Personal Data Protection
Information on the Processing of Personal Data
1. Introduction
Czech Airlines Handling, a.s. (hereinafter referred to as “CSAH”) pays due attention to the protection of your personal data, which it processes for specific purposes. The processing of personal data is conducted in compliance with legal regulations in the field of personal data protection; in particular, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “GDPR Regulation”), and in accordance with Act No. 110/2019 Coll., on the Processing of Personal Data.
On this website, CSAH hereby provides you with information on the processing of your personal data, which you have provided primarily in connection with the use of services and products or when communicating with our company. You can find information here regarding the conditions under which personal data are processed in individual cases, as well as information on the scope of the processed personal data, their protection, and your rights related to the processing of personal data. Specific information regarding the method of processing your personal data can also be found in individual cases in which you provide personal data to CSAH (e.g. when ordering a service).
2. CSAH – Personal Data Controller
CSAH, as the personal data controller, processes your personal data transparently, fairly, in accordance with the GDPR Regulation as well as other legal regulations, and to the extent necessary for the relevant purpose. We securely store your personal data for the strictly necessary period, in accordance with the time limits imposed by legal regulations. Personal data relating to children are processed only if the child is represented by a legal guardian.
Contact details of CSAH:
Czech Airlines Handling, a.s.
K letišti 1040/10
161 00 Prague 6 – Ruzyně
Company ID No.: 256 74 285
VAT ID No.: CZ699003361
Czech Airlines Handling, a.s. is registered in the Commercial Register maintained by the Municipal Court in Prague, Section B, File No. 17139.
3. Personal Data
CSAH processes personal data solely for specific legitimate purposes and always to the necessary extent in relation to the purpose for which such data are processed. Processing of personal data is necessary for the provision of the services or products in which you are interested. However, CSAH is also obliged to process your personal data due to legal obligations applicable to us or for the purpose of protecting legitimate interests arising from our mutual relationships.
CSAH primarily processes personal data of our customers (i.e. persons using our services and products), persons who communicate with us for specific purposes (queries, opinions, complaints), and also, for example, personal data relating to visitors to some of our premises. For the stated purposes, our company processes the following categories of personal data:
- Identification data, e.g. first name and surname, date of birth, identity document number, personal identification number, etc.
- Contact data, e.g. residential address, telephone number, e-mail address, etc.
- Other data, e.g. image recordings from security cameras located on CSAH premises, etc.
4. Areas of Personal Data Processing
CSAH processes provided personal data for specific purposes, which are primarily related to the provision of services or products, fulfilment of legal obligations, fulfilment of rights and obligations arising from a contract, or the protection of CSAH’s legitimate interests.
Below you will find an overview of cases in which CSAH processes personal data:
- Visit/use of CSAH websites
For the purpose of convenient use of CSAH websites (content personalisation) and for traffic analysis, we use cookies. The legal basis for the processing of such personal data in accordance with the GDPR is consent for the use/activation of cookies.
- Camera systems (CCTV)
For the purpose of protecting life, health, and property against unlawful conduct, CSAH uses camera systems with recording capabilities. The legal basis for processing such personal data in accordance with the GDPR Regulation is fulfilment of a legal obligation, protection of vital interests of persons, and protection of the legitimate interests of CSAH.
- Sending newsletters to persons using CSAH services and products (direct marketing)
Based on the legal basis of the controller’s legitimate interest, CSAH is entitled to process your personal data which you provided to CSAH in connection with the use of services and products provided by CSAH.
- Entry into CSAH buildings
The legitimate interest of CSAH is the processing of personal data of persons entering buildings owned by CSAH. The purpose of processing your personal data is the protection of persons and property of CSAH and, last but not least, the protection of civil aviation.
- Queries, complaints, suggestions
The legitimate interest of CSAH is the processing of personal data of enquirers. Without the provision of personal data, CSAH would not be able to handle such queries, complaints, or suggestions. The legal basis for processing personal data in this case is the legitimate interest of CSAH.
- Participation in events organised by CSAH
CSAH processes personal data in connection with the organisation of professional conferences, seminars, and other social events. In some cases, registration is required in order to allow participation in the respective event; basic identification data are required as part of the registration. The legal basis for processing such personal data in accordance with the GDPR is performance of a contract (if participation in the event is subject to a fee) and fulfilment of legal obligations. In the case of free events, CSAH processes personal data for the purpose of protecting its legitimate interests.
- Identification for the purpose of concluding a contract
For the purpose of concluding a contract and its performance, it is necessary to process your personal data (identification of the contracting party). CSAH always processes personal data to the necessary extent in relation to the purpose for which they are processed. The legal basis for processing such personal data in accordance with the GDPR Regulation is performance of a contract and fulfilment of legal obligations applicable to CSAH.
CSAH states that it does not process and will not process personal data in a manner that is inconsistent with the purpose for which such personal data were provided by you.
5. Consent to the Processing of Personal Data
Consent to the processing of personal data as a legal basis for processing is used in cases where CSAH cannot process personal data on another legal basis (e.g. sending commercial communications to a person who does not use CSAH services or products).
You may withdraw the granted consent to the processing of personal data at any time.
6. Sharing of Personal Data
In some cases, personal data may also be processed by other companies within the Prague Airport Group, namely Prague Airport, a.s., Czech Airlines Technics, a.s., as well as by third parties who process personal data for CSAH on a contractual basis (personal data processors). Personal data processors, as well as CSAH, ensure adequate protection of your personal data.
Personal data may also be transferred to public authorities that are entitled under specific legal regulations to request such personal data from CSAH as the personal data controller.
7. Personal Data Security
CSAH has implemented technical and organisational measures to ensure an adequate level of security of your personal data. CSAH uses a range of technologies and procedures to protect your personal data. CSAH has introduced processes of regular testing and assessment of risks associated with personal data processing in order to ensure the security of processing.
Transfers of personal data outside the EU take place exclusively in accordance with the GDPR Regulation. In cases where CSAH transfers or is obliged to transfer personal data to third parties, CSAH selects only those contractual partners that ensure at least the same level of security as CSAH.
Where CSAH is obliged to transfer personal data to public authorities, it uses only the most secure means of communication and transfer of personal data.
8. Retention of Personal Data
CSAH ensures that the personal data you provide are stored only for the strictly necessary period and are duly deleted after the expiry of such period.
CSAH retains your personal data only for the period:
- necessary to fulfil the purpose of processing (provision of a service or product);
- required by legal regulations applicable to CSAH;
- during the existence of legitimate interests of CSAH in processing personal data (protection of rights in the event of legal disputes or administrative proceedings, recovery of claims, etc.).
The duration of personal data processing depends on the specific case of processing and may therefore vary.
9. Rights of the Data Subject
If CSAH processes your personal data, you, as a data subject, have the rights arising from the GDPR Regulation:
- Right to withdraw consent to the processing of personal data
If CSAH processes your personal data on the basis of the legal basis of consent (consent was granted by you), you have the right to withdraw such consent. CSAH undertakes to stop processing personal data processed on the basis of the granted consent. CSAH uses consent as a legal basis only exceptionally, e.g. for sending newsletters to persons who do not use CSAH services or products.
- Right of access to personal data
You have the right to obtain information from CSAH as to whether your personal data are being processed.
- Right to rectification
You have the right to have CSAH rectify inaccurate personal data concerning you.
- Right to erasure
In cases specified by the GDPR Regulation, you have the right to have CSAH erase personal data concerning you.
- Right to restriction of processing
In cases provided for by the GDPR Regulation, you have the right to have CSAH restrict the processing of your personal data.
- Right to data portability
You have the right to request that CSAH transfer all personal data concerning you to another controller.
- Right to object
You have the right to object to the processing of personal data by CSAH in cases specified by the GDPR Regulation.
- Right not to be subject to automated decision-making
You have the right not to be subject to any decision based solely on automated processing.
- Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint regarding the processing of personal data by CSAH. The supervisory authority is the Office for Personal Data Protection, located at Pplk. Sochora 727/27, 170 00 Prague 7.
Please note that the scope of your rights related to the processing of personal data depends on the legal basis for processing.
10. Contact
If you have any questions regarding the processing of personal data or any complaints, you may contact us in writing at: Czech Airlines Handling, a.s., K letišti 1040/10, Ruzyně, 161 00 Prague 6.
We will respond to your queries or complaints as soon as possible, no later than within 30 days from their receipt.
If, as a data subject, you exercise any of your rights under the GDPR Regulation, we kindly ask you, in order to ensure the fastest possible handling of your request, to specify which right you are exercising.
As CSAH is obliged under the GDPR Regulation to verify the identity of the data subject exercising their rights, CSAH may, where it is not possible to verify your identity and where there are reasonable doubts about your identity, request presentation of an identity document or another document for identity verification at CSAH’s registered office. This procedure ensures that CSAH does not allow another person (e.g. a person impersonating you) to exercise the rights of a data subject to your detriment.
11. Data Protection Officer
The Data Protection Officer of CSAH is Ing. Roman Palkovič. You may contact him by e-mail at: dpo@prg.aero
12. Basic Terms
Given that a number of specific terms appear in the text concerning the processing of personal data, we hereby explain the basic concepts of personal data protection.
Personal data
Any information relating to an identified or identifiable natural person; an identifiable person is a person who can be identified directly or indirectly, in particular by reference to an identifier such as name and surname, date of birth, identification number, age, personal status, etc.
Special categories of personal data (sensitive data)
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health or sex life or sexual orientation. Such data may cause harm to a person in society, employment, school, or lead to discrimination.
Processing of personal data
Any operation or set of operations performed systematically by the controller or processor on personal data, whether by automated or other means, including collection, recording, organisation, structuring, storage, making available, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, publication, retention, exchange, sorting or combination, blocking, and erasure.
Data subject
A natural person to whom personal data relate and who can be identified on the basis of such data.
Processor
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Consent to the processing of personal data
One of the legal bases on which the controller may process personal data of the data subject, provided that consent is freely given, specific, informed, and unambiguous.
Purpose of personal data processing
The legal basis (reason) on which the controller is authorised to process personal data.
Legal basis for personal data processing
The controller may process personal data only if one of the legal bases exists for such processing. Different purposes require different legal bases.
Genetic data
Personal data relating to the genetic characteristics of a natural person providing unique information about their physiology or health.
Biometric data
Personal data resulting from specific technical processing relating to physical or physiological characteristics enabling unique identification of a person, such as facial images or dactyloscopic data.
Cookies
A short text file sent by a visited website to a browser, allowing the website to record information about your visit, e.g. preferred language and settings.
Automated processing of personal data
Processing of personal data carried out solely by means of computing technology without human intervention.
GDPR
General Data Protection Regulation – abbreviation used for Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
13. Legal Regulations
In processing your personal data, CSAH complies with applicable legal regulations, in particular the GDPR Regulation, laws governing the protection of privacy and confidentiality, as well as other specific legal regulations.
The main legal regulations in the area of personal data protection or directly related thereto are:
- Regulation (EU) 2016/679 (GDPR);
- Act No. 110/2019 Coll., on the Processing of Personal Data;
- Act No. 89/2012 Coll., Civil Code;
- Act No. 480/2004 Coll., on Certain Information Society Services;
- Act No. 634/1992 Coll., on Consumer Protection;
- Commission Implementing Decision of 10 July 2023 on the adequacy of the EU–US Data Privacy Framework;
- Commission Implementing Decision of 28 June 2021 on the adequacy of the level of personal data protection in the United Kingdom.
