ACIA AERO LEASING
PRIVACY POLICY
- Introduction
- This is the Privacy Policy of the ACIA Aero Leasing, which is referred to as the “Company”, “us” or “we” throughout this Privacy Policy. This Privacy Policy provides details of the way in which we Process Personal Data in line with our obligations under Data Protection Law.
- Capitalised terms used in this Privacy Policy are defined in the Glossary in Annex I.
- Background and Purpose
- The purpose of this Privacy Policy is to explain what Personal Data we Process and how and why we Process it. In addition, this Privacy Policy outlines our duties and responsibilities regarding the protection of such Personal Data. The manner in which we Process data will evolve over time and we will update this Policy from time to time to reflect changing practices.
- In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Privacy Policy by reference into various points of data capture used by us.
- The Company as a Data Controller
- The Company will act as a Data Controller in respect of Personal Data provided to us by various individuals in connection with the operation and administration of the Company. Such individuals will generally include the following:
- customers;
- employees;
- suppliers;
- website visitors; and
- business partners.
- Personal Data is processed by the Company for the following purposes:
- The Company will act as a Data Controller in respect of Personal Data provided to us by various individuals in connection with the operation and administration of the Company. Such individuals will generally include the following:
|
Purpose of Processing |
Lawful Basis under GDPR |
|
Customer administration purposes. |
Such processing is necessary for the performance of a contract between the Company and customers. |
|
Know your customer purposes. |
Such processing is necessary for the performance of a contract pursuant to Article 6(1)(b) GDPR and pursuant to Article 6(1)(c) for compliance with legal obligations to which the Company is subject. |
|
Customer services delivery, management and improvement e.g. to identify helicopters and services which are most popular among ACIA Aero Leasing’s customers and to promote such to ACIA Aero Leasing’s customers in a customised manner. |
Such processing is necessary for the legitimate interests pursued by the Company. |
|
Communicating with and maintaining contact details of customers. Website updates and other customer communications. |
As necessary for the performance of ACIA Aero Leasing’s legitimate interests as a Company. |
|
General correspondence with members of the public (by post or the ACIA Aero Leasing email address) for example where an individual sends correspondence to inquire about the Company or for other reasons. |
For the particular purpose for which the correspondence is sent to the Company. Depending on the particular context of such correspondence the relevant lawful basis will likely be either the individual’s consent or ACIA Aero Leasing’s legitimate interests (for example, responding to queries from the public). |
|
To evaluate customers’ interests and to promote tailored offerings that reflect customer interests. |
The Company has a legitimate interest in providing personalised offerings, including for example, leasing of a particular type of helicopter. We balance our legitimate interests against the rights of the individual users through the use of measures described in this Policy. |
|
Service administration e.g. providing individual customers with notifications of a change in ACIA Aero Leasing’s services. |
Such processing is necessary to support the Company’s legitimate interest in managing the delivery of its services. |
|
Website services, including for troubleshooting, data analysis, and survey purposes. |
The Company has a legitimate interest in operating a website and for related purposes. |
|
Cookies. |
The Company has a legitimate interest in using cookies to enhance the website visitors’ experience. |
- The Company and Data Processors
- The Company willl engage certain service providers to perform certain services on its behalf which may involve the Processing of Personal Data. To the extent that such Processing is undertaken based on the instructions of the Company and gives rise to a Data Controller and Data Processor relationship, the Company will ensure that such relationship is governed by a contract which includes the data protection provisions prescribed by Data Protection Law.
- Record Keeping
- As part of our record keeping obligations under Art. 30 GDPR, the Company retains a record of the Processing activities under its responsibility. This comprises the following:
|
Art. 30 GDPR Requirement |
The Company’s Record |
|
Name and contact details of the Controller |
14 The Hyde Building Carrickmines Phone: +353 85 724 7151 |
|
The purposes of the processing |
See Section 3 of this Privacy Policy. |
|
Description of the categories of data subjects and of the categories of personal data. |
See Annex II of this Privacy Policy. |
|
The categories of recipients to whom the Personal Data have been or will be disclosed. |
See Section 9 of this Privacy Policy. |
|
Where applicable, transfers of personal data to a third country outside of the EEA. |
See Section 9 of this Privacy Policy. |
|
Where possible, the envisaged time limits for erasure of the different categories of data. |
See Section 10 of this Privacy Policy. |
|
Where possible, a general description of the technical and organisational security measures referred to in Article 32(1). |
Electronic records stored either on a secure online cloud system provided by a professional third party or temporarily on personal computers protected by passwords. Physical records stored either offsite in a secure off-site storage facility or temporarily in secure office facilities. |
- Special Categories of Data
- The Company processes Special Categories of Data (“SCD”) in certain circumstances, such as the ordinary course of employee administration. The Company shall Process such SCD in accordance with Data Protection Law.
- Individual Data Subject Rights
- Data Protection Law provide certain rights in favour of data subjects. The rights in question are as follows (the “Data Subject Rights”):
- The right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller);
- The right of access to Personal Data;
- The right to rectify or erase Personal Data (right to be forgotten);
- The right to restrict Processing;
- The right of data portability;
- The right of objection; and
- The right to object to automated decision making, including profiling, and where the Company relies on its legitimate interests to Process your Personal Data (for example, for marketing purposes) ;
- These Data Subject Rights will be exercisable by you subject to limitations as provided for under Data Protection Law. You may make a request to the Company to exercise any of the Data Subject Rights by contacting the Company’s General Counsel or Chief Executive Officer. Your request will be dealt with in accordance with Data Protection Law.
- Data Protection Law provide certain rights in favour of data subjects. The rights in question are as follows (the “Data Subject Rights”):
- Data Security and Data Breach
- We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords. For more information on security measures see Annex III.
- The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of personal data security breaches. Any Data Breaches identified in respect of Personal Data controlled by the Company will be dealt with in accordance with Data Protection Law and the Company’s Data Breach Procedure.
- Disclosing Personal Data
- From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data).
- We may also disclose Personal Data to: (a) selected third parties including our lawyers; financial and tax advisors and other professional advisors and (b) service providers, such as payroll and marketing companies and (c) our shareholders or investors or select business partners who have a need to know such Personal Data.
- Data Retention
- We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed (as described in this Privacy Policy).
- Data Transfers outside the EEA
- The Company transfers some Personal Data to countries outside the European Economic Area. If such transfer occurs, the Company will ensure that such processing of your Personal Data is in compliance with Data Protection Law and, in particular, that appropriate measures are in place such as entering into Model Contractual Clauses (as published by the European Commission) or ensuring that the recipient is Privacy Shield certified, if appropriate. If you require more information on the means of transfer of your data or would like a copy of the relevant safeguards, please contact the Company’s General Counsel or Chief Executive Officer.
- Cookies
- Cookies are small text files that may be placed on your browser when you visit our website (the “Site”). Cookies are used primarily for administrative purposes, to improve your experience with our Site. For instance, when you return to the Site after logging in, cookies provide information to the Site, including personal data, so that the Site will remember who you are. Our Site uses cookies primarily to capture anonymous analytics used to improve our Site experience and performance. This includes compiling statistical information concerning, among other things, the frequency of use of our Site, the pages visited, and the length of each visit, as well as information about your computer, operating system, browser, language and country. We do not use cookies to store any personal data that could be read or understood by others.
- Using the settings of your Internet browser, you can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. Consult your browser Help menu to learn the correct way to modify your cookies. If you choose to turn off cookies, you may not have access to certain features of our Site. You may at any time delete any cookies set by using the relevant option of your Internet browser or by deleting the cookies on your hard drive.
- We use the following cookies:
|
COOKIE |
TYPE |
DURATION |
DESCRIPTION |
|
PHPSESSID |
1 |
Session |
To identify your unique session on the website session |
|
viewed_cookie_policy |
1 |
Session |
Used to acknowledge having viewed our cookie policy notice. |
|
wordpress_ |
2 |
Session |
WordPress cookie for a logged in user. |
|
wordpress_logged_in_ |
2 |
Session |
WordPress cookie for a logged in user. |
|
wordpress_test_cookie |
2 |
Session |
WordPress test cookie. |
|
wp-settings- |
1 |
1 Year |
WordPress also sets a few wp-settings-[UID] cookies for logged in users. The number on the end is your individual user ID from the users database table. This is used to customize your view of admin interface, and possibly also the main site interface. |
|
wp-settings-time- |
2 |
1 Year |
WordPress also sets a few wp-settings-{time}-[UID] cookies for logged in users. The number on the end is your individual user ID from the users database table. This is used to customise your view of admin interface, and possibly also the main site interface. |
- Further Information/Complaints Procedure
- For further information about this Privacy Policy and/or the Processing of your Personal Data by or on behalf of the Company please contact Company’s General Counsel or Chief Executive Officer. While you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission, we request that you contact Company’s General Counsel or Chief Executive Officer in the first instance to give us the opportunity to address any concerns that you may have.
ANNEX I
Glossary
In this Privacy Policy, the terms below have the following meaning:
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller.
“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Act 2018 and any other laws which apply to the Company in relation to the Processing of Personal Data.
“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.
“Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include:
- a name, an identification number;
- details about an individual’s location; or
- any other information that is specific to that individual.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.
“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.
ANNEX II
Types of Personal Data
|
Categories of Data Subject |
Type of Personal Data |
|
Customers |
Name, address, passport, contact details including email and phone number, financial information and payment details. |
|
Staff |
Name, address, passport and contact details including email and phone number. Bank account details and normal data included in personnel file. |
|
Suppliers |
Name, address, contact details including email and phone number, financial information and payment details. |
|
Website visitors |
IP address and browser details. Any Personal Data provided by users using the email addresses (and phone numbers) provided on the ACIA Aero Leasing website. |
|
Business partners |
Name, address, passport, contact details including email and phone number, financial information and payment details. |