Fundamentals for Processing of Personal Data
(hereafter the "Fundamentals“)
Personal data controller: Travel Service, a.s., business ID No: 256 63 135, having its registered office at the address Praha 6, K Letišti 1068/30, postcode: 160 08 (hereafter the "Controller")
Contact email address of controller: firstname.lastname@example.org Data protection officer: Mgr. František Kubečka, KUBEČKA & PROKOP, advokátní kancelář s.r.o., business ID No: 036 90 121, having its registered office at the address Praha 2, Kladská 1489/5, postcode 120 00 (hereafter the "Officer")
These Fundamentals describe the handling of your personal data and constitute the foundation and information source for the processing of your personal data. These Fundamentals inform you of the designated purpose of processing, legal title of processing, restrictions on the saving of gathered personal data and about other important things. In the Fundamentals you will read about your rights, these being:
- to access to the processed personal data
- to withdrawal of consent to the processing of personal data
- to correction of inaccurate or incorrect data
- to erasure of personal data
- to restriction on the processing of personal data
- to list of personal data in structured and machine-readable format for yourself or other controller (portability right)
- to lodging of objection against personal data
- to right not to be a subject of automatic decision-making
If you do not like how we process your personal data, you can contact us on the email address email@example.com, or you have the right to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection (www.uoou.cz).
1. Basic information
- The Controller offers services in the field of civil air carriage, this being in compliance with laws regulating civil aviation at the national and international level.
- The partner of the Controller is a legal or natural person who participates in the process of selling air tickets or in the process of provision of a service consisting of the carriage of persons or things.
- You - the passengers flying off with us to your dream holiday or a business meeting - are the Client.
- The Controller processes personal data of Clients in compliance with Act No 101/2000 Coll., on personal data protection (hereafter the "ZoOOÚ"), and also in compliance with the Regulation of the European Parliament and the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter the "GDPR") and in compliance with Act No 49/1997 Coll., on civil aviation (hereafter the "ZCL") and Directive (EU) 2016/681 of the European Parliament and of the Council on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (hereafter "PNR").
- The Client is not obliged to provide the Controller with personal data that the Controller does not need for the provision of the service or which the law does not require of the Controller. But if the Client refuses to provide the Controller with the personal data defined by the preceding sentence, the Controller is authorised to refuse the provision of the service to the Client. It gathers other personal data, which is your email address and your telephone number, so that it can send you a digital air ticket or inform you of a delay or cancellation of a flight or about other complications. If the Controller processes your personal data which it does not need for the provision of the service or which the law does not require the Controller to gather, it will do so only with your voluntary consent or by reason of its legitimate interest. In no case will the Controller require the provision of consent to the processing of your personal data as a condition for the provision of the service.
2. Purpose of processing of personal data
Your personal data is processed in particular with the aim of providing a carriage service. If we provide a carriage service to you, we will retain some of the personal data for the purpose of our legal protection, this being in connection with your rights from the contract of carriage and rights to compensation for loss.
Your personal data may be processed with the aim of direct marketing of the Controller, but only if you grant voluntary consent to this, which you can withdraw at any time. The Controller may use your personal data in connection with direct marketing, even if a legitimate interest suits it to this end.
3. Subject of personal data processing
The Client takes note that the Controller gathers this data, some of which is personal data, which it needs for the provision of services and which the ZCL and PNR require it to gather:
- given name or given names, and surname,
- day, month and year of birth,
- number and type of passport used by the passenger to prove their identity,
- point of entry to the territory of the Czech Republic,
- flight number,
- date and time of departure and arrival,
- initial point of boarding for carriage and
- total number of passengers carried by the relevant flight.
and during the reservation of the air ticket it also gathers:
- PNR localisation record
- Date of reservation/issue of air ticket
- Date (dates) of intended trip
- Given name (given names)
- Address and contact information (telephone number, email address)
- All information about means of payment, including billing address
- Complete route for individual record in passenger name record
- Information about traveller's loyalty programme
- Travel agency or broker
- Situation of passenger, including confirmation of departure, check-in, information about cases where the passenger did not arrive for departure or where the passenger arrived at the airport without a reservation
- Decomposed or separated information of PNR
- General observations (including all available information about unaccompanied minors under the age of 18, such as name and gender of minor, age, language (languages) which he/she speaks, name and contact data of guardian upon departure and relationship with minor, name and contact data of guardian upon arrival and relationship with minor, intermediary upon departure and arrival)
- Information about issue of air ticket, including air ticket number, date of issue of air ticket and one-way air tickets, and content of section ATFQ (Automated Ticket Fare Quote)
- seat number and other seat information
- Information about code sharing
- All baggage information
- Number and other names of passengers on single PNR record
- All gathered API data (including type, number, country of issue and date of expiry of identity document, nationality, surname, given names, date of birth, airline, flight number, departure date, arrival date, place of arrival, departure time and arrival time)
- All preceding changes to PNR records given under points 1 to 18.
The Client takes note that the Controller may gather personal data related to the state of health of a data subject which Regulation (EC) No 1107/2006 concerning the rights of disabled persons and persons with reduced mobility when travelling by air requires that the Controller gather. The Controller gathers this personal data, which is a special category of personal data, because it is essential for performing legal obligations, and the exceptions to the prohibition on processing given in article 9 paragraph 2 of the GDPR apply to it.
The Client takes due note that the Controller may process a IP address, this being in the case of conclusion of a contract of carriage with the Controller via remote electronic communication means (so-called online), and the Controller may also use your contact data for commercial messages if the legitimate interests of the Controller override the interests of the Client.
4. Limitation of storage
The Controller will liquidate your personal data which it has gathered for compliance with the duties pursuant to ZoCL and PNR within 24 hours of the plane landing, with the exception of personal data which it gathers for reasons given in the following sentences of this article.
The Controller will retain your personal data consisting of given name, surname and date of birth for the reasons of judicial redress, this being in connection with your rights from the contract of carriage (for example, Montreal Convention; Regulation of the European Parliament and of the Council (EC) No 261/2004 of 11 February 2004 establishing common rules on compensation and assistance to passengers in the event of denied boarding and of cancellation or long delay of flights) and rights to compensation for loss (for example section 636 of paragraph 2 of the Civil Code) for 15 years. After this it will liquidate all personal data.
The Controller retains your personal data if you yourself voluntarily express consent to its processing, and it does so for a period of 5 years, unless you withdraw your consent earlier.
The Controller will retain your personal data not given in the preceding sentences of this article if it has a corresponding purpose of processing for it, this being for a period of 4 years. The Controller bases the legal title for personal data processing on legitimate interests consisting of judicial redress.
5. Transfer of personal data
The Client takes due note that the Controller may use the gained personal data, including special categories of personal data, transfer it to a Partner of the Company, only for the purpose defined in article 2 of these Fundamentals.
The personal data Controller may transfer your personal data to recipients in a third country, in particular airports in the country of arrival or national authorities which perform the function of state aviation authority or to a Partner in a third country only for the purpose defined in article 2 of these Fundamentals.
The transfer of your personal data is based on suitable guarantees consisting of the decisions of the Commission (if you fly to a country where corresponding personal data protection is guaranteed by this decision; you can find a list of these decisions here: https://www.uoou.cz/prehled-pripadu-predavani-osobnich-udaju-do-zahranici-u-nichz-neni-nutne-zadat-urad-o-povoleni/ds-1649), or in international treaties. Other transfers of personal data based on appropriate guarantees are designated in article 46 of the GDPR, and we inform you about them in contact emails of the Controller given in the Introduction to these Fundamentals.
The Partners of the company mean in particular:
- operators of public international airports
- handling companies and handling agents (subjects ensuring aircraft handling)
- travel bureaux and travel agencies
- Civil Aviation Authority
- national authorities of other countries which perform the tasks of state aviation authority
- units of Police of the Czech Republic, pursuant to Act No 326/1999 Coll., on residence of foreigners on the territory of the Czech Republic
- other persons participating in the implementation of a service consisting of the carriage of persons and goods
The Client takes due note that the Controller can transfer personal data to state authorities for a purpose designated by legal regulations.
6. Source of personal data
Your personal data coming directly from you, if you ordered the air tickets on our web pages or in some other way (email, telephone, in writing).
Your personal data coming from travel bureaux, travel agencies or other traders from whom you ordered the carriage service.
Your personal data coming from our so-called General Sales Agent (exclusive sales representative; GSA), which is the company AIR WORLD SERVICE a.s., business ID No: 274 36 578, having its registered office at the address Milady Horákové 382/75, Prague. The GSA can obtain personal data in a manner comparable to the way we obtain it.
7. Rights of Client
I. right to provision of basic information about processing - we are obliged to inform you when we gain personal data if we get it directly from you, and if we did not get it directly from you, at the latest one month after the personal data is gained or at the moment when there is mutual communication if the personal data is used for the purposes of this communication, or at the latest after the first disclosure if we disclose it to a third party.
II. right to access to personal data - based on a request from you we are obliged to confirm for you whether we process your personal data and inform you according to the GDPR of, for example, the purpose, period of processing, right to erasure etc. We will also provide you with a copy of the processed personal data under the condition that it does not adversely affect the rights and freedoms of other persons.
III. right to correction – if we have inaccurate personal data, we are obliged to correct it or complete it at your request.
IV. right to erasure – based on your request we are obliged to erase personal data without undue delay, especially if:
- you have withdrawn consent and we have no other legal title for processing,
- we no longer need the personal data for the defined purpose for which it was processed,
- we have processed your personal data unlawfully,
- we thereby comply with the legal obligation according to legislation,
- you object to personal data processing based on legitimate interests, and there are no overriding legitimate interests here,
- you object to personal data processing for the purposes of direct marketing, including profiling.
Even if you request erasure, we are not obliged to erase the personal data, in particular for the reason of:
- establishment, exercise or defence of legal claims,
- compliance with legal obligation according to legislation,
- exercise of right to freedom of expression and right to information.
V. right to restriction of processing - we are obliged to restrict the processing of your personal data if:
- you contest the accuracy of personal data,
- the Controller processes your personal data unlawfully, but at the same time you do not want the Controller to erase it,
- the Controller no longer needs the personal data for any of the defined purposes, but you require the Controller to retain it for the establishment, exercise or defence of legal claims,
- you have objected to processing on the basis of a legitimate interest pursuant to article IV, and we are waiting for verification of whether the interests of the Controller override your legitimate reasons.
At a time when the processing of personal data is restricted, the Controller may process this data only by means of its saving, with the exception of a situation where you grant us consent, or for the establishment, exercise or defence of legal claims, in order to protect the rights of another natural or legal person or for the reason of important public interest of the Union or some Member State.
The Controller will inform you in advance should a situation occur where the restriction of processing will be cancelled.
VI. right to data portability - if we process your personal data on the basis of consent or on the basis of a concluded contract, and the processing is performed wholly automatically, you can ask the Controller for:
- provision of personal data in a structured, commonly used and machine-readable format,
- the transfer of such data directly to another controller if technically possible.
VII. right to object – if we process your personal data on the basis of a legitimate interest, or if we perform profiling, you can object to this processing at any time. We will then restrict processing until everything is clarified, and if we subsequently do not show serious legitimate reasons for processing, we will no longer process the data. If we use the data for direct marketing, we will stop processing your personal data without further ado after you raise an objection.
VIII. right to protection from the part of state authorities - you have the right to refer the matter to the supervisory authority for personal data protection - the Office for Personal Data Protection, with headquarters at the address Pplk. Sochora 27 170 00 Praha 7, web: https://www.uoou.cz/, telephone: land line: +420 234 665 111 (head office), by lodging a complaint. In addition to this you have the right to the provision of judicial redress. You can lodge a complaint with the supervisory authority and bring a court case if you feel that your rights protected by the GDPR have been breached as a result of processing from the part of the Controller.
ASSERTION OF RIGHTS AGAINST CONTROLLER
You can assert your rights against the Controller in particular electronically by sending an email to the address: firstname.lastname@example.org, or by post to Na bojišti 1473/18, Nové Město, 120 00 Praha 2. If you contact us electronically, the Controller will also answer electronically because we want to save our forests. But you can ask us for a different means of communication.
We will process your requests and react to them as soon as possible according to capacity and our possibilities, but in compliance with the GDPR we must react at the latest within 1 month from receipt of the request. We can extend this period by a further two months if needs be and with regard to the complexity and number of requests. But we will inform you of each extension within one month of the receipt of a request along with the specified reasons for the delay.
Should we have doubts about your person, we will want you to provide us with further information essential for the confirmation of your identity. The reason is protection of your data, i.e., so that the personal data is not transferred to a person who is not the person he/she is claiming to be.
We deal with requests free of charge, but there are certain exceptions to this:
- Your request is unjustified,
- Your request is excessive,
if the Controller comes to the conclusion that one of the specified reasons has occurred, it will refuse to accede to the request, or we will bill you a commensurate fee in order to cover the administrative costs associated with the handling of the request.
Travel Service, a.s.