1. HOW WE COLLECT, CONTROL, AND PROCESS YOUR PERSONAL DATA
1.1. FAIR PROCESSING.
In order to manage our business and carry out customary Human Resources activities, we collect a certain amount of Employee and (where applicable) Contractor, Trainee & Job Applicant Personal Data.
“Personal Data” means any Data relating to a natural living person who can be identified either directly from the Data itself or indirectly in conjunction with other information. Personal Data also includes information you provide to us about other people such as for instance your dependants, next-of-kin, and/or family members.
By providing Personal Data about other people you confirm you have made them aware of the use of their Data set out in this Notice.
We are committed to protecting your privacy and will be clear and transparent about the Personal Data we collect and what we do with it.
This Notice sets out the basis on which we collect, control, process, and disclose Personal Data we collect about you, or that you provide to us. It applies whether you are a past, current or prospective employee, applicant, interview candidate, intern, agency worker, secondee, consultant, individual contractor or director or a trainee. It also applies to other people whose Personal Data you provide to us (for example, in respect of emergency contact information).
You have rights in relation to how we handle your Personal Data (see: – 3. YOUR RIGHTS REGARDING THE PERSONAL DATA THAT WE CONTROL).
This Notice does not confer any contractual right on you or place any contractual obligation on us.
1.2 CHANGES TO THIS PRIVACY NOTICE.
This Notice may change from time to time. The most up-to-date version is published on our website. Any changes that affect you will be communicated to you by way of an e-mail or a notice on our employee website as appropriate.
1.3 WHO CONTROLS YOUR PERSONAL DATA AND HOW CAN YOU CONTACT THEM?
Stobart Air UC is the “Data Controller” of all Personal Data we collect and process. “Stobart Air” primarily refers to Stobart Air UC, and where appropriate, to other companies in the Group or entities over which we exercise control. We are registered in Ireland with registration number 28858.
Questions or concerns you have can be addressed to: –
Data Protection Officer, Stobart Air, 1, Northwood Avenue, Santry, Dublin 9, D09 V2F7, Ireland. Email. firstname.lastname@example.org.
1.4 CATEGORIES OF PERSONAL DATA WE MAY COLLECT.
We may collect and process some or all of the following categories of Personal Data in relation to you: –
| Category | Personal Data |
|---|---|
| Individual details | Name, address (including proof of address), other contact details (e.g. email and telephone numbers), nationality, identifying details of dependants (e.g. date of birth, your/your children’s birth certificate, marriage certificate), bank account details, tax certificates. |
| Identification details | Identification numbers issued by government bodies or agencies, including your PPS/NI number, passport number, tax identification number, driver’s licence, work permit details. |
| Application details | Curriculum vitae and/or application form, previous employment background, references from previous employers, educational details, professional and/or academic transcripts; interview records. |
| Employment and Performance information | Job description, employment history and details of current position; contract of employment, signed confidentiality agreements, dates of employment; salary and benefit details including bank details; sick leave and annual leave data; performance assessments, data relating to training and development; records relating to any grievance and/or disciplinary processes, or incident reports, hours worked, car insurance details, staff number, health insurance details, insurance subscription details. |
| General records | General correspondence, telephone records*; records of email and internet usage, CCTV images (for security & safety purposes), data relating to criminal convictions if any. |
| Special Categories of Personal Data | Certain categories of Personal Data which have additional protection under data protection law. The categories are health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, bio-metric data, or data concerning sex life or sexual orientation. |
| Requested Services | Requested services (such as a meal) which are not ‘sensitive data’ but may imply or suggest your religion, health or other information. |
We may also collect Data from other sources including:-
- Your previous employers.
- Publicly available Data (e.g. social media and online content you have made publicly available).
- TV, radio and media content.
- EU and UN Sanctions lists.
- Our/Your Insurers.
- Records which departments other than HR may compile during the course of and in connection with your employment.
*If you call us on the telephone, and we intend recording the call we shall inform you that we are doing so and the purpose of the recording as follows: “Please note this call is being recorded for training, quality and security purposes”.
1.5 CONSEQUENCES OF FAILURE TO PROVIDE PERSONAL DATA.
If we cannot collect necessary Personal Data from you, it may make it difficult, impossible, or unlawful for us to enter into or continue an employment or other contract with you.
If we ask for Data and you do not wish to give it to us, or if you wish to withdraw consent to the use of your Data, we will explain the consequences including whether it is a statutory or contractual requirement that we use such Data.
1.6 LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA.
We will only process Personal Data for lawful reasons. These are: –
| No. | Legal basis |
|---|---|
| 1 | You have consented* to us using your Data in such a way. |
| 2 | When necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering a contract. |
| 3 | When necessary to comply with legal obligations. |
| 4 | In your vital interest. |
| 5 | When necessary for the performance of a task carried out in the public interest, such as the investigation of a criminal offence. |
| 6 | When necessary for the purpose of our legitimate interests in operating, managing and improving our business as an airline. |
*Where we rely on your Consent as the legal basis on which we process your Personal Data, we will notify you that this is the basis, and ensure that such Consent is freely given, specific, informed, and recorded. Where we process data on the basis of your Consent, you are free to withdraw that Consent at any time without detriment to you.
Note. Children aged 16 or over can provide consent in respect of “Information Society Services” (defined in Article 1(1) b of Directive (EU) 2015/1535). Under this age, consent of parents or legal guardians is required. Otherwise the age of consent is 18, and consent of parents or legal guardians is required.
1.7 THE PURPOSE OF PROCESSING YOUR PERSONAL DATA.
The Legal Bases on which we process your Personal Data (from the list set out above in 1.6. LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA.) are in brackets beside each purpose.
- Engage in recruitment (6), (including processing your job application, and seeking references¹ from referees whose name/s you have provided to us), employment & remuneration (2, 3, 1), and termination/cessation of employment (2, 3, 6).
- Providing an employment reference¹ about you to another company. (2, 1).
- Engage in disciplinary/grievance procedures. (2, 3, 6).
- Carry out fitness and competency assessments. (3, 6).
- Provide face-to-face and computer training & development programmes both on our premises and elsewhere. (6, 3).
- Safeguard access to and monitor our I.T. and Telephony Systems (including monitoring location Data from issued mobile phones where the device has been lost or stolen). (6, 3).
- Pay, record, and monitor salary, benefit, and reimbursement of business expense payments. (2, 3, 6).
- Engage in payroll deductions. (2, 3).
- Facilitate any employee incentive schemes that the Company may at its discretion introduce from time to time. (6).
- Engage in corporate social responsibility campaigns. (6).
- Ensure anti-money laundering, sanctions, and airport security compliance. (3, 5).
- Use the “in case of emergency” contacts you have provided to us. (4).
- Carry out business continuity planning. (6).
- Record and monitor health, security, quality and safety standards at work and report incidents. (3, 5).
- Facilitate and co-operate with regulatory investigations carried out by airline regulatory bodies (such as Civil Aviation Authority, Irish Aviation Authority, Workplace Relations Commission etc.). (3, 5, 6).
- Conduct advertising and publicity campaigns with selected employees (print, digital, and video). (1).
- Run wellness activities. (1).
- Organise company social events (6).
- (Where appropriate) provide tokens/gifts to employees recognising significant life events or performance. (6).
- Manage our fleet of company vehicles. (6, 3).
- Record hours worked. (2, 3, 6).
- Facilitate employee car parking at head office and at other locations where we conduct business. (6).
- Roster employees for flying, crewing, and training. (6).
- Provide accommodation for employees where operationally necessary. (6).
- Provide and administer business & concessionary travel for staff, and where applicable concessionary travel for family/friends. (2, 6).
- Record, monitor and manage work performance. (6, 2).
- Manage absence due to ill health. (6, 2).
- Facilitate the employee health insurance scheme. (2).
- Facilitate the employee pension scheme & death in service benefit. (2).
- Facilitate insurance coverage for loss of pilot licence. (2, 6).
- Assess employees, visitors, & contractors for, and provide them with the Security Passes they require in order to carry out the duties of their employment, and/or facilitate the issuance of such passes where they are necessary and are provided by other entities. (2, 3).
- Safeguard access to and monitor the security of our buildings, and crew rooms. (6).
- Comply with legal & regulatory requirements (for example disclosing tax data to the Office of the Revenue Commissioners). (3).
- Exercise our right to defend, respond or conduct legal proceedings. (6).
- Internal management and management reporting & analysis. (6, 3).
- Carry out ergonomic, safety, and health assessments. (3, 6).
- Provide employee uniforms and work wear. (2, 6).
- Carry out satisfaction/engagement surveys and/or ballots. (6).
- Comply with the COVID-19 Return to Work Safely Protocol for Employers and Workers document published by the Government of Ireland. (3, 5).
- Carry out suitability assessment against HSA guidance on Employees in relation to working from home on a temporary basis due to COVID-19. (6).
¹ Where we receive such a reference it is accepted on the express understanding that it is an “opinion given in confidence” pursuant to 60(3)b of the Data Protection Act 2018 and will be excluded from any “Data Access Request” you may make. Where you request a reference and we agree to provide it, it will be provided on the express understanding that it is an “opinion given in confidence” pursuant to 60(3)b of the Data Protection Act 2018 and will be excluded from any “Data Access Request” you may make.
1.8 PROCESSING OF PERSONAL DATA RELATING TO CRIMINAL CONVICTIONS.
We may process Personal Data relating to criminal convictions for one or more of the following legal bases: 1, 2, 3, 4.
1.9 PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA.
We may process Special Categories¹ of Personal Data concerning you, for one or more of the Legal Bases outlined in 1.6. LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA. and/or:
- Where it is necessary for the purposes of carrying out our obligations in the field of employment and social protection law.
- Where the Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
- Processing relates to personal Data which are manifestly made public by you.
- In the interest of public health.
- For Insurance & Pension purposes where permitted by 50 (2) of the Data Protection Act 2018².

¹ Special Categories of Personal Data: – Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes genetic data, and bio-metric data for the purpose of uniquely identifying a natural person. Data concerning health or data concerning a natural person’s sex life or sexual orientation is also Special Category Data. (Provisions for the processing of such Personal Data are set out in Article 9 GDPR).

² (Processing of special categories of personal data for insurance and pension purposes.) “Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of data concerning health shall be lawful where the processing is necessary and proportionate for the purposes of the following: (a) a policy of insurance or life assurance, (b) a policy of health insurance or health-related insurance, (c) an occupational pension, a retirement annuity contract or any other pension arrangement…..”
2 SHARING AND STORING YOUR PERSONAL DATA
2.1 WHO WE SHARE YOUR PERSONAL DATA WITH.
Where necessary to achieve the purpose of processing your Personal Data (see: – 1.6. LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA.), we may share it with the following external parties: –
- Pension trustees, pension administration companies & the beneficiaries of pension & other financial products you have.
- Your bank, credit union, or other financial institution/s.
- Your health insurers.
- Our insurers.
- Family, relatives & guardians.
- Medical doctors and specialists.
- Employers – past, and prospective.
- Employment agencies and operators of job websites.
- The Company’s legal, financial, medical, & other professional advisers.
- An Garda Síochána, National Police in countries where we operate, and Airport Police.
- The Companies Registration Office.
- The Standards in Public Office Commission.
- The Workplace Relations Commission.
- Companies we may outsource our printing and posting to.
- Security Companies registered with the Private Security Authority.
- Companies operating confidential shredding services.
- Academic/professional organisations applicable to our business and/or you/your employment.
- IT subcontractors providing network and bespoke HR, Quality, Accounting, Auditing, and other Management Systems and Web Applications (who from time to time may access Personal Data for the purpose of customary activities solely concerned with providing & maintaining the service).
- Telephony maintenance & programming companies & personnel.
- Ground handling companies.
- Hotels/ Guesthouses/ Property Letting Agents – for the purpose of Staff accommodation.
- Other Airlines – for the purpose of Duty and Concessionary Travel.
- Suppliers & couriers.
- Our Parent Company.
- National taxation authorities.
- CSR nominated charities.
- Other companies for salary bench-marking purposes.
- Car leasing companies for the administration and maintenance of the company car fleet.
- Companies who provide us with payroll administration systems & services, and IT professionals involved in the maintenance and/or upkeep of such systems.
- Airline industry regulators.
- Media companies.
- Airport Authorities.
- Uniform Suppliers.
- Companies providing workforce analytics platforms for the purpose of carrying out anonymised employee surveys.
2.2 TRANSFER OF PERSONAL DATA OUTSIDE THE EEA.
We operate in multiple jurisdictions located in the European Economic Area (EEA) and/or where the European Commission has ruled that the level of Personal Data protection is adequate by way of an “adequacy decision”.
Where we transfer your Data to a country which is not the subject of an “adequacy decision” we only do so on the basis of a lawful derogation under Article 49 GDPR, or if none applies, we take all safeguards required by law, to ensure the safety, privacy and integrity of such Data.
Should you require details of the safeguards we have in place for the transfer of Personal Data to other countries please contact our Data Protection Officer.
2.3 SECURITY OF YOUR PERSONAL DATA.
We maintain appropriate technical and security measures to protect Personal Data against accidental loss, destruction or damage. All entities to whom we disclose your Data are required to have appropriate technical and operational security measures in place.
2.4 HOW LONG DO WE KEEP YOUR PERSONAL DATA?
It may be necessary to retain your Personal Data for an extended period of time. We keep your Personal Data for as long as required for the purpose that you gave it to us for.
As a general rule for legal and best practice reasons we keep your Personal Data for 7 years after the date on which your contract with us ended and/or until 7 years after any deferred pension entitlements you may have ceased. Applicant Data is held for 2 years.
Full details can be obtained free of charge by contacting our Data Protection Officer.
Details of the Cookies we use on our website and how to exercise your Cookie Options are in our Website Privacy & Cookie Notice and our Cookie Consent Centre.
3 YOUR RIGHTS REGARDING THE PERSONAL DATA THAT WE CONTROL
3.1 YOUR RIGHTS TO ACCESS, TRANSPORT, CORRECT, AND DELETE YOUR PERSONAL DATA.
3.1.1 Accessing and Transporting your Personal Data.
You have the right to be provided with a copy of your Personal Data, and/or have it provided by us to another Data Controller. If you would like a copy of your Personal Data, please contact our Data Protection Officer or HR Department.
Your request must be in writing and must contain the following: –
- Your name and address.
- Details of your request.
- Details which may help us locate the Data which is the subject of your request.
- You must also provide: –
- A photocopy of your passport or driving licence, so that we can verify your identity.
- Your signature and the date of the request.
- If you are applying on behalf of another person, we need verification of their identity and their signed authority.
We may need to request other information from you to help confirm your identity. This may be necessary to ensure that Data is not disclosed to a person who has no right to receive it.
Your request will be dealt with as quickly as possible. You will not have to wait for more than a month for us to respond. If at that stage, we are unable to provide the Data you require (due to complexity/ number of requests) we may extend the period to provide the data by a further two months. If we do this, we will explain the reason why.
Ordinarily you will not have to pay a fee to access your Data or to exercise your rights. We may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
3.1.2 Correcting your Personal Data.
If your Data is found to be incorrect you have the right to have it corrected free of charge by contacting our Data Protection Officer.
3.1.3 Deleting your Personal Data.
Subject to any overriding legal obligation requiring us to retain it, you have the right to have your Data deleted; however, erasing your Data may make it difficult or impossible for us to enter into or continue a contract of carriage with you or provide services to you. If you want your Data deleted, please contact our Data Protection Officer.
3.1.4 Restricting our use of your Personal Data.
You have the right to restrict our use of your Data in certain circumstances. If you wish to ask to exercise your rights in this regard, please contact our Data Protection Officer.
3.2 AUTOMATED DECISION MAKING.
An Automated Decision is one that has a legal or significant effect on you, made by processing your Personal Data solely by automatic means.
You may be required to carry out computer-based training that includes an exam marked by automatic means, and where failure may result in you being unable to lawfully carry out the duties of your employment. Where such is the case you will be given appropriate notice of such training and the communication will include details of how to have the automatically generated exam result reviewed by the Training Department should you wish to exercise your right to do so.
3.3 YOUR RIGHT TO OBJECT AND WITHDRAW YOUR CONSENT TO DATA PROCESSING.
Where our legal basis for processing your Personal Data is based on our Legitimate Interest, you have the right to object. You have the right to withdraw any Consent you gave to the processing of your Data. If we cannot Process your Data it may make it difficult, impossible or unlawful for us to enter into or continue a contract of carriage with you or provide services to you.
Objecting to processing and/or withdrawing your Consent will not affect the legitimacy of processing that took place prior to you exercising this right.
If you want to object or withdraw your Consent, please contact our Data Protection Officer.
3.4 YOUR RIGHT TO MAKE A COMPLAINT.
3.4.1 Complaining to our Data Protection Officer.
If you are unhappy about the way we handle your Personal Data, please contact our Data Protection Officer. We will do our best to address your concerns swiftly and resolve any issues you may have.
3.4.2 Complaining to the Supervisory Authority.
You have the right to complain to the Supervisory Authority. The Supervisory Authority is the Data Protection Commission. Their contact details are as follows: – The Data Protection Commission 21, Fitzwilliam Square South, Dublin 2. D02 RD28 Ireland. www.dataprotection.ie E-Mail: email@example.com