Fundamentals for Processing of Personal Data

Personal data controller:
Smartwings, a.s., IČ (company ID): 256 63 135, registered office: Praha 6, K Letišti 1068/30, postal code: 160 08 (hereinafter referred to as the “Controller” or “SW CZ”)

and

Smartwings Slovakia, s.r.o.,
registered office Ivanská cesta 30/B, Bratislava 821 04
IČO (company ID): 47 880 627
(hereinafter referred to as “SW SK”)

and

Smartwings Poland Sp. z o.o.,
registered office ul. Gordona Bennetta 2B, Warszawa, 02-159, Poland
REGON: 142926546
(hereinafter referred to as “TVS PL”)

and

Smartwings Germany Gmbh,
registered office Theatinerstraße 23, c/o Baker&McKenzie, 80333 München
Numer der Firma: HRB 221461
(hereinafter referred to as “SW DE”)

(SW CZ, SW SK, SW PL and SW DE are hereinafter jointly referred to as “Joint Controllers” or “SW” and individually as “Each Controller”)

Contact e-mail of the Controller: This email address is being protected from spambots. You need JavaScript enabled to view it.

Data Protection Officer of the Controller SW CZ: Mgr. František Kubečka, KUBEČKA & PROKOP, advokátní kancelář s.r.o., IČ: 036 90 121, registered office: Praha 2, Kladská 1489/5, postal code: 120 00 (hereinafter referred to as the “Data Protection Officer”)

Contact details of the Data Protection Officer of SW CZ: www.ipoverenec.cz; This email address is being protected from spambots. You need JavaScript enabled to view it.

Other personal data controllers in Smartwings Group:

Smartwings Hungary Kft.,
registered office: Wesselényi u. 16/A, Budapest, 1077, Hungary
company numer: 01-09-693315
(hereinafter referred to as “SW HU”)

and

České aerolinie a.s.,
registered office: Evropská 846/176a, Vokovice, 160 00 Praha 6
IČO: 457 95 908
(hereinafter referred to as “ČSA”)

In Smartwings Group, SW HU and ČSA have reserved the right to issue and apply their own general principles for personal data processing. These Principles do not apply to them (except for informing the public about joint controlling of certain personal data). SW CZ, SW SK, SW PL and SW DE as well as SW HU and ČSA are Joint Controllers of certain personal data in accordance with Article 26 of GDPR.

INTRODUCTION

These Principles describe the handling of your personal data and constitute a general basis and information source for the processing of your personal data. These Principles contain information for you about the intended purpose of processing, legal ground of processing, restriction of storage of collected personal data and about other important matters. The Principles also contain information about your rights, namely the rights:

  • to obtain access to the personal data processed
  • to withdraw consent to personal data processing
  • to have inaccurate or incorrect data rectified
  • to have personal data erased
  • to restrict personal data processing
  • to obtain extract of personal data in a structured and machine-readable format for yourself or for another controller (right to data portability)
  • to object in relation to personal data
  • not to be subject to automated decision-making.

If you do not like the way we process your personal data, you may contact us at the e-mail address This email address is being protected from spambots. You need JavaScript enabled to view it. or may lodge a complaint with the supervisory authority, which is:

for SW CZ: Úřad pro ochranu osobních údajů (www.uoou.cz)

for SW PL: Biuro Generalnego Inspektora Ochrony Danych Osobowych, web: http://www.giodo.gov.pl

for SW SK: Úrad na ochranu osobných údajov Slovenskej republiky, web: http://www.dataprotection.gov.sk

for SW HU: Nemzeti Adatvédelmi és Infotmációszabadság Hatóság , web: http://www.naih.hu/

for SW DE: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit , web: http://www.bfdi.bund.de

Unless explicitly set out otherwise below, these Principles apply to Each Controller (do not apply to SW HU and ČSA).

1. Basic information

  • 1. The Controllers offer services in the field of civil air transport in accordance with the legal regulations governing civil aviation on the national and supranational level.
  • 2. Partners of the Controllers are legal entities and natural persons which participate in the process of sale of tickets or in the process of provision of a service consisting in the transport of persons or items.
  • 3. Clients are you – passengers who fly with us for your dream holiday or to a business meeting.
  • 4. The Controllers process personal data of Clients in accordance with the national personal data protection legislation as well as Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR”) and in accordance with the national civil aviation legislation and Directive (EU) 2016/681 of the European Parliament and of the Council on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (hereinafter referred to as “PNR Directive”), in particular.
  • 5. The Client is not obliged to provide the Controllers with any personal data the Controllers do not need for the provision of the service or any personal data the collection of which is not required from the Controllers by law. However, if the Client refuses to provide the Controllers with the personal data defined in the preceding sentence, the Controllers have the right to refuse to provide the service to the Client. Other personal data, such as your telephone number or e-mail address are collected by the Controllers to be able to send you an electronic ticket or to inform you about a delay or cancellation of a flight or about other complications. If the Controllers process your personal data they do not need for the provision of the service or the collection of which is not required from them by law, they will only do so with your voluntary consent or on the grounds of their legitimate interest. In no case the Controllers will require your consent to the processing of your personal data as a precondition for the provision of a service.

2. Purpose of personal data processing

Your personal data are processed for the purpose of providing a transport service, in particular. If we provide a transport service to you, we will keep a part of your personal data on the grounds of your and our judicial protection in relation to your rights from the transport contract and rights to compensation for damage.

Your personal data may also be processed for the purpose of direct marketing of the Controller but only if you give voluntary consent to such processing, which may be withdrawn at any time. The Controller may also use your personal data in relation to direct marketing if the Controller has a legitimate interest to do so.

3. Subject-matter of personal data processing

The Client acknowledges that the Controllers collect the data, some of which are personal data, the Controllers need for the provision of a service and the collection of which is required from the Controllers by the national legislation in the field of civil aviation and PNR:

A) Identification, contact and descriptive personal data under the national legislation in the field of civil aviation:

  • 1. name(s)
  • 2. surname(s)
  • 3. day, month and year of birth
  • 4. citizenship
  • 5. number and type of the travel document the passenger presented
  • 6. place of entry into the territory of the Czech Republic
  • 7. flight number
  • 8. date and time of the departure and arrival
  • 9. initial place of boarding for transport
  • 10. total number of passengers carried on the flight.

B) Identification, contact and descriptive personal data that may be collected by the Controllers under the PNR Directive (some data overlap with the data required under the national legislation)

  • 1. name(s)
  • 2. address and contact details (telephone number, e-mail address)
  • 3. all information about payment methods, including billing address
  • 4. general remarks (including all available information on unaccompanied minors under 18 years of age, such as the name and gender of the minor, age, language(s) spoken, the name and contact details of a guardian on departure and relationship to the minor, the name and contact details of a guardian on arrival and relationship to the minor, and departure and arrival agent)
  • 5. number and other names of travellers on the PNR
  • 6. all advance passenger information (API) collected (including the type, number, country of issuance and expiry date of any identity document, citizenship, surname(s), name(s), gender, date of birth, airline, flight number, departure date, arrival date, departure port, arrival port, departure time and arrival time)
  • 7. PNR record locator
  • 8. date of reservation/issue of ticket
  • 9. date(s) of intended travel
  • 10. complete travel itinerary for specific PNR
  • 11. frequent flyer information
  • 12. travel agency/travel agent
  • 13. travel status of passenger, including confirmations, check-in status, no-show or go-show information
  • 14. split/divided PNR information
  • 15. ticketing field information, including ticket number, date of issuance of the ticket and one-way tickets, automated ticket fare quote (ATFQ) fields
  • 16. seat number and other seat information
  • 17. code share information
  • 18. all baggage information
  • 19. all historical changes to the PNR listed in numbers 1 to 18.

C) Sensitive and descriptive personal data in special cases

C1) The carrier takes care of the well-being and safety of passengers. Details are set out in the Rules of Transport or in Regulation (EC) No. 1107/2006 of the European Parliament and of the Council of 5 July 2006 concerning the rights of disabled persons and persons with reduced mobility when travelling by air. In this context the carrier may refuse to transport persons with health restrictions as defined in the transport terms and conditions and, in such cases, the air carrier shall process the following personal data (information about health restrictions) for a limited period of time:

  • 1. data about reduced mobility
  • 2. myocardial infarction (21 days or less before the planned trip)
  • 3. stroke (10 days or less before the planned trip)
  • 4. new-born babies (7 days and less after the childbirth
  • 5. decompression (caisson) disease
  • 6. pneumothorax (14 days or less after the event)
  • 7. requirement to have a stretcher
  • 8. inability to sit upright
  • 9. head injury (14 days or less before the planned trip)
  • 10. fractures (except for non-complicated fractures of upper limbs and fingers of upper limbs)
  • 11. plaster (except where upper limbs and fingers of upper limbs are in plaster
  • 12. deep vein thrombosis
  • 13. severe mental disorder (such a person must travel with an accompanying person for whom the seat next to him/her is secured)
  • 14. any serious or acute infectious disease (including chickenpox)

C2) In the event of contracted transport of injured persons (assistance service) the Controllers may process data on the patient’s diagnosis (as part of securing the transport safety), identification data of the attending physician and the address of the hospital where the patient is treated.

The Client acknowledges that the Controllers may collect personal data that relate to the health of the data subject and that must be collected by the Controllers under Regulation (EC) No. 1107/2006 concerning the rights of disabled persons and persons with reduced mobility when travelling by air. These personal data, which are a special category of personal data, are collected by the Controllers, because such data are necessary for the fulfilment of a legal obligation and are covered by the exceptions from the prohibition of processing that are referred to in Article 9(2) of GDPR. The personal data stated under section C) are erased immediately after the aircraft landing at the target destination.

The Client acknowledges that the Controllers may process the IP address in the event of making a transport contract with a Controller by electronic means of distance communication (online), and your contact data may also be used by the Controllers for commercial communication if the legitimate interests of the Controllers override the Client’s interests.

4. Restriction of storage

Your personal data collected by the Controllers for the purpose of fulfilment of obligations under the national legislation on civil aviation and under the PNR Directive shall be destroyed by the Controllers within 24 hours from the aircraft landing, namely those stated in sections A) and B) of article 3 of these Principles, except for the personal data collected by the Controllers on the grounds referred to in the following sentences of this article.

The Controllers shall always keep the following personal data of yours:

  • 1. name
  • 2. surname
  • 3. flight number
  • 4. date and time of departure and arrival
  • 5. initial place of boarding for transport
  • 6. total number of passengers carried on the flight
  • 7. date of reservation/issue of ticket
  • 8. date(s) of intended travel
  • 9. travel agency/travel agent
  • 10. travel status of passenger, including confirmations, check-in status, no-show or go-show information
  • 11. seat number and other seat information
  • 12. all baggage information

on the legal grounds consisting in the legitimate interest in mutual judicial protection and the demonstration of compliance with regulations in the field of civil air transport (e.g. compensation for damage, denied boarding, aircraft safety and balancing, prevention of health risks and terrorist threats).

The Controllers shall also keep the following personal data of yours:

1) date of birth
but only for minors for the purpose of determining their eligibility to a separate seat

2) e-mail address
but only if the ticket is purchased directly from the Controller and is sent by the Controller to the e-mail address or if the e-mail address is used for communication with the data subject

3) banking details
in the event of exercise of passenger’s claims from the air transport within the scope of fulfilment of a legal obligation, or ordering supplementary services

Mutual judicial protection follows from regulations, such as Montreal Convention; Regulation (EC) No. 261/2004 of the European Parliament and of the Council of 11 February 2004 establishing common rules on compensation and assistance to passengers in the event of denied boarding and of cancellation or long delay of flights, or national law in relation to the rights to compensation for damage. These personal data will be kept by the Controllers for 6 years. Afterwards the Controllers will destroy all the personal data.

The Controllers will keep your personal data if you gave your voluntary consent to their processing, for 5 years unless you withdraw your consent earlier.

The Controllers will keep your personal data that are not stated in the preceding sentences of this article (e.g. the personal data you provided to the Controllers in connection with filing a claim for compensation for damage due to cancellation or delay of a flight) for 6 years, provided that they have a relevant purpose for their processing. The legal ground for personal data processing is based by the Controller on the legitimate interest consisting in judicial protection.

5. Personal data transfers

The Client acknowledges that the Controllers may transfer obtained personal data, including special categories of personal data, to a Partner of the company but only for a purpose defined in article 2 of these Principles.

Personal data controllers may transfer your personal data to a recipient in a third country, in particular to the airports in the countries of arrival or to the national authorities that fulfil the role of the national aviation authority, or to a Partner of the company in a third country, but only for a purpose defined in article 2 of these Principles.

Transfers of your personal data are subject to appropriate safeguards consisting in an adequacy decision of the Commission (if you fly to a country where adequate protection of personal data is guaranteed according to such a decision) or in international conventions. Other personal data transfers subject to appropriate safeguards are set out in Article 46 of GDPR, and we inform you about them at the contact e-mail addresses of the Controller referred to in the Introduction of these Principles.

Partners of the company mean in particular:

  • 1. operators of public international airports
  • 2. handling companies and handling agents (entities handling the aircraft)
  • 3. tour operators and travel agencies
  • 4. Civil Aviation Authority (Úřad civilního letectví)
  • 5. national authorities of other countries that fulfil the tasks of the national aviation authority
  • 6. departments of the Police of the Czech Republic under Act No. 326/1999 Sb. (of the Collection of Laws of the Czech Republic), on the stay of foreigners in the territory of the Czech Republic
  • 7. other persons participating in the provision of a service consisting in the transport of passengers and goods

The Client acknowledges that the Controllers may transfer personal data to public authorities for purposes set out by legal regulations.

6. Source of personal data

Your personal data come directly from you if you ordered tickets on our website or in another form (by e-mail, telephone, in writing).

Your personal data come from tour operators, travel agencies or other vendors from which you ordered the transport service.

Your personal data come from the “General Sales Agent” (GSA) of the Controller SW CZ, which is AIR WORLD SERVICE a.s., IČ: 274 36 578, registered office Milady Horákové 382/75, Praha. GSA could obtain personal data in a form similar to the one in which we obtained them.

7. Client’s rights

I.Right to receive basic information about processing – we are obliged to provide you with such information at the time when personal data are collected if they are collected directly from you, and if they are not collected directly from you, then within one month from the collection of the personal data or at the moment of mutual communication if the personal data are used for the purposes of such communication, or at the latest when the personal data are first disclosed if we disclose them to a third party.

II. Right to access to personal data – at your request we are obliged to confirm to you whether we process your personal data and to inform you under GDPR e.g. about the purpose, time of processing, right to erasure, etc. We will also provide you with a copy of the personal data processed, provided that this will not infringe the rights and freedoms of third parties.

III. Right to rectification – if we have inaccurate personal data, we are obliged to rectify or complete them at your request.

IV. Right to erasure – at your request we are obliged to erase your personal data without undue delay in particular if:

  • you have withdrawn your consent and we do not have any other legal ground to process them,
  • we no longer need your personal data for the specified purpose for which they were processed,
  • we have processed your personal data unlawfully,
  • by erasing them we comply with a legal obligation under legal regulations,
  • you object to the personal data processing on the grounds of legitimate interests and there are no overriding legitimate grounds for the processing,
  • you object to the personal data processing for the purposes of direct marketing, including profiling.

Even if you request erasure, we are not obliged to erase personal data in particular on the following grounds:

  • establishment, exercise or defence of legal claims,
  • compliance with a legal obligation under legal regulations,
  • exercise of the right of freedom of expression and information.

V. Right to restriction of processing - we are obliged to restrict processing of your personal data if:

  • you contest accuracy of the personal data,
  • the personal data processing by the Controller is unlawful, but you do not want the Controller to erase the personal data,
  • the Controller no longer needs the personal data for any of the specified purposes, but you require the Controller to keep them for the establishment, exercise or defence of legal claims,
  • you objected to the processing on the grounds of a legitimate interest under article IV, and we are waiting for the verification whether the Controller’s interests override your legitimate grounds.

At the time when personal data processing is restricted, the Controller may only process such data by storing them, except for a situation when you give us your consent or for the establishment, exercise or defence of legal claims or for the protection of rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The Controller will inform you in advance if the restriction of processing is going to be lifted.

VI. Right to data portability - if we process personal data on the grounds of your consent or on the grounds of a concluded contract and the processing is fully automatic, you may require the Controller to:

  • provide personal data in a structured, commonly used and machine-readable format,
  • transmit such data directly to another controller if this is technically feasible.

VII. Right to object – if we process your personal data on the grounds of a legitimate interest or if we carry out profiling, you may object to such processing at any time. Then we will restrict the processing until everything has been clarified, and if we do not demonstrate compelling legitimate grounds for the processing afterwards, we will no longer process the data. If we use the data for direct marketing, we will stop processing your personal data without further notice after you object.

VIII. Right to protection by national authorities - you have the right to contact the supervisory authority for personal data protection, namely:

for SW CZ: Úřad pro ochranu osobních údajů (www.uoou.cz)

for SW PL: Biuro Generalnego Inspektora Ochrony Danych Osobowych, web: http://www.giodo.gov.pl

for SW SK: Úrad na ochranu osobných údajov Slovenskej republiky, web: http://www.dataprotection.gov.sk

for SW HU: Nemzeti Adatvédelmi és Infotmációszabadság Hatóság , web: http://www.naih.hu/

for SW DE: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit , web: http://www.bfdi.bund.de

In addition, you have the right to a judicial remedy (e.g. petition to initiate proceedings under Section 100 of the Slovak Personal Data Protection Act (zákon o ochrane osobných údajov)). You may lodge a complaint with a supervisory authority or bring an action before a court if you believe that your rights protected by GDPR were infringed in the consequence of processing by the Controllers.

EXERCISE OF RIGHTS AGAINST THE CONTROLLER

You may exercise your rights against the Controller electronically, in particular, by sending an e-mail to the address: This email address is being protected from spambots. You need JavaScript enabled to view it., or by sending a letter to any address of the controllers referred to on the first page. If you contact us electronically, the Controller will also reply electronically because we like to save our forests. But you may ask us for a different manner of communication.

We will process your requests and will reply to them as soon as possible within the bounds of our capacities and possibilities, being required by GDPR to reply within 1 month from receipt of the request at the latest. This period may be extended by further two months where necessary, taking into account the complexity and number of the requests. However, we will inform you about any extension within one month from the receipt of the request, together with the reasons for the delay.

If we have doubts concerning your identity, we will ask you to provide us with additional information necessary to confirm your identity. The reason is the protection of your data, so that personal data are not given to a person who is not the person they pretend to be.

We handle requests free of charge, but there are certain exceptions:

  • your request is unfounded,
  • your request is excessive, and if the Controller comes to the conclusion that any of the aforesaid exceptions occurred, we will refuse to act on the request or will charge you a reasonable fee to cover the administrative costs associated with handling the request.

Notification concerning the Joint Controllers:

SW SK, SW PL, SW DE, SW HU and ČSA are members of the group controlled by SW CZ. These companies have entered into a joint controller agreement concerning certain personal data in accordance with Article 26 of GDPR due to their mutual economic and organizational interconnection in SmartWings Group. For reasons consisting in the pre-flight preparation, flight planning, service provision and client service (e.g. information service, complaints, compensations) these companies share, to a necessary extent, some of the personal data provided or obtained.

Published on 15 February 2020

Smartwings, a.s.

Smartwings Slovakia, s.r.o. Smartwings Poland Sp. z o.o., Smartwings Germany Gmbh