TERMS FOR THE PROCESSING OF PERSONAL DATA
issued in accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the „Regulation“)
Czech Airlines Handling, a. s., residing at Prague 6, Aviatická 1017/2, Postcode 16008, Company Identification No.: 256 74 285, incorporated in the Companies Register kept by the Municipal Court in Prague, Section B, Insert 17139 (hereinafter referred to as the „Processor”) is a trade company performing its business in the area of aircraft ground handling and passenger service as well as providing the services of a contact center. The Processor provides on the basis of the individual orders of the Customer (hereinafter referred to as the "Controller") and for the Controller services of aircraft ground handling and passenger service and/or in ticketing services, and/or in the services of a contact center, and/or in other related services (hereinafter referred to as the „Service“); in relation to the above Service personal data will be processed and transmitted. In accordance with the Regulation, the Processor process personal data on behalf of the Controller, under the terms and conditions laid down below herein:
1. DEFINITIONS
1.1. “Personal data” means information about an identified or identifiable individual (data subject) processed for the purpose of the provision of the Service in the extent laid down herein;
1.2. “Service” means the service of the aircraft handling and passenger service, and/or a ticketing service, and/or a contact center service, and/or another related service in the provision thereof personal data are processed.
1.3. “Data subject” means the individual to which personal data relate. The customers of the Controller are, for the purposes hereof, a category of the data subjects of which personal data are subject to processing.
1.4. "Subprocessor" means a natural or legal person, public authority, agency or another body (but excluding an employee of Processor) appointed by or on behalf of Processor to process Personal data on behalf of Controller;
1.5. “Controller” means an individual or a legal entity, a public power authority, an agency or another subject that determines, alone or along with others, the purposes and means of personal data processing;
1.6. “Office” means the Office for Personal Data Protection;
1.7. “Personal data processing” means any operation with personal data or sets of personal data which is performed with or without the assistance of automated procedures, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
1.8. “Processor” is an individual or legal entity, a public power authority, an agency or another entity processing personal data for an Controller,
2. SUBJECT MATTER OF PROCESSING PERSONAL DATA, CATEGORY OF DATA SUBJECT AND TYPE OF PERSONAL DATA
2.1. The subject matter of the processing is the personal data of the data subject, which the Controller submitted to the Processor in order to fulfill the service provided by the Processor to the Controllers or processed by the Processor at Controller own initiative.
2.2. The scope of personal data processed in relation to the individual data subjects shall be as follows:
2.2.1. Name and surname;
2.2.2. Travel document number;
2.2.3. Residence address;
2.2.4. Date and place of birth;
2.2.5. Birth identification number;
2.2.6. Phone number;
2.2.7. E-mail;
The Processor agrees to process personal data only in the above scope required for the provision of the service.
2.3. The Controller is authorized to process the above personal data based on Art. 6 par. 1 letter b) of the Regulation because the personal data processing is required to perform the agreement of which the data subject is a party.
2.4. The processed personal data shall not form a special category of data in compliance with Art. 9 of the Regulation.
3. PURPOSE AND PERIOD OF PERSONAL DATA PROCESSING
3.1. The Processor shall perform personal data processing hereunder exclusively for the purpose
3.2. The Processor agrees to process and maintain personal data only for an absolutely indispensable period, however, not longer than order of service has been settled.
3.3. The processor is not authorized to process personal data after the period terminates. If the Processor performs personal data processing after the period laid down in this way terminates, he shall not do it based on the Controller´s authorization, the Controller shall not be responsible for such personal data processing and the Processor is in the position of the personal data controller under the Regulation in relation to these personal data.
3.4. The Processor agrees, in case that the reason to process personal data ceases to exist, to treat the personal data of the data subject in compliance with the Controller´s decision, i. e. he returns the applicable personal data to the Controller following the instructions of the Controller, in particular, or deletes them, including copies, and in case that it is not possible, he makes sure that the personal data are blocked in such a way that the personal data are not accessible anymore and cannot be processed again. This provision is without prejudice to the maintaining of the personal data for the reason that the obligations under the Regulations are met.
4. MEANS AND MANNER TO PROCESS PERSONAL DATA
4.1. The personal data shall be processed only by the Processor´s authorized employees, his automated systems as well as manually, in written or electronic form.
4.2. The personal data processing is performed by means of technical appliances and software while the Processor agrees to make sure that the terms and conditions laid down by the Regulation are met herewith.
4.3. The personal data are transmitted electronically, the transmission in the form of documents is possible exceptionally if required for a specific case. The Processor saves the personal data provided in this manner on a data carrier temporarily and he keeps using them and keeping them for the purpose of the provision of the Service.
5. RIGHTS AND OBLIGATIONS OF THE CONTROLLER
5.1. The Controller shall process personal data in compliance with the Regulation.
5.2. The Controller is obliged to obtain the approval of the data subject if it is required to obtain such approval to process personal data.
5.3. The Controller is obliged to inform data subjects about the personal data processing at the moment when their personal data are obtained.
5.4. The Controller is obliged to inform the Processor if he finds out that the personal data are not correct and to instruct the Processor to correct incorrect personal data.
5.5. The Controller is obliged to designate employees and other persons having access to the personal data, including the communication of the scope in which these persons are supposed to access the personal data. In addition, the Controller is obliged to communicate to the Processor any change regarding these persons without delay.
5.6. The Controller is obliged to arrange for the requests of data subjects to exercise rights resulting from the Regulation.
6. RIGHTS AND OBLIGATIONS OF THE PROCESSOR
6.1. The Processor declares to dispose of suitable technical means and organizational measures in such extent that allows that the personal data processing in question meets the requirements of the Regulation and that the rights of data subjects are observed.
6.2. The Processor agrees hereunder to accept and to continuously maintain and check any and all measures required to secure personal data protection, in particular, against unauthorized and accidental access to personal data, their alteration, destruction or loss, unauthorized transmissions, their other unauthorized processing as well as the other abuse of personal data.
6.3. The Processor processes personal data only based on supported instructions of the Controller. The Processor shall follow the instructions of the Controller also in the area of the transmission of personal data to third countries or to an international organization unless such processing has already been imposed by the law of the European Union or a member state of the European Union which is applicable to the Controller; in such case, the Processor informs the Controller about this legitimate requirement prior to the processing unless these legal regulations prohibited this information for material reasons of public interest.
6.4. If the Controller´s instructions are contrary to the applicable provisions of the Regulation or other legal regulations, the Processor is obliged to notify the fact to the Controller, not to follow such instructions and to proceed in compliance with the applicable provisions of the Regulation.
6.5. The Processor agrees to cooperate with the Controller in meeting his obligation to arrange for the application of the data subject for the enforcement of rights following from the Regulation. The Processor assists also to the Controller in introducing and maintaining suitable technical and organizational measures to secure persona data, in assessing the influence on personal data protection as well as in prior consultations with the Office
6.6. The Processor shall not collect personal data processed hereunder with any other personal data obtained or processed for another purpose.
6.7. The Processor is obliged to observe the right for the protection of private and personal life of the data subject and for the protection from unauthorized interference into private and personal life of the data subject.
6.8. The Processor shall make sure that the persons by means of which he provides the service and that get in touch with provided personal data maintain these data confidential as well as the security measures of which disclosure endangers the security of these personal data.
6.9. The Processor obliges, in respect of the Controller, to notify any breach of personal data security without delay, however, not later than 48 hours as of the moment when the Processor learned about such breach. The Processor shall mention in the notification of the security breach in particular as follows:
6.9.1. the description of the character of the applicable case of breaching personal data security, including, if possible, the category and approximate number of data subjects affected and the categories and the approximate number of the personal data records affected;
6.9.2. the description of probable consequences of personal data security breaches; and
6.9.3. the description of the measures taken or proposed to be taken by the Processor aiming at resolving the personal data security breach in question, including measures to moderate unfavorable impacts, if any.
6.9.4. Unless it is possible to provide information under clauses (i) to (iii) simultaneously, it can be provided by the Processor gradually without any unnecessary delay.
7. SUBPROCESSOR
7.1. The Processor may continue to use the services of Subcontractors, who perform processing if they comply with the obligations set out in Regulation.
7.2. If the Processor negotiates a Subprocessor for personal data processing on behalf of the Controller, he is required to enter into a contract with Subprocessor or any other legal act within the European Union that establishes the same rights and obligations in relation to protect Personal Data. This is in particular to provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing complies with the requirements of the Regulation. If the Subprocessor fails to fulfill his data protection obligations, the Processor remains fully responsible to the Controller for the fulfillment of these Subprocessor obligations.
8. AUDIT, INDEMNIFICATION
8.1. The Processor agrees to provide the Controller with any and all information required to prove that the Processor´s obligations are met and agrees to allow the Controller to make audits for this purpose, including inspections made by the Controller or an auditor authorized to do so by the Controller, and to cooperate in these audits as required. The Processor is obliged to make any and all required documentation for the purposes of the audit available, in particular, the list of technical and organizational measures. In addition, the Processor is obliged to allow an inspection as situation requires also from the part of the Office and of other supervisory bodies.
8.2. The Processor agrees to cooperate with the Controller as required by the Controller in contacts and negotiations with the Office or other competent and administrative bodies, if any.
8.3. The Controller is responsible for any harm caused by personal data processing that breaches the Regulation.
8.4. The Processor shall be responsible for the harm caused by processing only in case that:
8.4.1. he failed to meet the obligations laid down by this Terms for the processing personal data;
8.4.2. he failed to meet the obligations laid down by the Regulation for personal data processor;
8.4.3. he acted above the framework of the Controller´s instructions or contrary to them.
8.5. The Processor shall be released from his liability for harm if he proves that he is not at all responsible for the event that resulted in the harm.
9. FINAL PROVISIONS
9.1. Terms for the processing personal data come into force and effect upon the moment the Service is provided to the Controller.
9.2. The Controller and the Processor declare and confirm that they have become aware of, and agree to Terms for the processing personal data and agree to be bound by these Terms, and to abide by these Terms without any reservation.
9.3. All legal relationships between the Controller and the Processor arising out of or in connection with the provision of the Services to the Controller shall be governed by the law of the Czech Republic. If the disputes arises between the Controller and the Processor, the relevant court is court of the Czech Republic. The local jurisdiction within the Czech Republic will be determined by the location of the Processor.
