Data Privacy Policy

1 COLLECTING, CONTROLLING, AND PROCESSING YOUR PERSONAL
DATA.

1.1 FAIR PROCESSING.

In order to manage our business, Stobart Air (we/us/our) collect a certain amount of Personal Data. Personal Data means any information relating to you which allows us to identify you, such as your name, contact details, booking reference number, payment details and information about your access to our website.

Personal Data also includes information that you provide to us about other people such as for instance your dependents and/or travelling companions.

By providing Personal Data about any other person to us you are confirming you have made them aware of the use of their Personal Data in the manner and for the purposes set out in this privacy notice.

We are committed to protecting customer privacy and take our responsibility regarding the security of customer Personal Data seriously. We will be clear and transparent about the Personal Data we are collecting and what we will do with that information.

This data privacy notice sets out the basis on which we collect, control, process, and disclose any Personal Data we collect about you, or that you provide to us. It applies to you, whether you are a past, current or prospective customer. It also applies to other people whose information you provide to us in connection with our relationship with you (for example, your travelling companions, dependents, next-of-kin, or emergency contacts).

You have various rights in relation to how we handle your data including the right to object where we are using your data on the basis that it is necessary for the purpose of our legitimate interests. (See 3. YOUR RIGHTS REGARDING THE PERSONAL DATA THAT WE CONTROL).

This data privacy notice does not form part of any contract and does not confer any contractual right on you, or place any contractual obligation on us.

1.2 CHANGES TO THIS PRIVACY NOTICE.

This privacy notice may change from time to time. Any changes that affect you will be communicated to you by way of an e-mail, in writing, or by way of a notice on our website as appropriate.

1.3 WHO CONTROLS YOUR PERSONAL DATA AND HOW CAN YOU CONTACT THEM?

1.3.1 Controller.
Stobart Air UC is the “data controller” of all Personal Data that we collect and process.“Stobart Air” (we/us/our) primarily refers to Stobart Air UC, the main operating company of the Stobart Air group, and, where appropriate, to other companies in the Stobart Air group or other entities over which Stobart Air exercises management control. Stobart Air is registered in Ireland with registration number 28858

1.3.2 Contact Details.

Any questions or concerns you have can be addressed to:-

The Data Protection Manager, Stobart Air, 1, Northwood Avenue, Santry, Dublin 9, D09 V2F7, Ireland.

Tel. +353-1-8447753 (In the interest of customer service and to ensure the accuracy of our records, calls
may be recorded and monitored).

Fax: +353 (0) 1 844 7701

Email. dpm@stobartair.com

1.4 CATEGORIES OF PERSONAL DATA WE MAY COLLECT.

We may collect some or all of the following categories of Personal Data from you when you book a flight with us (or indirectly through our partners Aer Lingus, FlyBe, British Airways, or KLM, when you use
our website, or when you contact us:-

Categories
Name, home address, e-mail address, telephone number, passport or other recognised personal ID card numbers and details, credit/debit card or other payment details.
Advance Passenger Information, (known as "API") and includes the type, number, country of issuance and expiry date of any identity document, nationality, family name, given name, gender, date of birth, airline, flight number, departure date, arrival date, departure port, arrival port, departure time and arrival time as defined in S.I. No. 177/2018 - European Union (Passenger Name Record Data) Regulations 2018.
"Passenger Name Record” (known as “PNR”) which is a record of each passenger’s travel requirements and contains information necessary to enable reservations to be processed and controlled by the booking and participating air carriers for each journey booked by or on behalf of any person - as defined in S.I. No. 177/2018 - European Union (Passenger Name Record Data) Regulations 2018.
Medical conditions for passengers who have special medical requirements and/or dietary requirements.(Example:-You may have requested specific medical assistance from us and/or an airport operator, such as the provision of wheelchair assistance or oxygen, and/or you may have sought clearance to fly with a medical condition or because you are more than 28 weeks pregnant).
Travel history/itinerary, including information related to your flights and services booked in connection with your flights.
Information you provide about your and your companions’ travel preferences.
Information about your purchases of our trusted partners’ products and services.
The communications you exchange with us or direct to us via letters, emails, chat service, calls, and social media.
Personal details about your physical or mental health.
Alleged commission, or conviction of criminal offences.
Requested services (Example:- a specific meal which is not a ’special category of data’ but may imply or suggest your religion, health or other information.

We may also collect your Personal Data from other sources including:
• Persons or entities or your employer who have booked flights on your behalf
• Publicly available information (e.g. social media websites and online content that you have made publicly available.
• TV , radio and other media content; and EU and UN Sanctions lists.

Our partners

Aer Lingus privacy notice can be found at: https://www.aerlingus.com/support/legal/privacy-statement/. The Data Protection Officer for Aer Lingus can be contacted at privacy@aerlingus.com or in writing to Data Protection Officer, Aer Lingus, Dublin Airport, County Dublin, Ireland.

FlyBe privacy notice can be found at: https://www.flybe.com/privacy-policy. The Data Protection Officer for FlyBe can be contacted at Data.Protection@Flybe.com or in writing to Data Protection Officer. New Jack
Walker Hangar Exeter International Airport Clyst Honiton Exeter, EX5 2BA.

British Airways privacy notice can be found at: https://www.britishairways.com/en-ie/information/legal/privacy-policy?source=BOT_privacy-policy The Data Protection Officer for British Airways can be
contacted at DPO@ba.com, or in writing to Data Protection Officer, British Airways Plc., Waterside, (HCB3). PO Box 365., Harmondsworth, UB7 0GB. England.

KLM privacy notice can be found at: https://www.klm.com/travel/ie_en/customer_support/privacy_policy/privacy_policy.htm The Data Protection Officer for KLM can be contacted at KLMPrivacyOffice@klm.com
or in writing to KLM Royal Dutch Airlines Privacy Office – AMSPI PO Box 7700 1117 ZL Luchthaven Schiphol The Netherlands.

1.5 CONSEQUENCES OF FAILURE TO PROVIDE PERSONAL DATA.

If we cannot collect necessary information from you, it may make it difficult, impossible, or unlawful for us to enter into or continue a contract of carriage with you or provide you with some or all of our services.

If we ask for information and you do not wish to give it to us, or if you wish to withdraw consent to the use of your information we will explain the consequences based on the specific information concerned including whether it is a statutory or contractual requirement that we use such data.

If you have any queries in respect of the consequences of not providing information or withdrawing your consent, you may contact our Data Protection Manager (See 1.3.2 Contact Details).

1.6 LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA.

We will only use your Personal Data for lawful reasons (legal bases). These are:-

1You have consented* to us using your information in such a way.
2The use is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering a contract.
3The use is necessary to comply with our legal obligations.
4Vital Interest of the Data Subject.
5The use is necessary for the performance of a task carried out in the public interest, such as assisting a regulatory authorities investigation of a criminal offence.
6The use is necessary for the purpose of our legitimate interests in in operating, managing and improving our business as an airline and travel provider, and carrying out customary human resources management activities in connection with same.
7The Personal Data being processed is health data for the purposes of insurance policies or pension schemes and such health data is used only to the extent that it is necessary and proportionate for the purposes of fulfilling such insurance policies or pension schemes. (pursuant to Section 50 Irish Data Protection Act).

*Children aged 16 or over can provide their own consent in respect of “Information Society Services”(means a service as defined in Article 1(1) b of Directive (EU) 2015/1535 of the European Parliament and of the Council),and under this age, consent of the children’s’ parents or legal guardians is required. Otherwise the age of consent is 18 and consent of the children’s’ parents or legal guardians is required.

1.7 THE PURPOSE OF PROCESSING YOUR PERSONAL DATA.

The Legal Basis/es on which we process your Personal Data (from the list set out above in Section 1.6 Legal Bases for Processing your Personal Data) is/are in brackets beside each.

1. Providing products and services you request:- We use the information you give us to perform the services you have asked for in relation to your flight, including requested flight changes. (2).
2. To manage the boarding process and to facilitate flight connections at the airport.(2)
3. Contacting you in the event of a flight time change or cancellation or disruption:- We send you communications about the services you have asked for and any changes to such services. These communications are not made for marketing purposes and cannot be opted-out of (2).
4. Carrying out alterations to your travel arrangements necessitated by operational, weather or emergency reasons. (2).
5. Contacting your dependents/ next of kin/ and/or persons you may nominate to be contacted so that we may respond appropriately to any emergency involving you or passengers with whom you are travelling (4).
6. Credit or other payment card verification/screening:- (6, 3). We use your payment information for accounting (6), billing (2) and audit (6) purposes and to detect and / or prevent any fraudulent activities (6).
7. Customer surveys that you have agreed to participate in (1).
8. Competitions that you have agreed to participate in (1).
9. Administration of any loyalty program/s that you have elected to participate in.(1, 2).
10. Dealing with complaints, disputes, and legal claims (6, 3).
11. To carry out analysis and market research. (6).
12. Immigration / Customs Control:- We may be obliged to provide your Personal Data to border control agencies in your itinerary or to which your flight may fly over (3).
13. Security and crime prevention/detection:- We may pass your Personal Data to government authorities or enforcement bodies for compliance with legal requirements. Data is used for enforcement purposes, including use in threat analysis to identify potential terrorists, and other threats to national and public security; and to focus security resources on high risk concerns, thereby facilitating and safeguarding bone-fide travellers.(3). – an example would be provision of API & PNRcategories of Personal Data to the Passenger Information Unit of Ireland or another EU State to comply with S.I. No. 177/2018 – European Union (Passenger Name Record Data) Regulations 2018.
14. Disease Control:- We may be required to pass your information to customs/border control (3).
15. To manage our relationship with you as our customer (2, 6) and to improve our services and enhance your experience with us.(6)
16. Marketing & offering tailored services:- Solely with your consent we may use your data to provide information we believe is of interest to you, prior to, during, and after your travel with us and to personalise the services we offer to you, such as special offers to your favourite destinations or Family Plus deals.(1).

1.8 PROCESSING OF PERSONAL DATA RELATING TO CRIMINAL CONVICTIONS.

We may process Personal Data relating to criminal convictions for one, or more of the following legal bases: 1, 2, 3, 4, where It is necessary for the purposes of legal advice, or in connection with legal proceedings or in connection with the exercise, defence or establishment of legal claims.

1.9 PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA.

We may process Special Categories* of Personal Data concerning you, for one or more of the legal bases outlined in Section 1.6 Legal Bases for Processing your Personal Data and/or:
• Where the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity and/or
• Processing relates to personal data which are manifestly made public by you and/or
• Processing is in the interest of public health.

*Special Categories of Personal Data:- Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, bio-metric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. (Provisions for the processing of such Personal Data are set out in Article 9 of the GDPR)

2 SHARING AND STORING YOUR PERSONAL DATA.

2.1 WHO WE SHARE YOUR PERSONAL DATA WITH.

Where necessary in order to achieve the purpose of processing your Personal Data (See:- Section 1.7 The Purpose of Processing your Personal Data. ) we may share your Information with the following external
parties: –
1. Government authorities, law enforcement bodies regulators and airports in your itinerary or to which your flight may fly over, for compliance with legal requirements.
2. Trusted GDS (Global Distribution System) agents through which you booked your Stobart Air flight.
3. Airlines and other service providers needed to deliver the services you have requested where, for example, part of your travel itinerary involves a flight operated by a different airline and/or includes other services such as car hire or a hotel booking. (Those other airlines and service providers will have been identified to you when you make a booking).
4. Airlines and other service providers needed to deliver services necessitated by delays, cancellations and disruptions to your travel arrangements.
5. Trusted service providers we are using to run our business such as ground handling agents assisting our passengers at airports in all countries we operate in, call centres providing assistance to our customers, cloud service providers, loyalty program service providers/administrators, and email marketing service providers assisting our marketing team with running customer surveys and providing targeted marketing campaigns.
6. Commercial banking partners who facilitate our requirement to occasionally process refund payments directly to customers.
7. Anti-fraud, Economic Sanctions & Counter Terrorism Finance screening service providers we may retain to process and screen financial transactions.
8. Legal and other professional advisers, law courts and law enforcement bodies in all countries we operate in in order to enforce our legal rights in relation to our contract with you.
9. Social media: You may be able to access third party social media services through our website or before coming to our website. When you are registered with your social media account, we will obtain the personal information you choose to share with us through these social media services pursuant to their privacy settings in order to improve and personalise your use of our website. We may also use social media plugins on our website. As a result, your information will be shared with your social media provider and possibly presented on your social media profile to be shared with others in your network. Please refer to the privacy policy of these third-party social media providers to find out more about these practices.
10. (Solely in relation to flights originating outside the EU and to or from French Territory), “In accordance with Article L 232-7 of French Internal Security Code, please be informed that air carriers shall transmit reservation/checking and boarding data collected from their passengers (PNR/API) to the French national public services and competent authorities for the purposes and under conditions as defined in the Decret N° 2014-1095 dated 26/09/2014, and the modifying decree 2018-714 dated 03/08/2018”

2.2 TRANSFER OF PERSONAL DATA OUTSIDE THE EEA.

We operate businesses in multiple jurisdictions, all of which are located in the European Economic Area (EEA)1.

We do not currently transfer Customer Personal Data outside of the European Economic Area (EEA). If it becomes necessary to transfer your Personal Data outside the EEA, we will take all reasonable steps, as required by law, to ensure the safety, privacy and integrity of such Personal Data and, where appropriate, enter into contracts with the relevant third parties to protect the privacy and integrity of such Personal Data, and we will amend this notice to reflect.

2.3 SECURITY OF YOUR PERSONAL DATA.

We maintain appropriate technical and security procedures surrounding the processing of of your personal data to protect it against accidental loss, destruction or damage. All entities to whom we disclose your Personal Data are required to have appropriate technical and operational security measures in place to protect it.

2.4 HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We will not retain your data for longer than is necessary to fulfil the purpose it is being processed for. To determine the appropriate retention period, we consider the amount, nature and sensitivity of the Personal Data, the purposes for which we process it and whether we can achieve those purposes through other means. We must also consider periods for which we might need to retain Personal Data in order to meet our legal obligations (e.g. in relation to claims for cancelled flights under EU Regulation 261/2004) or to deal with complaints, queries and to protect our legal rights in the event of a claim being made. When we no longer need your Personal Data, we will securely anonymise or delete it.

2.5 COOKIES AND SITE TRACKING:

Our website uses Cookies. A “Cookie” is a small piece of data that may be stored on your computer or mobile device. Cookies serve a number of purposes like letting you navigate between pages efficiently, remembering your preferences, interests or log in details, and generally improving your experience. We and some of our partners also use cookies on our website to measure the effectiveness of advertising on our websites and how visitors use our website. The use of cookies on the website allows you to enjoy more seamless visits and more accurately measures your behaviour on the website. Cookies help us give you a better website, by letting us monitor what’s working and what isn’t through site traffic analysis. As well as setting some cookies ourselves, known as “First Party Cookies”, we also work with some partners to help give you access more features on the website. These partners set “Third Party Cookies” which enable their features to be provided on or through the website (such as advertising or videos).

Full details of the Cookies used on out website and how to opt-out of receiving cookies can be seen in our Website Privacy & Cookie Notice.

3. YOUR RIGHTS REGARDING THE PERSONAL DATA THAT WE CONTROL

3.1 YOUR RIGHTS TO ACCESS, TRANSPORT, CORRECT, AND DELETE YOUR INFORMATION.

3.1.1 Accessing and Transporting your Information.

You have the right to be provided with a a copy of your Personal Data , and/or have it provided by us to another data controller. If you would like a copy of your Personal Data, please contact our Data Protection Manager. (See 1.3.2 Contact Details).

The request must be in writing and must contain the following:-
• Your name and postal address.
• Details of your request.
• Any details which may help us locate the information which is the subject of your request, for example:Booking reference or flight numbers and dates.

You must also provide:-
• A photocopy of your passport or driving licence, so that we can verify your identity.
• Your signature and the date of the request.
• If you are applying on behalf of another person we need verification of their identity and their signed authority.

Your request will be dealt with as quickly as possible and in any event you will not have to wait for more than a month for us to respond. If at that stage we are unable to provide the data you require (due to the complexity or number of requests) we may extend the period to provide the data by a further two months but shall explain the reason why.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

3.1.2 Correcting your Personal Data.

If your Personal Data is found to be incorrect you have the right to have it corrected free of charge by contacting our Data Protection Manager. (See 1.3.2 Contact Details).

3.1.3 Deleting your Personal Data.

Subject to any overriding legal obligation requiring us to retain it, you have the right to have your Personal Data deleted, however erasing your information may make it difficult or impossible for us to enter into or continue contract of carriage with you or provide services to you. If you want your information deleted please contact our Data Protection Manager. (See 1.3.2 Contact Details).

3.1.4 Restricting our use of your Personal Data.

You have the right to restrict our use of your Personal Data in certain circumstances. If you wish to ask to exercise your rights in this regard please contact our Data Protection Manager. (See 1.3.2 Contact Details).

3.2 AUTOMATED DECISION MAKING.

An Automated Decision is a decision that has a legal or similarly significant effect on you, where that decision is made by processing your Personal Data solely by automatic means, where no humans are involved in the decision-making process.

You have a general right not to be subjected to such an Automated Decision, including any automated profiling. Currently we do not use your information to carry out Automated Decision Making or Profiling.

3.3 YOUR RIGHT TO OBJECT AND WITHDRAW YOUR CONSENT TO DATA PROCESSING.

Where our legal basis (1.6 Section 1.6 Legal Bases for Processing your Personal Data.) for processing your Personal Data is based on our legitimate interests, you have the right to object. You also have the right to withdraw your consent to any processing at any time, however if we cannot process your data it may make it difficult, impossible or unlawful for us to enter into or continue a contract of carriage with you, or provide services to you.

Objecting to processing and/or withdrawing your consent will not affect the legitimacy of processing that took place prior to you exercising this right.

If you want to object or withdraw your Consent please contact our Data Protection Manager. (See 1.3.2 Contact Details).

3.4 YOUR RIGHT TO MAKE A COMPLAINT.

3.4.1 Complaining to our Data Protection Manager.

If you are unhappy about the way we handle your Personal Data please contact our Data Protection Manager and we will do our best to address your concerns swiftly and resolve any issues you have. (See 1.3.2 Contact Details).

3.4.2 Complaining to the Supervisory Authority.

You have the right to complain to the supervisory authority. The supervisory authority is the Data Protection Commission, and their contact details are as follows:-

The Data Protection Commission,

21, Fitzwilliam Square South,

Dublin 2,

D02 RD28 Ireland.

www.dataprotection.ie

Tel.: +353 (0)761 104 800 : 09:15 – 17:30hrs (17.15 Friday)

Fax: +353 57 868 4757.

E-Mail: info@dataprotection.ie