ongoing compliance with this policy.
Any Personal Data provided will only be used in accordance with this Policy. This Policy applies to Personal Data that we collect, use and otherwise Process in connection with BBAC relationship with the Customer (as a client or potential client, use of BBAC Services, use of BBAC website or mobile apps, booking the Services through third parties (such as agents, brokers and other carriers).
This Policy applies to BBAC Customer whether the BBAC Services are provided on a casual basis or the Customer entered into a contract with BBAC. BBAC Services acquired by the Customer from BBAC will be subject to their own terms and conditions. In the event of any conflict between this Policy and the terms and conditions of any such Services, then the terms and conditions of those Services shall prevail.
Changes to the Policy
This Policy is effective as of the Effective Date. Last Revised Date appearing at the bottom of this Policy to determine when this Policy was last updated. Any changes or modifications will become effective with the Last Revised Date. Any changes to this Policy will be made as required. If the Policy has been changed in any way, then the latest revision of this Policy will be published on BBAC website. Customer is encouraged to check whether any changes have been made to the Policy from time to time.
Customer's access to or use of any of BBAC Services is entirely voluntary. Customer's use of Services constitutes Customer's acceptance of all of the terms and practices described in this Policy, including without limitation, the collection, use, processing, and disclosure of Personal Data as described in this Policy.
BBAC Services should not be used by the Customer if the Customer disagrees with any part of this Policy.
Any questions or concerns about this Policy or its implementation can be addressed contacting BBAC at privacy@bbac.aero.
News, publications and events
BBAC shall use the information provided by the Customer to send the news about the latest developments (news, events etc.) at the company, the scope of services that can be provided to the Customer. Personal Data will be used for this purpose until BBAC shall be informed that Customer no longer wishes to receive such information from us.
Lawful, Fair and Transparent Processing
To ensure its Processing of Personal Data is lawful, fair and transparent, the BBAC shall maintain a Register of Systems.
The Register of Systems shall be reviewed at least annually.
BBAC shall process Personal Data on the basis of:
- Customer's consent;
- legal agreement between BBAC and the Customer that establishes a basis for data processing;
- legal obligations to which BBAC is subject; and / or
The processing of Personal Data is limited to the scope of purpose for which the data was collected. Access to Personal Data will be restricted to personnel who are required to process the Personal Data to fulfil their professional responsibilities and their duties to you as the Customer. Personal Data is not stored or processed longer than is necessary with respect to the data processing purposes that are listed above.
BBAC has taken the appropriate technical and organizational measures to ensure the secure processing of Personal Data. Personal Data will be processed in such a manner to ensure confidentiality and data integrity.
Data Minimisation
BBAC shall ensure that Personal Data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed.
Archiving / removal of Personal Data
To ensure that Personal Data is kept for no longer than necessary, BBAC shall put in place an archiving policy for each area in which Personal Data is Processed and review this Process annually.
The archiving policy shall consider what Personal Data should/must be retained, for how long, and why.
BBAC Obligations
With respect to the Services, BBAC is the Processor of Personal Data and Customer is the Controller of Personal Data.
BBAC shall Process the Personal Data to perform the Services in accordance with Customer's documented instructions, agreements, specifications, descriptions.
BBAC shall maintain the confidentiality of any such Personal Data and shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Personal Data, ensuring in each case that access is limited only to those individuals who need to access the relevant Personal Data for the purposes necessary to perform the Services.
To the extent that BBAC experiences a Personal data Breach with respect to the Personal Data that BBAC Processes as part of its performance of the Services, BBAC will notify Customer promptly upon becoming aware of such Personal Data Breach.
BBAC will provide all reasonable assistance to Customer with regards to any issues related to data protection to the extent required by applicable law.
After the end of the provision of Services, BBAC shall delete all copies of Personal Data Processed by BBAC in accordance with BBAC company procedures on data protection.
Upon prior written notice by the Customer, BBAC shall make available to the Customer all information necessary to demonstrate compliance with the terms set forth in this Policy.
Customer Responsibilities
In performing the Services on behalf of the Customer, BBAC is relying on the following information to be true and accurate:
- The Customer is the Controller and BBAC is the Processor acting on the Customer's behalf;
- The Customer shall comply with the applicable laws and regulations related to data protection and confidentiality;
- The Customer shall be responsible for obtaining the consent of the Data Subject for the Processing of the Personal Data;
To the extent applicable the Customer shall be responsible for notifying or otherwise gaining approval of any regulatory body to the data transfer arrangements.
Location of the Processing of Personal Data
BBAC primarily stores and Process Personal Data within the European Union. Nevertheless, it may at times be necessary that Personal Data is transferred to and stored at a destination outside the European Union. It may also be processed by data processors operating outside the EU.
By submitting Personal Data to BBAC or by consenting to the processing of Personal Data Customer agrees to the processing of Personal Data, including both data storage and data transfer, outside the EU for the purposes set out in this Policy. BBAC shall take all reasonably necessary precautions to ensure that transferred Personal Data is treated securely and in accordance with the applicable Data Protection Laws.
Transfer of Personal Data to Third Parties
Due to the nature of BBAC provided Service Personal data may be transferred to third parties, including to other countries that may not have the same data protection laws as the country where Personal Data was originally collected. Such transfer of Personal Data to third countries is necessary for the performance of contractual Services between the Customer and BBAC. Therefore, the transfer of Personal Data is hereby legitimized on the basis that such transfer is necessary for the performance of a contract between Customer and BBAC. These third-party services providers are to be considered Data Processors.
To the extent applicable it may be necessary for BBAC in fulfilment of the Services to transfer Personal Data to a third party agency or authority (including, but not limited to: various governmental agencies, airport authorities, customs officials etc.) (hereinafter “Authorities”), which may be located outside of the EEA. To the extent that Authorities make independent decisions in Processing of Personal Data, Authorities act as independent Controller, and BBAC shall not be liable for the Processing of Personal Data by the Authorities.
The Personal Data that will be transferred will be limited to the minimum that is required to ensure the provision Services.
Access, Review, Transfer and Deletion of Personal Data
BBAC shall make Personal Data available to the Customer for review pursuant to a request from the Customer. Customer among other rights has the right to request from BBAC erasure of Personal Data or restriction of processing.
Applicable Law
Any dispute arising from or related to the acceptance, interpretation or observance of this Policy shall be submitted to the exclusive jurisdiction of the competent Court of Latvia which shall apply the laws of Latvia.