Access to the use of the Website is possible only for persons over 16 years of age.
Website – a website that is controlled and used by SkyUp, namely: skyup.aero. The Website gives Users an opportunity to book / purchase tickets and subscribe to the SkyUp newsletters and advertising materials.
User (Users) – means a person who uses the Website in order to perform the registration procedure, to book / purchase tickets and/or to receive advertising and informational materials.
Controller – the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The SKYUP AIRLINE LIMITED LIABILITY COMPANY (a legal entity registered and operating in accordance with the legislation of Ukraine, address: 02121, Ukraine, Kyiv, Kharkivske highway, 201 / 203-2a) and the SKYUP MT LIMITED (a legal entity registered and operating in accordance with the legislation of Malta, address: Ewropa Business Centre, Level 3, Suite 701, Dun Karm Street, Birkirkara, BKR 9034, Malta) are the controllers in relation to the processing of your personal data under these terms. Both legal entities act as individual controllers. However, in relation to the marketing related activities, providing some joint services, and interaction with SkyUp counterparties, the SKYUP AIRLINE LIMITED LIABILITY COMPANY and the SKYUP MT LIMITED (together named as SkyUp or SkyUp companies) are considered as joint controllers.
Processor – a legal or natural person (other than an employee of the data controller) authorized by the Controller to process personal data.
СData subject – is a natural person from whom the Controller receives data and whose data it processes.
Personal data – any information relating to an identified or identifiable natural person (Data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Recipient of the data – a legal or natural person to whom personal data are disclosed – whether or not it is a third party.
Processing any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Automatic data processing – data processing operations performed in whole or in part by automated means.
Sensitive personal data – data related to a person’s race or ethnic origin, political, religious, philosophical or other beliefs, trade union membership, health, genetics, biometrics, sexual life. Consent to the processing of sensitive personal data must be explicitly expressed in writing, in another equivalent form, which clearly demonstrates the Data subject’s intention to process such personal data for one or more specific purposes.
Consent – a voluntary expression of the Data subject’s consent to the processing of his or her Personal data for a purpose that has been communicated to the Data subject.
Third party – a legal or natural person who is not a Data subject, the Data Controller, the Data Processor and persons who have been directly authorized by the Data Controller or the Data Processor to process the data.
The processing of personal data of Users takes place in accordance with the requirements of the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 (General Data Protection Regulation (hereinafter referred to as the GDPR).
In order to ensure proper access and use by Users of the Website, ordering services provided by SkyUp, communication of Users on issues related to SkyUp services, SkyUp collects and processes Personal data of Users.
In the case of the collection and processing of Personal Data of natural persons under the age of 16, SkyUp confirms that the relevant consent to the processing of such personal data has been obtained from persons authorized to represent the interests of persons under the age of 16, and that the Personal data of such persons were provided to SkyUp by authorized persons.
The Controller processes the personal data provided voluntarily by the Data subject via the Website during the newsletter subscription and/or registration procedure. Data subject personal data also could be obtained during conclusion of an agreement (between the Data subject and SkyUp companies and/or SkyUp agents) and/or during consideration of possible Data subject claims and requests.
Information obtained from the Data subject may not be disclosed to Third parties without legal justification, except for persons who participate in or facilitate the provision or implementation of the SkyUp business activities related to interaction with the User (Data subject), provision the Data subject with air carrier and related services. The personal data of the Data subject may also be transferred to the Data Processors with whom the Controller has entered into a personal data processing or other agreement specifying the requirements for the processing and storage of personal data. In this case, the legal liability for violations or losses of personal data processing lies with the Controller who is responsible for the violations or losses. In other cases, personal data may only be disclosed to Third parties if required by law. Personal data may also be transferred to public administration and law enforcement authorities, if such an obligation of the Controller is enshrined in law.
The information received from the Data subject is processed and used for the following objectives:
Specific purposes of data processing are indicated in the “SPECIFIC PURPOSES OF DATA PROCESSING” section below.
Personal data is collected only in accordance with the law, by receiving it directly from the Data subject, requesting the necessary information from the subjects who process this Personal data or who have the right to provide this data, on the basis of agreements and legislation, by connecting to separate databases, registers and information systems in which Personal data are stored on the basis of data provision agreements or one-off requests.
SkyUp does not collect or process the following categories of Personal Data: data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, criminal convictions, as well as data on sexual or genetic data of Users.
In the process of providing services, SkyUp may process personal data that can be used to determine the physical or mental health of Users. Such information relates to special or sensitive personal data in accordance with the law. SkyUp collects this personal data only if it is necessary directly for the transportation services or the User has knowingly provided it to SkyUp. SkyUp has the right to collect such data in the following cases:
If the User does not allow SkyUp to process any personal data of special categories, it may mean that SkyUp will not be able to provide the User with special services that he has ordered.
SkyUp undertakes to ensure that all available measures are taken to protect Users' Personal Data, taking into account the provisions of current legislation on personal data protection (including the provisions of the GDPR) and the specifics of the scope of SkyUp activities.
According to Art. 6 GDPR the processing shall be lawful only if and to the extent that at least one of the following applies: a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; c) processing is necessary for compliance with a legal obligation to which the controller is subject; d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
When processing personal data of the Data subject, the Controller acts mostly on the legal basis defined in point "a", "b", "c" and point "f" of Art. 6 GDPR. Controller processes the Personal Data of Website Users on the following specific legal basis:
Categories of Personal Data, purpose and legal basis for their collection and processing are divided depending on how Users use the Website. The scope, method, purpose and legal basis for the collection and processing of Personal Data may vary. The Controller processes automatically and manually the data voluntarily provided and indicated by the Data subject, including:
We also process such data as cookies, technical data for the Website, User requests regarding the work of the Website, its related services and other issues.
Data collected from all the Users, including non-registered: We collect the data from running the Website and use information, provided to us by you, sent to us by your computer, mobile phone, or other access device, which may include the following technical data: IP address, device information and standard web log information, such as your browser type, and the pages you accessed on our Website.
SkyUp collects and processes the data of Website Users in accordance with the following specific purposes:
* - Data such as «billing address» and «payment card details», by default, is not processed by the Controller. When you are paying for any of our services with a bank card, payment processing (including entering the card number) occurs on a secure page of the processing system. This means that your confidential data (billing address, payment card details, etc.) is not transferred to us. Such data processing is protected and no one can receive specified cardholder data. When working with payment card data, the information security standard (Payment Card Industry Data Security Standard (PCI DSS) developed by the international payment systems Visa and Master Card is applied. PCI DSS ensures secure processing of payment card details and cardholder data. PCI DSS includes implementation of Secure Sockets Layer (SSL) protocols and other security method.
The function of transition to pages of social networks which are carried out by the third parties is available on the Website. By making such a login, Users thereby agree to provide SkyUp with access to Personal Data to the extent due to the settings for access to Personal Data on the relevant social network.
When You access the Website and/or use our services we (or Google Analytics or similar service provider on our behalf) may place small data files called cookies on your computer or other device. We use these technologies to recognize you as our User; customize our Website and advertising; measure promotional effectiveness and collect information about your computer or other access device to mitigate risk, help prevent fraud, and promote trust and safety.
Use of the Website involves the use of the functionality of other resources, including:
Personal data may only be processed for direct marketing purposes after the Data subject has given his or her consent. Consent to the processing of personal data for direct marketing purposes can be given in various ways: by deciding to subscribe to the Controller’s newsletters, by expressing a wish in writing, in a contract, on a website or in another data storage medium, by expressing consent (by signing, clicking on the relevant box, in other ways) to receive commercial and other services provided by the Controller and other offers related to the activities of the Controller.
If the Controller, having provided services, has previously received a personal e-mail from the Data subjects, these data may be used without the separate consent of the Data subject only for the purposes of marketing the Controller’s services. The Data subject has the right to refuse the use of Personal data for marketing purposes by electronic or registered letter, as well as in another express form, informing the Controller thereof.
The purposes of processing your personal data in relation to marketing communications and newsletters are to carry out customer satisfaction surveys for analytical purposes, for quality improvements, for service developments, to improve the performance of the website, to measure the success of our advertising campaigns or to tailor services to your needs or send you newsletters through the contact channel of your choice.
The Data subject’s Personal data for direct marketing purposes is stored during the period of validity of any contractual relationship between the Controller and the Data subject and/or till the moment the Data subject unsubscribe from the Controller`s news lettering (the moment Data subject’s request for refusal to receive direct marketing notifications is received by the Controller).
SkyUp transfers Personal Data to Recipients of the data (including cross-border transfers of Personal Data) only to the extent necessary to fulfill the purpose of collecting and processing Personal Data in respect of which such collection and processing were previously carried out by SkyUp.
SkyUp carries out such transfer of Personal Data only in case of need, in the minimum necessary for this purpose, for the minimum term. In order to properly fulfill its contractual obligations, in particular to improve the operation and maintenance of the Website, SkyUp may transfer Personal Data:
By transferring Users' Personal Data to Recipient of the data, SkyUp takes all available legal, organizational and technical measures to ensure the protection of Personal Data. We require all processors and sub-processors to have appropriate technical and operational security measures in place to protect your personal data, in line with GDPR.
If the User makes a reservation or orders SkyUp services on behalf of another person (persons), the User is obliged to obtain the prior consent of such persons to perform the reservation / order of the service, notifying SkyUp of their personal data and disclosing their personal data accordingly. Such Users are responsible for the accuracy of such data. In the process of booking / ordering a service, such a User represents the legitimate interests of such a person, he must inform this person about the conditions of booking / ordering the service and the terms of this Policy.
All operational messages sent to one participant of the reservation will also be sent to other persons specified in one reservation. To prevent such disclosure, each User has the opportunity to place a separate order for the service, providing their contact information.
User as the Data subject has the rights in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679. The Data subject has the right:
You also have the right to lodge a complaint to a data protection authority on your personal data processing issues. For more information, please contact your local data protection authority in the European Economic Area (EEA). We recommend you contact us to resolve all your questions and inquiries to the extent permitted by law, and we will reply promptly. The following paragraphs describe a way to implement some of your rights under the provisions of the General Data Protection Regulation.
When submitting an identity document in accordance with the procedures prescribed by law or by electronic means of communication that ensure proper identification of a person, the Data subject has the right to get acquainted with his/her Personal data free of charge and to receive information from which sources and Personal data are collected, the purposes for which they are processed and the recipients to whom they have been submitted during the last year. Upon receipt of the Data subject’s request, the Controller shall provide the requested data in writing or indicate the reasons for the refusal to comply with this request no later than within 30 calendar days from the date of receipt of the Data subject’s request.
You can request access to your Personal data or make corrections by writing to us at the email address provided in the “CONTACT DETAILS” section. If the information is not available or changed, we will inform you of the reasons for that. Please note that we may ask you to verify your identity before responding to such requests.
The Data subject also has the right to refuse to provide Personal data, but in this case the Controller will not be able to provide the desired services and/or Website functionality to the Data subject, and the Data subject may not bring claims for non-provision of the service or absence of the relevant Website functions.
You have the right to require deletion of your Personal data by sending us an email to the email address provided in the “CONTACT DETAILS” section. We will process your request in accordance with applicable data protection laws. We may need to retain certain information for record-keeping purposes and/or to complete transactions that you began prior to requesting any deletion of Personal Data. You also can revoke your consent to Personal data processing at any time. In the event that you withdraw your consent to Personal data processing and we will have no legal basis to continue processing your data, we will stop processing your Personal information. If we have legal grounds for processing your information, we have the right to continue using Personal data within the limits provided by law.
Taking into account the nature of your personal data and the risks of processing, we have put in place appropriate technical and organizational measures as required by applicable legal provisions to ensure an appropriate level of security and to prevent any accidental or unlawful destruction, loss, alteration, disclosure, intrusion of or unauthorized access to these data. The Processing and protection of Personal data within the limits of its competence is ensured by every employee of the Controller. The Controller has implemented an internal regulation on the personal data processing, appropriate technical and organizational measures.
In order to prevent the accidental or unauthorized destruction, alteration, disclosure and other unauthorized Processing of Personal data, persons performing Personal data Processing functions must store documents and data files in an appropriate and secure manner and avoid making unnecessary copies. Copies of the Controller`s documents containing Personal Data must be disposed of in such a way that these documents cannot be restored, and their contents cannot be recognized. Data subjects’ documents and their paper and/or electronic copies, archives or other files containing Personal data shall be stored in lockers, drawers or safes, and provided that they are not accessible and are protected with reasonable effort.
The Controller`s employees whose computers store Personal data must use a password. Passwords are unique, they must be created from at least 8 characters without the use of personal information. Passwords must be changed regularly and kept confidential. Passwords may not match the personal data of an employee of the Controller or his/her family members. Passwords must be changed if necessary (when an employee changes, there is a danger of computer intrusion, etc.).
The computers of the Controller’s employees, which store Personal data, must have an automatically updated antivirus program. Files on the computers of employees of the Controller, in which Personal data is collected, must not be accessible by the employees whose activities do not use Personal data.
Every employee of the Controller who processes Personal data signs a commitment to confidentiality. An employee of the Controller must immediately inform the management of the Controller or its authorized representative of an event that may pose a threat to the security of Personal data and make every precautionary effort to avoid such cases.
The implemented technical and organizational measures also include:
In the event that the Controller suffers a breach involving your personal data and this breach creates a high risk to your rights, we will inform you about the breach, the likely consequences of it and the measures we have put in place to protect you and others in accordance with the GDPR requirements.
We require all processors and sub-processors to have appropriate technical and operational security measures in place to protect your personal data, in line with GDPR. In case of transfer of personal data to a third country or an international organization outside the EU we ensure that standard data protection clauses adopted by the Commission are in place in relations with processors and sub-processors.
Personal data shall be kept for no longer than is necessary for the purposes of the processing, taking into account the type of document or file in which the data are contained. At the end of the storage period of the document in which these data are indicated, a decision on their liquidation shall be made, and the document shall be liquidated in accordance with the procedures prescribed by law. Permanently stored documents containing Personal data must be sent for archiving in accordance with the procedures prescribed by law.
SkyUp processes each of the categories of Personal Data for the period necessary to fulfill each of the above purposes, after which such Personal Data must be deleted. In any case, SkyUp has the right to store Personal Data for the period necessary to fulfill the obligations to Users to provide SkyUp services, as well as to fulfill the obligations under applicable law. If the storage of Users' personal data is not necessary for the provision of services, specified purposes of the processing and is not required by law, SkyUp will delete them.
The Personal data is also deleted in the event of receiving a corresponding request from the Data subject and in the absence of other legal basis for personal data processing.
The Data subject shall provide the Controller only with the correct Personal data. The Data subject should immediately inform the Controller about the relevant changes in the Personal Data of the Data subject.
The Controller shall not be liable for damages caused to the Data subject or third parties if the Data subject, indicating his/her personal data, has provided erroneous, inaccurate or incomplete Personal data or has not duly informed about its changes.
If you have questions regarding your personal data processing, please contact us at the contact information indicated below:
SKYUP MT LIMITED
Ewropa Business Centre, Level 3, Suite 701, Dun Karm Street, Birkirkara, BKR 9034, Malta
Email: [email protected].
SKYUP AIRLINE LIMITED LIABILITY COMPANY
02121, Ukraine, Kyiv, Kharkivske highway, 201 / 203-2a
Email: [email protected].
Відповідно до ст. 27 GDPR ТОВАРИСТВО З ОБМЕЖЕНОЮ ВІДПОВІДАЛЬНІСТЮ АВІАКОМПАНІЯ СКАЙАП визначило представника у ЄС. Суб’єкт даних може надсилати запити як Представнику, так і безпосередньо Контролеру. Нижче наведена контактна інформація представника контролера:
GLOBAL TRAVEL SOLUTIONS SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, registered and acting under the laws of Poland, having its Head office at UL. LENARTOWICZA 5/3, 31-138 KRAKÓW, Poland.
Representative`s Email: [email protected].