Privacy Policy - SkyUp Airlines
Wait

PRIVACY POLICY

  1. DEFINITIONS
  2. LEGISLATION REGULATING THE PROCESSING OF PERSONAL DATA
  3. MAIN OBJECTIVES OF THE PROCESSING
  4. THE CONSENT TO THE PROCESSING OF PERSONAL DATA AND OTHER LEGAL BASIS
  5. CATEGORIES OF PERSONAL DATA
  6. SPECIFIC PURPOSES OF DATA PROCESSING
  7. SOCIAL NETWORKS AND THE WEBSITE
  8. COOKIE FILES
  9. PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF DIRECT MARKETING
  10. TRANSFER OF PERSONAL DATA AND RECIPIENTS OF THE DATA
  11. BOOKING ON BEHALF OF ANOTHER PERSON
  12. RIGHTS OF THE DATA SUBJECT
  13. PROTECTION OF PERSONAL DATA
  14. RETENTION PERIOD
  15. LEGAL LIABILITY
  16. CONTACT DETAILS
  17. REPRESENTATIVE OF THE CONTROLLER (ART. 27 GDPR)

This Privacy Policy governs the privacy terms of using the Website (skyup.aero, hereinafter the Website) regarding the registration procedure available at the Website, booking / purchasing a ticket via the Website and newsletters subscription function.

According to Article 13 GDPR this Privacy Policy also indicates the following information: the identity and the contact details of the controller and the controller’s representative; the contact details of the data protection officer, where applicable; the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; the categories of recipients of the personal data; where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47 GDPR, or the second subparagraph of Article 49 (1) GDPR, reference to the appropriate or suitable safeguards and their general description.

This Privacy Policy is binding on SkyUp (legal entities according to a description in the DEFINITIONS section below) and any Website user, who is performing the subscription and/or registration procedure using appropriate subscription and/or registration form available at the Website and/or using the Website to book / purchase a ticket (order the SkyUp services).

SkyUp reserves the right to make changes to this Privacy Policy at any time. The Privacy Policy, its new version and relevant changes come into force from the moment of their publication on the Website. By accessing the Website, Users agree to abide by the Privacy Policy in effect at the time of obtaining such access. If the User refuses to comply with any provisions of the Privacy Policy, such User should stop using the Website and its functions.

Access to the use of the Website is possible only for persons over 16 years of age.

1. DEFINITIONS

Website – a website that is controlled and used by SkyUp, namely: skyup.aero. The Website gives Users an opportunity to book / purchase tickets and subscribe to the SkyUp newsletters and advertising materials.

User (Users) – means a person who uses the Website in order to perform the registration procedure, to book / purchase tickets and/or to receive advertising and informational materials.

Controller – the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The SKYUP AIRLINE LIMITED LIABILITY COMPANY (a legal entity registered and operating in accordance with the legislation of Ukraine, address: 02121, Ukraine, Kyiv, Kharkivske highway, 201 / 203-2a) and the SKYUP MT LIMITED (a legal entity registered and operating in accordance with the legislation of Malta, address: Ewropa Business Centre, Level 3, Suite 701, Dun Karm Street, Birkirkara, BKR 9034, Malta) are the controllers in relation to the processing of your personal data under these terms. Both legal entities act as individual controllers. However, in relation to the marketing related activities, providing some joint services, and interaction with SkyUp counterparties, the SKYUP AIRLINE LIMITED LIABILITY COMPANY and the SKYUP MT LIMITED (together named as SkyUp or SkyUp companies) are considered as joint controllers.

Joint Controllers – where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. Data subjects may exercise their rights in respect of and against each of the joint data controllers. SKYUP AIRLINE LIMITED LIABILITY COMPANY is primarily responsible for providing you with information regarding personal data processing as set out in this Privacy Policy. If you need more details regarding the joint controller and/or related data processing, please contact us using the contact details indicated at CONTACT DETAILS section bellow.

Processor – a legal or natural person (other than an employee of the data controller) authorized by the Controller to process personal data.

СData subject – is a natural person from whom the Controller receives data and whose data it processes.

Personal data – any information relating to an identified or identifiable natural person (Data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Recipient of the data – a legal or natural person to whom personal data are disclosed – whether or not it is a third party.

Processing any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Automatic data processing – data processing operations performed in whole or in part by automated means.

Sensitive personal data – data related to a person’s race or ethnic origin, political, religious, philosophical or other beliefs, trade union membership, health, genetics, biometrics, sexual life. Consent to the processing of sensitive personal data must be explicitly expressed in writing, in another equivalent form, which clearly demonstrates the Data subject’s intention to process such personal data for one or more specific purposes.

Consent – a voluntary expression of the Data subject’s consent to the processing of his or her Personal data for a purpose that has been communicated to the Data subject.

Third party – a legal or natural person who is not a Data subject, the Data Controller, the Data Processor and persons who have been directly authorized by the Data Controller or the Data Processor to process the data.

2. LEGISLATION REGULATING THE PROCESSING OF PERSONAL DATA

The processing of personal data of Users takes place in accordance with the requirements of the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 (General Data Protection Regulation (hereinafter referred to as the GDPR).

3. MAIN OBJECTIVES OF THE PROCESSING

In order to ensure proper access and use by Users of the Website, ordering services provided by SkyUp, communication of Users on issues related to SkyUp services, SkyUp collects and processes Personal data of Users.

In the case of the collection and processing of Personal Data of natural persons under the age of 16, SkyUp confirms that the relevant consent to the processing of such personal data has been obtained from persons authorized to represent the interests of persons under the age of 16, and that the Personal data of such persons were provided to SkyUp by authorized persons.

The Controller processes the personal data provided voluntarily by the Data subject via the Website during the newsletter subscription and/or registration procedure. Data subject personal data also could be obtained during conclusion of an agreement (between the Data subject and SkyUp companies and/or SkyUp agents) and/or during consideration of possible Data subject claims and requests.

Information obtained from the Data subject may not be disclosed to Third parties without legal justification, except for persons who participate in or facilitate the provision or implementation of the SkyUp business activities related to interaction with the User (Data subject), provision the Data subject with air carrier and related services. The personal data of the Data subject may also be transferred to the Data Processors with whom the Controller has entered into a personal data processing or other agreement specifying the requirements for the processing and storage of personal data. In this case, the legal liability for violations or losses of personal data processing lies with the Controller who is responsible for the violations or losses. In other cases, personal data may only be disclosed to Third parties if required by law. Personal data may also be transferred to public administration and law enforcement authorities, if such an obligation of the Controller is enshrined in law.

The information received from the Data subject is processed and used for the following objectives:

  • for the purpose of direct marketing, including sending newsletters with information and advertising materials (personal data is also used for the purpose of providing the Data subject with relevant commercial information / individualization of the commercial newsletters);
  • for implementation of the functions of the Website and built-in ticket booking system;
  • to administer our Website and/or provide User with related services;
  • for interaction and communication between SkyUp and the User on technical and other issues;
  • for communication with the Data subject in order to conclude agreements and to perform concluded agreements;
  • for performance of other Controller`s obligations;
  • to meet the requirements of public administration institutions and legal acts.

Specific purposes of data processing are indicated in the “SPECIFIC PURPOSES OF DATA PROCESSING” section below.

Personal data is collected only in accordance with the law, by receiving it directly from the Data subject, requesting the necessary information from the subjects who process this Personal data or who have the right to provide this data, on the basis of agreements and legislation, by connecting to separate databases, registers and information systems in which Personal data are stored on the basis of data provision agreements or one-off requests.

By providing the Controller with personal data, the Data subject voluntarily agrees that the Controller processes the personal data of the Data subject in compliance with the requirements specified in this Privacy Policy and other legal acts.

SkyUp does not collect or process the following categories of Personal Data: data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, criminal convictions, as well as data on sexual or genetic data of Users.

In the process of providing services, SkyUp may process personal data that can be used to determine the physical or mental health of Users. Such information relates to special or sensitive personal data in accordance with the law. SkyUp collects this personal data only if it is necessary directly for the transportation services or the User has knowingly provided it to SkyUp. SkyUp has the right to collect such data in the following cases:

  • for safety - due to a certain state of health of the User and he must be notified and, if necessary, provide us with a medical certificate or undergo a medical examination;
  • if the User requests special services or assistance during the flight, this may disclose to us information about his health (for example, if the User requests a mobility aid);
  • if the choice of food on board can lead to a conclusion about the health or religion of the User, SkyUp does not use this information in any other way than to provide services to the User.

If the User does not allow SkyUp to process any personal data of special categories, it may mean that SkyUp will not be able to provide the User with special services that he has ordered.

SkyUp undertakes to ensure that all available measures are taken to protect Users' Personal Data, taking into account the provisions of current legislation on personal data protection (including the provisions of the GDPR) and the specifics of the scope of SkyUp activities.

4. THE CONSENT TO THE PROCESSING OF PERSONAL DATA AND OTHER LEGAL BASIS

By sending the personal data to the Controller (via the Website), the Data subject gives the consent to the Controller to process the Data subject`s personal data and to transfer it to Third parties in accordance with the terms set out in this Privacy Policy.

According to Art. 6 GDPR the processing shall be lawful only if and to the extent that at least one of the following applies: a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; c) processing is necessary for compliance with a legal obligation to which the controller is subject; d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

When processing personal data of the Data subject, the Controller acts mostly on the legal basis defined in point "a", "b", "c" and point "f" of Art. 6 GDPR. Controller processes the Personal Data of Website Users on the following specific legal basis:

  • consent to the processing of personal data;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • compliance with a legal obligation to which the Controller is subject;
  • legitimate interest;
  • protection of vital interests of the data subject or other natural person;
  • performing a task performed in the public interest or for the exercise of official duties assigned to SkyUp;
  • for the purposes and legitimate interests pursued by SkyUp or a third party, except where such interests are outweighed by the fundamental rights and freedoms of the data subject, which require the protection of personal data, especially if the data subject is a child.

Regarding the Controller`s data processing activities under this Privacy Policy the point "c" of Art. 6 GDPR is mostly referred to AVSEC (Aviation Security) standards and the Controller`s obligations under the applicable AVSEC regulations.

5. CATEGORIES OF PERSONAL DATA

Categories of Personal Data, purpose and legal basis for their collection and processing are divided depending on how Users use the Website. The scope, method, purpose and legal basis for the collection and processing of Personal Data may vary. The Controller processes automatically and manually the data voluntarily provided and indicated by the Data subject, including:

  • last names, first names, patronymics of Users;
  • gender and date of birth of Users;
  • e-mail addresses of Users;
  • mobile phone numbers of Users;
  • city and country of residence of Users;
  • passport data (number, expiration date, country of issue, nationality);
  • health information (if the User reports it and / or wants to use special services);
  • bank details (if indicated in a User`s complaint);
  • city, country, postal code, company name, registration number of the enterprise (when paying on behalf of a legal entity).

We also process such data as cookies, technical data for the Website, User requests regarding the work of the Website, its related services and other issues.

Data collected from all the Users, including non-registered: We collect the data from running the Website and use information, provided to us by you, sent to us by your computer, mobile phone, or other access device, which may include the following technical data: IP address, device information and standard web log information, such as your browser type, and the pages you accessed on our Website.

6. SPECIFIC PURPOSES OF DATA PROCESSING

SkyUp collects and processes the data of Website Users in accordance with the following specific purposes:

  • tracking Users' preferences in order to provide personalized information about SkyUp services;
  • providing answers to users' search and information requests about SkyUp services within the Website;
  • ensuring the participation of Users in surveys, promotions, SkyUp loyalty programs, as well as other projects;
  • managing the subscription to the SkyUp newsletter;
  • providing information exchange from the SkyUp Website via email or social networks;
  • conducting marketing research and trend analysis to improve SkyUp services;
  • implementation of SkyUp marketing campaign using phone calls, e-mail or social networks;
  • sending information and advertising materials about SkyUp services and activities;
  • sending commercial (marketing) messages, making commercial (marketing) calls;
  • booking / purchase of tourist services;
  • booking / purchasing a ticket;
  • booking management;
  • booking / purchase of insurance policy;
  • improving the performance of the SkyUp Website.
CATEGORIES OF DATA
PURPOSE
LEGAL BASIS
  • cookies
  • technical data
  • tracking Users' preferences in order to provide personalized information about SkyUp services
  • providing answers to search and information requests of Users about SkyUp services
  • improving the operation of the Website
  • visiting and using the website
  • user Consent
  • legitimate interest
  • anonymized data
  • conducting marketing research and trend analysis to improve SkyUp products
  • legitimate interest
  • IP address
  • the Website cookies
  • posts, messages, comments, questions on social networks addressed to SkyUp, as well as comments under SkyUp publications or about SkyUp on social networks
  • legitimate interest
  • user Consent
  • name
  • surname
  • date of birth
  • gender
  • email address
  • nationality
  • phone number (s)
  • passport data
  • individual tax number
  • information about the state of health (in case of its notification by Users and / or for the purpose of using special services)
  • city, country, zip code (in case it is necessary according to User's local legislation)
  • billing address (not processed by the Controller)*
  • payment card details (not processed by the Controller)*
  • company name, registration number of the enterprise (when paying on behalf of a legal entity)
  • purchase of additional services
  • booking / purchasing a ticket
  • booking management
  • fulfillment of the terms of the concluded agreement
  • name
  • surname
  • date of birth
  • gender
  • email address
  • phone number
  • residence address
  • passport data
  • nationality
  • duration and period of travel
  • country of travel
  • individual tax number
  • acquisition of an insurance policy
  • fulfillment of the terms of the concluded agreement
  • user consent
  • email address
  • name
  • surname
  • date of birth
  • address
  • phone number
  • information on using SkyUp services
  • sending commercial (marketing) messages, making commercial (marketing) calls
  • user consent
  • name
  • surname
  • booking number
  • Bank details
  • phone number
  • email address
  • residence address
  • other personal information you could provide to us indicating in a complaint and/or request
  • complaints and requests
  • appeal
  • legitimate interests

* - Data such as «billing address» and «payment card details», by default, is not processed by the Controller. When you are paying for any of our services with a bank card, payment processing (including entering the card number) occurs on a secure page of the processing system. This means that your confidential data (billing address, payment card details, etc.) is not transferred to us. Such data processing is protected and no one can receive specified cardholder data. When working with payment card data, the information security standard (Payment Card Industry Data Security Standard (PCI DSS) developed by the international payment systems Visa and Master Card is applied. PCI DSS ensures secure processing of payment card details and cardholder data. PCI DSS includes implementation of Secure Sockets Layer (SSL) protocols and other security method.

7. SOCIAL NETWORKS AND THE WEBSITE

The function of transition to pages of social networks which are carried out by the third parties is available on the Website. By making such a login, Users thereby agree to provide SkyUp with access to Personal Data to the extent due to the settings for access to Personal Data on the relevant social network.

8. COOKIE FILES

When You access the Website and/or use our services we (or Google Analytics or similar service provider on our behalf) may place small data files called cookies on your computer or other device. We use these technologies to recognize you as our User; customize our Website and advertising; measure promotional effectiveness and collect information about your computer or other access device to mitigate risk, help prevent fraud, and promote trust and safety.

Most browsers are initially configured to accept cookies. You may control the use of cookies within your internet browsers’ settings. You should refer to the instructions of your browser, the "Help" section or similar resource to learn more about how to manage cookies and possibly reset your browser settings to refuse all cookies. Or you could specify in your browser settings that you want to be notified when cookies are sent. However, if you do not accept cookies, some pages on our Website may not display correctly and/or some functions may be impaired. If you have any questions regarding the rules of disabling cookies, please check with your browser vendor. Please review our COOKIE POLICY for more detailed information.

SkyUp uses cookies:

  • to provide Users with stable access to the functionality of the Website;
  • to improve and facilitate the use of the Website by Users;
  • to provide Users with access to the exchange of information from the Website through social networks;
  • to study the indicators related to the audience of the Website (analysis of traffic, usage trends).

SkyUp pre-requests Users' consent to the use of cookies before using the Website by sending an appropriate notification (in banner format). Users have the following options for cookies (including via the User's web browser preferences and settings):

  • allow automatic saving and use of cookies;
  • warn about the use of cookies;
  • always block the use of cookies (possible restrictions on the use of the Website in the form of inability of users to set individual settings).

Use of the Website involves the use of the functionality of other resources, including:

  • social networks (the use of cookies is regulated by the relevant policies of such companies);
  • Google Analytics to collect general statistics about your use of the Website (such information is used by the Company solely to improve the content and services used by the Website). The operation of Google Analytics is governed by applicable company policies.

The user agrees to the use of cookies and their transfer to Rakuten Advertising.

SkyUp warns that blocking the use of cookies may lead to incorrect operation of the Website. Users have the right to block the use of cookies in whole or in part (certain types of cookies) by making changes to the web browser settings of the devices they use to access the Website.

9. PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF DIRECT MARKETING

Personal data may only be processed for direct marketing purposes after the Data subject has given his or her consent. Consent to the processing of personal data for direct marketing purposes can be given in various ways: by deciding to subscribe to the Controller’s newsletters, by expressing a wish in writing, in a contract, on a website or in another data storage medium, by expressing consent (by signing, clicking on the relevant box, in other ways) to receive commercial and other services provided by the Controller and other offers related to the activities of the Controller.

If the Controller, having provided services, has previously received a personal e-mail from the Data subjects, these data may be used without the separate consent of the Data subject only for the purposes of marketing the Controller’s services. The Data subject has the right to refuse the use of Personal data for marketing purposes by electronic or registered letter, as well as in another express form, informing the Controller thereof.

The purposes of processing your personal data in relation to marketing communications and newsletters are to carry out customer satisfaction surveys for analytical purposes, for quality improvements, for service developments, to improve the performance of the website, to measure the success of our advertising campaigns or to tailor services to your needs or send you newsletters through the contact channel of your choice.

The Data subject’s Personal data for direct marketing purposes is stored during the period of validity of any contractual relationship between the Controller and the Data subject and/or till the moment the Data subject unsubscribe from the Controller`s news lettering (the moment Data subject’s request for refusal to receive direct marketing notifications is received by the Controller).

10. TRANSFER OF PERSONAL DATA AND RECIPIENTS OF THE DATA

SkyUp transfers Personal Data to Recipients of the data (including cross-border transfers of Personal Data) only to the extent necessary to fulfill the purpose of collecting and processing Personal Data in respect of which such collection and processing were previously carried out by SkyUp.

SkyUp carries out such transfer of Personal Data only in case of need, in the minimum necessary for this purpose, for the minimum term. In order to properly fulfill its contractual obligations, in particular to improve the operation and maintenance of the Website, SkyUp may transfer Personal Data:

  • SkyUp affiliates;
  • SkyUp partner companies;
  • SkyUp contractors (including ground handling companies);
  • hotels, transfer and similar service providers (in case of flight delays or cancellations);
  • government agencies (in case of compliance with the law).

By transferring Users' Personal Data to Recipient of the data, SkyUp takes all available legal, organizational and technical measures to ensure the protection of Personal Data. We require all processors and sub-processors to have appropriate technical and operational security measures in place to protect your personal data, in line with GDPR.

11. BOOKING ON BEHALF OF ANOTHER PERSON

If the User makes a reservation or orders SkyUp services on behalf of another person (persons), the User is obliged to obtain the prior consent of such persons to perform the reservation / order of the service, notifying SkyUp of their personal data and disclosing their personal data accordingly. Such Users are responsible for the accuracy of such data. In the process of booking / ordering a service, such a User represents the legitimate interests of such a person, he must inform this person about the conditions of booking / ordering the service and the terms of this Policy.

All operational messages sent to one participant of the reservation will also be sent to other persons specified in one reservation. To prevent such disclosure, each User has the opportunity to place a separate order for the service, providing their contact information.

12. RIGHTS OF THE DATA SUBJECT

User as the Data subject has the rights in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679. The Data subject has the right:

  • to know (be informed) about the processing of your Personal data;
  • to get acquainted with your Personal data and the way they are processed;
  • to transfer your Personal data (you have the right to receive a copy of your Personal data in a structured, printed format);
  • to request the correction, deletion of your Personal data or the suspension of the processing of Personal data, except for their storage, if the data is processed without complying with the regulatory enactments regarding the legal protection of Personal data;
  • to object the processing of your Personal data;
  • to restrict the processing of your Personal data or do not consent to the processing of your Personal data / withdraw consent, unless otherwise provided by law and the Regulations.

You also have the right to lodge a complaint to a data protection authority on your personal data processing issues. For more information, please contact your local data protection authority in the European Economic Area (EEA). We recommend you contact us to resolve all your questions and inquiries to the extent permitted by law, and we will reply promptly. The following paragraphs describe a way to implement some of your rights under the provisions of the General Data Protection Regulation.

12.1. ACCESS TO PERSONAL DATA

When submitting an identity document in accordance with the procedures prescribed by law or by electronic means of communication that ensure proper identification of a person, the Data subject has the right to get acquainted with his/her Personal data free of charge and to receive information from which sources and Personal data are collected, the purposes for which they are processed and the recipients to whom they have been submitted during the last year. Upon receipt of the Data subject’s request, the Controller shall provide the requested data in writing or indicate the reasons for the refusal to comply with this request no later than within 30 calendar days from the date of receipt of the Data subject’s request.

You can request access to your Personal data or make corrections by writing to us at the email address provided in the “CONTACT DETAILS” section. If the information is not available or changed, we will inform you of the reasons for that. Please note that we may ask you to verify your identity before responding to such requests.

The Data subject also has the right to refuse to provide Personal data, but in this case the Controller will not be able to provide the desired services and/or Website functionality to the Data subject, and the Data subject may not bring claims for non-provision of the service or absence of the relevant Website functions.

12.2.DATA DELETION

You have the right to require deletion of your Personal data by sending us an email to the email address provided in the “CONTACT DETAILS” section. We will process your request in accordance with applicable data protection laws. We may need to retain certain information for record-keeping purposes and/or to complete transactions that you began prior to requesting any deletion of Personal Data. You also can revoke your consent to Personal data processing at any time. In the event that you withdraw your consent to Personal data processing and we will have no legal basis to continue processing your data, we will stop processing your Personal information. If we have legal grounds for processing your information, we have the right to continue using Personal data within the limits provided by law.

13. PROTECTION OF PERSONAL DATA

Taking into account the nature of your personal data and the risks of processing, we have put in place appropriate technical and organizational measures as required by applicable legal provisions to ensure an appropriate level of security and to prevent any accidental or unlawful destruction, loss, alteration, disclosure, intrusion of or unauthorized access to these data. The Processing and protection of Personal data within the limits of its competence is ensured by every employee of the Controller. The Controller has implemented an internal regulation on the personal data processing, appropriate technical and organizational measures.

In order to prevent the accidental or unauthorized destruction, alteration, disclosure and other unauthorized Processing of Personal data, persons performing Personal data Processing functions must store documents and data files in an appropriate and secure manner and avoid making unnecessary copies. Copies of the Controller`s documents containing Personal Data must be disposed of in such a way that these documents cannot be restored, and their contents cannot be recognized. Data subjects’ documents and their paper and/or electronic copies, archives or other files containing Personal data shall be stored in lockers, drawers or safes, and provided that they are not accessible and are protected with reasonable effort.

The Controller`s employees whose computers store Personal data must use a password. Passwords are unique, they must be created from at least 8 characters without the use of personal information. Passwords must be changed regularly and kept confidential. Passwords may not match the personal data of an employee of the Controller or his/her family members. Passwords must be changed if necessary (when an employee changes, there is a danger of computer intrusion, etc.).

The computers of the Controller’s employees, which store Personal data, must have an automatically updated antivirus program. Files on the computers of employees of the Controller, in which Personal data is collected, must not be accessible by the employees whose activities do not use Personal data.

Every employee of the Controller who processes Personal data signs a commitment to confidentiality. An employee of the Controller must immediately inform the management of the Controller or its authorized representative of an event that may pose a threat to the security of Personal data and make every precautionary effort to avoid such cases.

The implemented technical and organizational measures also include:

  • Measures of encryption of personal data;
  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • Testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing;
  • Measures that ensure the use of the system of identification and authentication (authorization) of subjects who have access to personal data. Procedures for detecting and preventing intrusions and unauthorized access are also provided;
  • Measures for the protection of data during transmission and during storage;
  • Measures for ensuring physical security of locations at which personal data are processed;
  • Measures for internal IT and IT security governance and management;
  • Measures for ensuring data quality and accountability;
  • Measures for allowing data portability and ensuring erasure.

In the event that the Controller suffers a breach involving your personal data and this breach creates a high risk to your rights, we will inform you about the breach, the likely consequences of it and the measures we have put in place to protect you and others in accordance with the GDPR requirements.

Personal data is stored on computer storage devices, in particular in Germany. However, your Personal Data may be temporarily stored and processed in other jurisdictions. We reserve the right to store, process and transfer your Personal Data (for the purposes of data processing set out in this Privacy Policy) to various jurisdictions, where our facilities and/or our service providers are located. It may also be processed by staff operating who work for us and/or for one of our service providers. Staff may be engaged in the fulfillment of our services and/or the processing of your data. By submitting your Personal data, you agree to this transfer, storing and/or processing. We will take all steps reasonably necessary to ensure that your Personal data is treated securely and in accordance with the terms of this document.

We require all processors and sub-processors to have appropriate technical and operational security measures in place to protect your personal data, in line with GDPR. In case of transfer of personal data to a third country or an international organization outside the EU we ensure that standard data protection clauses adopted by the Commission are in place in relations with processors and sub-processors.

14. RETENTION PERIOD

Personal data shall be kept for no longer than is necessary for the purposes of the processing, taking into account the type of document or file in which the data are contained. At the end of the storage period of the document in which these data are indicated, a decision on their liquidation shall be made, and the document shall be liquidated in accordance with the procedures prescribed by law. Permanently stored documents containing Personal data must be sent for archiving in accordance with the procedures prescribed by law.

SkyUp processes each of the categories of Personal Data for the period necessary to fulfill each of the above purposes, after which such Personal Data must be deleted. In any case, SkyUp has the right to store Personal Data for the period necessary to fulfill the obligations to Users to provide SkyUp services, as well as to fulfill the obligations under applicable law. If the storage of Users' personal data is not necessary for the provision of services, specified purposes of the processing and is not required by law, SkyUp will delete them.

The retention period regarding the Personal data processed under this Privacy Policy, except financial documentation containing personal data, the technical data and the data processed for the purpose of direct marketing, is the period of validity of any contractual relationship between the Controller and the Data subject plus 5 years after termination of such contractual relationship (data regarding the ordered flight stored during 5 years after the termination of relationship with a customer; customer`s account retention period - if the customer has not used the account for 5 years (and provided that there are no funds on the account balance), the account is automatically deactivated). The Website browsing history and similar technical data stored 3 months. According to the applicable legislation financial documentation containing personal data stored 10 years.

The Personal data is also deleted in the event of receiving a corresponding request from the Data subject and in the absence of other legal basis for personal data processing.

15. LEGAL LIABILITY

The Data subject shall provide the Controller only with the correct Personal data. The Data subject should immediately inform the Controller about the relevant changes in the Personal Data of the Data subject.

The Controller shall not be liable for damages caused to the Data subject or third parties if the Data subject, indicating his/her personal data, has provided erroneous, inaccurate or incomplete Personal data or has not duly informed about its changes.

16. CONTACT DETAILS

If you have questions regarding your personal data processing, please contact us at the contact information indicated below:

SKYUP MT LIMITED
Ewropa Business Centre, Level 3, Suite 701, Dun Karm Street, Birkirkara, BKR 9034, Malta
Email: [email protected].

SKYUP AIRLINE LIMITED LIABILITY COMPANY
02121, Ukraine, Kyiv, Kharkivske highway, 201 / 203-2a
Email: [email protected].

17. REPRESENTATIVE OF THE CONTROLLER (ART. 27 GDPR)

Відповідно до ст. 27 GDPR ТОВАРИСТВО З ОБМЕЖЕНОЮ ВІДПОВІДАЛЬНІСТЮ АВІАКОМПАНІЯ СКАЙАП визначило представника у ЄС. Суб’єкт даних може надсилати запити як Представнику, так і безпосередньо Контролеру. Нижче наведена контактна інформація представника контролера:

GLOBAL TRAVEL SOLUTIONS SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, registered and acting under the laws of Poland, having its Head office at UL. LENARTOWICZA 5/3, 31-138 KRAKÓW, Poland.
Representative`s Email: [email protected].