FlyGR8 (herein after referred to as The Company) is committed to protecting personal data and avoiding its improper use. This policy creates a standard for processing personal data and it applies to all employees, management, contractors and customers, acting for and on behalf of the Company. Moreover, it applies to personal information that we collect, store and transmit, process and retain. The Company shall take all appropriate technical measures to guarantee that the processing of personal data is compliant with this policy and all legal provisions. Questions regarding this policy, and the lawful processing of personal data can be addressed to the following contact details: firstname.lastname@example.org
1. Legal Basis
This policy is in accordance with European Union Regulation 2016/679. The Company will only use your personal data when the law allows us to. Most commonly, we will use your personal data when:
We need to perform the contract we are about to enter into or have entered into with you, through the Charterer.
It is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We need to comply with a legal or regulatory obligation.
You have provided us with your explicit consent to do so.
Personal data is information that can be related to an individual. Examples are the name and contact details, address, e-mail etc.
Sensitive personal data is data related to health, religion, ideological & political views, genetic or biometric information, racial and ethnic origin.
Profiling is any form of automated processing of personal data consisting of the use of personal data in order to evaluate certain personal aspects relating to an individual.
Data subject is a physical person to whom personal data relates.
Data processing is any activity and operation performed on personal data.
Data file means any structured set of personal data which are accessible in such a way as to make it possible to deduce the person in question from the data.
Disclosure means making personal data accessible.
Data Protection Impact Assessment is the systematic process for identifying, evaluating and documenting the risks and impact of personal data processing activities to the rights of individuals.
Data controller is the legal entity who decides and determines the purpose, content and procedure of processing personal data.
Data protection officer (DPO) is the physical or legal person that processes personal data as instructed by the data controller.
3. General obligations when processing personal data
a. Data processing principles
For compliance purposes with the applicable law, The Company must collect, process and store personal information in accordance with the following data protection principles.
Lawful and fair processing
Personal data may only be processed fairly and lawfully. Every data processor must ensure compliance with this policy and the relevant laws and regulations.
Processing based on Consent
Before personal data may be processed, the data subject must be duly informed about each purpose of processing operation carried out by the controller. Consequently, the data subject must actively give a recorded statement / consent. The data subject may withdraw his/her consent at any time by contacting the DPO of our Company.
Purpose of processing
Personal data may only be processed for the purpose indicated at the time of collection. Some of the main purposes for which we use your personal data are:
- Complying with legal requirements.
- For management and administrative purposes.
- Improvement of website, products and services.
Adequate and not excessive processing
Personal data shall be adequate and not excessive in relation to the purpose for which it is processed.
Accuracy and quality of data
In case your personal information has changed, you are encouraged to contact the DPO for communication regarding data protection issues of The Company as soon as possible in order to update any personal data.
Data storage and retention
Personal data will be stored for as long as it is required to fulfil the purpose for which the data was collected and processed. We will review the retention period of the data we hold and delete it securely, when there is no longer a legal, business or customer need for it to be retained.
Disclosure to third parties
A third party data processor acting on behalf of the company, shall contractually agree to process personal data in accordance with this policy. The terms of this policy shall be included by reference in the relevant contracts. Furthermore the Company will have the right to audit the third party data processor for the adequacy of the relevant used controls.
Cross-border disclosure of personal data
The company operates within and outside the European Union, consequently data may need to be stored outside the European Union, or the company may need to send your personal data for legal compliance purposes abroad. Personal data may only be disclosed abroad (outside the EU) if the foreign law provides for an adequate level of data protection. In case the foreign law does not provide an adequate level of data protection, personal data may only be transferred to such country if the data subject has explicitly consented to the transfer.
The Company shall take appropriate personnel, technical and organizational measures to minimize the risk of accidental or intentional breach, destruction, or loss of personal data.
b. Data Protection Impact Assessment (DPIA)
The Company will ensure that a DPIA is conducted whenever a planned processing activity may pose a high risk to the data subject’s rights and freedoms. Where the DPIA results in the conclusion that there is a high risk for data subjects, the supervisory authority must be notified and its view on adequate measures to reduce the risks must be obtained.
c. Data subjects’ rights
All individuals who are subject of personal data held by the company have the right to obtain information from the company about the processing of their personal data. In particular, data subjects may exercise their rights in terms of access, rectification, erasure, restriction, data portability in a structured, commonly used and machine-readable format, objection and/or prevention of automated decision making of their personal data. Any request must be in writing while a reply to such a request can be expected within one (1) month. There is no fee for requests.
The Company shall provide the data subject in writing with a copy of information held by the Company concerning him or her, containing:
the purposes of the processing,
the type of personal data being processed,
information on the retention period,
the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning them or to object to such processing,
the right to lodge a complaint with the supervisory authority,
details of a planned cross-border transfer.
d. Records of processing activities
The company shall maintain a record of all processing activities under its responsibility that contain personal data. The record shall include the following minimum information:
name and contact details of the data controller,
name and contact details of the data protection officer,
purpose of processing,
description of categories of data subjects,
description of categories of personal data being processed,
description of categories of data recipients,
description of cross-border data transfer,
a general description of the technical and organizational security measures, where possible.
e. Training and raising awareness
The Company is responsible for ensuring that every employee is trained in data protection and data security matters.
4. Privacy by design and by default principles
When new data processing systems are introduced, the controller must ensure a high standard of data protection. Particularly, any new systems and processes must comply with the following principles:
Technical and organizational measures must be taken to ensure systematic and secure management of personal data;
Data processing systems must be aimed at collecting as few personal data as necessary;
In case of anonymizing the data, personal data must be rendered anonymous;
Where personal data cannot be anonymized, security measures appropriate to the nature of the data must be taken, such as pseudonymization, encryption, or access restriction;
Access to personal data shall be granted according to the “need-to-know” principle;
Data processing systems must be adequately protected from unauthorized access;
Data subjects must be provided with transparent, user-friendly and effective means of control concerning their personal data;
Data processing systems must be setup in a way that the strictest privacy settings apply automatically;
More extensive processing of personal data is only permitted if the data subject gives its explicit consent to extended processing.
The Company is responsible for the lawful processing of personal data and compliance with data protection and data security requirements as set out in this policy or pursuant to applicable law.
Data protection officer
The data protection officer is responsible for processing personal data according to the instructions received from the data controller. Furthermore, the data processor is responsible for notifying the data controller of a data protection breach without delay and specifically within 24 hours.
6. Breach of Data protection policy
The potential penalties and damages resulting from a data protection infringement are serious for both the person committing the violation and for the company. Any violation of this data protection policy may result in regulatory penalties.
a. Data breach recording
The Data Protection Officer systematically documents disclosed breaches and evaluates the reasons for the breaches. Furthermore, he initiates further required measures to remedy the situation and to prevent breaches from recurring.
b. Data breach notification
The Company must notify a data breach to the Greek Data Protection Authority within 72 hours after becoming aware of it. Furthermore, if the personal data breach is likely to result in a high risk to the data subject’s rights and freedoms the data subject must be informed without delay.