Information memorandum of personal data protection

The objective of this Information Memorandum of Personal Data Protection is to provide information related to processing of personal data pursuant to provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC.

In this Information Memorandum of Personal Data Protection you will find information about the purposes we and our group process your personal data for, whom they may be provided to, what your rights are, as well as information where you can contact us in case you have a question related with processing of your personal data.

The controller is NG AVIATION SE, Organization ID.: 01509667, registered office at Jungmanova 36/31, Nové Město 110 00 Praha, registered in Městský soud v Prahe, folder No.: 59520/B, (hereinafter referred to as the “Company”).

Our Company group includes following companies:
NG Aviation s. r. o. registered office at Ivánska cesta 30/B, Bratislava – mestská časť Ružinov 821 04, Slovak Republic, IČO: 50 517 902, registered in Business Register of the District Court Bratislava I, section: Sro, insert No. 114492/B and NG Aviation Services s.r.o. registered office at Južná trieda 4B, Košice – mestská časť Juh 040 01, IČO: 51 296 888, registered in Business Register of the District Court Košice I, section: Sro, insert No. 43035/V.

The Company group applies strict rules in order to determine which employees or departments are authorized to access your personal data and which data may be processed. We do not transfer your personal date outside the Company group, as a matter of principle, with the exception of those cases where we have your consent to do so or where we are required or authorized to do so by law or in our legitimate interests (for example, in the case of suppliers or a request from the bodies active in criminal proceedings and so on).

Ensuring protection of your personal data is very important for us and therefore we pay proper attention to compliance with the valid legal regulations at personal data processing, especially the principles and requirements resulting from GDPR. We have set the respective technical and organizational measures that contribute to ensuring protection of the processed personal data of our clients.

In case of any questions related to processing of your personal data please contact date protection officer who ensures relevant answer or cooperation. You may contact data protection officer by e-mail on dpo@ngaviation.eu or in writing at: na Jungmanova 36/31, Nové Město 110 00 Praha, attention: data protection officer.

You can take the steps described below to protect your rights if you disagree with the method used to process your personal data. The Office for Personal Data Protection supervises the protection of privacy and personal information: Address: Pplk. Sochora 27, 170 00 Prague 7 Tel.: 234 665 111 Web: www.uoou.cz

Following definitions shall be used in this document:

Client – Person with whom Company entered into transaction, where a transaction means formation, change or termination of contractual relationships between the Client and Company.

Commercial Code – Act No. 90/2012 Coll.

Controller – The company who determines the purposes and means of personal data processing.

Data subject – Natural person whose personal data are processed. It is a person who can be identified directly or indirectly, especially with reference to the identifier such as name, identification number, online identifier or one or several elements specific for physical, physiological, genetic, mental, economic, cultural or social identify of this natural person.

GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Information system – Organized set of personal data processed by Company for the following purpose:
to identify the Clients, Company´s contract partners, customers, facilitators, suppliers; to inform about services provided by Company; to provide services; to protect interests of Company; to fulfill obligations arising from legal provisions; to fulfill tax and accounting obligation of the Company; to lodge the claims of the Company; to fulfill statistical and other obligations to be fulfilled by the Company under internal policy and regulations.

Other legal acts – Applicable legislation of the Czech republic e.g. Act No. 89/2012 Coll., the Civil Code, Act no. 235/2004 Coll. on value added tax, Act no. 164/2013 Coll. on international co-operation in tax administration, Act no. 563/1991 Coll. on accounting, Act no. 262/2006 Coll., the Labour Code, Commercial Code.

Personal data – Data about natural person who was identified or who can be identified directly or indirectly, especially with reference to the identifier such as name, identification number, online identifier or one or several elements specific for physical, physiological, genetic, mental, economic, cultural or social identify of this natural person.

Processing – Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor – Any person who processes personal data on behalf of the controller on basis of authorization in compliance with Article 28 GDPR.

Examples of personal data processing by the Company group:

A) Causes of processing personal data by Company

Company processes the personal data on legal grounds and processes only those personal data which are required for achieving the particular processing purposes. Personal data are processed always for the pre-determined and legitimate purpose while it would not be possible to achieve such purpose without processing of the respective data according to Commercial Code and the Other legal acts.

Company processes personal data on the purpose:
a) Identification of clients,
b) Provide services,
c) Maintenance of contract relationships including changes and termination of contract relationships,
d) Acceptance and processing of suggestions and complaints of Clients,
e) Relationship management,
f) Protection and seeking the rights of Company,
g) To fulfill obligations arising from legal provisions,
h) Maintenance of separate records of Clients who do not meet their obligations ensuing from the contract relationships with the Company duly and on time, Clients who have committed action considered as unusual business transaction and Clients the international sanctions relate to,
i) To fulfill tax and accounting obligation of the Company,
j) To lodge the claims of the Company,
k) Activities related with meeting the archive duties,
l) Marketing.

Company may proceed to processing of your personal data in cases not mentioned above under the following legal grounds:
a) if it is necessary for performance of the contract concluded between Client and Company including precontract relationships pursuant to Article 6 par. 1 b) GDPR,
b) data subject have granted consent to processing of personal data for the particular purpose/purposes pursuant to Article 6 par. 1 a) GDPR,
c) data subject have granted consent to processing of personal data for the particular purpose/purposes pursuant to Article 9 par. 2 a) GDPR,
d) if it is necessary for purposes of legitimate interests followed by Company or a third party pursuant to Article 6 par. 1 f) GDPR,
e) if processing is necessary for proving, claiming or justification of legal claims pursuant to Article 9 par. 2 f) GDPR.

Company proceeds personal data also on purpose to prevent against criminal activity or other illegal action.

The Company also processes personal data while monitoring its premises for the purpose specified in the previous sentence mainly to protect their employees, property and their safety.

For the purpose of informing company´s partners about the products and services provided by the Company, personal data is processed primarily on the basis of the Company’s legitimate interests and, exceptionally, based on prior voluntary consent.

Company has legitimate interest in taking care for its Clients and developing business relations with its Clients, and hence informing them about its products and services.

In relation thereto Company can contact Client yet without his prior consent while it will inform Client of such processing of his personal data and instructs Client about his rights, especially about the right to object to processing of his personal data.

B) Processing of personal data

Company process these personal data –

a) Identification data (for instance name, surname, date of birth, birth identification number, data from the identification document, nationality, identification document photography, client number, product number, bank account number),
b) Contact data (for instance permanent/temporary residence address, e-mail address, telephone number),
c) Data about the utilized products and services (e.g. data about the utilized products and services, data related with processing of your suggestions),
d) Data about representatives or employees of the Client with whom Company communicates,
e) Economic data (for instance data about ownership of movable and immovable objects),
f) Data required for monitoring of secure utilization of products and services,
g) Data related with utilization of websites and applications of Company (for instance cookies),
h) Other relevant data (for instance data about business activities, bankruptcy proceedings, personal bankruptcy, data related with meeting your contract duties and obligations, data about your payment discipline, data from credit registers, data about inclusion in the list of clients the international sanctions relate to),
i) Data arising from activity on social networking sites.

C) Entities, to which Company provides personal data

Company shall not provide your personal data to other entities, except for the cases in which data subject have granted it´s consent or written instruction or if other legal ground for provision of personal data to other entities exists, for instance in case of performance of the legal obligation of Company.

Your data is typically administered by the company where you are a client. If you are a client with several of our companies, each company will primarily administer the information which concerns its product. If we collect personal data on the basis of your visits to us or our mutual communication, the controller of this data will always be the company to which this action pertains.
The controller collects your data, handles it, and bears responsibility for its correct and legal processing. The controller is the person toward whom you can exercise your personal data protection rights. The controller is the company which provided you with this document at the time when it collected your personal data. If we request your consent to process your personal data, the controller of your personal data is the company which you give this consent to. The question as to who is the controller of your personal data, it is primarily based on how we acquired the information about you:

Company in compliance with legal obligations provides personal data to other entities in these cases:

a) if the Company acts as an employer,
b) protection against legalization of incomes from criminal activities and financing of terrorism,
c) in connection with reporting to the law enforcement authorities about suspicion that a crime is being prepared, being committed or was committed,
d) in connection with the reporting duty to the respective authority of the Czech Republic for the purpose of automatic exchange of information about financial accounts for purposes of tax administration pursuant to a separate regulation (FATCA, CRS).

Company may process your personal data in certain cases also by means of its processors. Authorization for processing personal data of data subject by a processor does not require it´s consent or other legal ground such as in case of provision of data to other controllers. In such case the processor processes personal data of data subject on behalf of Company as the controller.

Processing of personal data by means of a processor has no negative impact on performance and application of data subject´s rights while the Client can apply the respective rights with Company or also directly with the particular processor.

Company uses the processors providing appropriate technical, organizational and other measures so that processing meets the GDPR requirements and protection of rights of the data subject is provided in full extent.

Company uses the following processors, whose provide:

a) marketing activities,
b) economical, accounting and tax services,
c) print services and services of mass correspondence,
d) administrative services connected with delivery,
e) legal services,
f) recovery and maintenance of receivables,
g) financial and related services,
h) maintenance of registry records pursuant to separate regulations.

We keep your personal data within our group. The data is only transferred outside the group on the basis of your consent or if required by law. Your data may be processed by cooperating distributors and suppliers, if it is essential to do so for the purposes stated above and especially if the external subject in the given area has the essential professionalism and level of expertise. We are obliged to transfer your data to various national and international bodies, but always under the conditions set out by law.

Every company will share your basic data, product and service data and the data from our communication and interaction with the other companies in the group. We do this in order to protect our rights and legitimate interests: we need to share the information to preserve the integrity and up to-date nature of our data and the speed and quality of our services within the framework of client identification and authentication, the management of our relations with the clients and your use of the products and services. We share the data for our administrative purposes. This enables us to serve you and to meet your requirements across the entire Group. For example, if you change your surname or contact details, each company in the Group will not bother you separately with regard to the change in this information, provided this is technically possible.

If we commission another entity with the performance of certain activities which constitute a part of our services, this may lead to the processing of the appropriate personal data. In some cases, these suppliers become the personal data processor. The processor is only authorized to handle the data exclusively for the purposes of the performance of the activity for which it has been commissioned to undertake by the appropriate controller. Your consent is not required for the performance of the processing activities in such a case because this type of processing is directly permitted by law. If we use cloud storage, it is always located within the EU and secured with a high level of data security. The suppliers are primarily the companies operating within the Group. Some activities are secured using entities from outside the group. The suppliers who come from outside the Group include especially: IT service providers, accouting, payroll agenda, including cloud storage archiving service providers, entities used to recover our receivables, lawyers, marketing agencies and persons cooperating with us when organising events for our clients, bulk product providers, such as group providers of printing and postal services, including couriers.

Some public authorities and other organizations are entitled to request information about you. This mainly involves the courts, the Police Force of the Czech Republic, guarantee funds or health insurance companies, for example. We only provide the information to these institutions if such a request is permitted by law. Your data is also transferred if our receivables are assigned.

D) Retention period of personal data

Company shall retain personal data in a form enabling the identification for the period necessary to achieve the purpose of personal data processing.

If the personal data are being processed with the consent of data subject, Company will store personal data after the consent is revoked or its validity expires only for the period required to demonstrate, apply or defend legal claims of Company. This also applies in case of processing under the contract.

We only keep your data for the absolutely necessary period of time. We archive it for 10 years due to our statutory obligation to archive, due to the obligation of prudence and due professional care, in particular in respect of the statute of limitation periods for another 10 years. We respect the rules of data minimization when handling your data. This means that we have set strict internal archiving rules in order to ensure that we do not hold any data for longer than we are authorized to do so. We are obliged to implement the measures prescribed by the Money Laundering Act in the case of most business relationships. According to this law, we are required to archive the appropriate data, i.e. especially your identification and transaction data, for a period of 10 years from the moment of transaction realization or the termination of commercial relations with you. This period is also stipulated in other legislation. The VAT Act obliges us to keep tax documents and records with detailed data related to the provision of selected services for a period of 10 years from the end of the taxation period, in which the performance occurred. We are therefore generally obliged to archive the majority of the basic data and the product and service data on the basis of these Acts.

E) Personal rights and Company obligations in relation to personal data processing

The Company is obliged to provide the personal data to the data subject whose the personal data is processed.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.

The Company immediately erase and rectify the personal data which are incorrect in relation to the purpose for which they are processed.

The Company shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing,
c) the data subject objects to the processing the personal data and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing the personal data,
d) the personal data have been unlawfully processed,
e) the personal data have to be erased for compliance with a legal obligation in GDPR, special law or international contract to which Czech Republic is subject.

Where the Company has made the personal data public under GDPR and is obliged to erase the personal data, the Company, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data,
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
c) the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims,
d) the data subject has objected to processing the personal data pending the verification whether the legitimate grounds of the Company override those of the data subject.

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Company to which the personal data have been provided, where the data subject has given consent to the processing of his or her personal data for one or more specific purposes, or where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

We adopt technical and organizational measures with the aim to protect your personal data against intentional or neglectful deletion, loss or change and unauthorized accession of your personal data

The Company employees, as well as Company contract partners who process personal data on behalf of Company are bound by the obligation of secrecy which lasts yet after the contract relationship terminates.

If your personal data are being processed based on the consent pursuant to Article 6 par. 1 GDPR or pursuant to Article 9 par. 2 GDPR, you are entitled to withdraw this consent at any time. However, withdrawal of consent has no impact on lawfulness of processing resulting from consent before its withdrawal.

Cookies Policy

What are cookies?

Cookies are small text files that are placed on your computer or device by the websites that you visit. They are widely used in order to make websites work and to provide information to the owner of the website.

Why do we use cookies?

When someone visits www.ngaviation.com we collect standard internet log information so that we can track visitor behaviour patterns. We do this to find out things like how many people have visited a particular page or how long visitors spend in different parts of the site. This helps us to improve our website and to plan our future work.

We also use cookies to make certain parts of the website work, for instance in order to submit a research project or to use some features, when we need to know who you are. You can delete existing cookies and block new ones from our website – there is more information on this below – but this will mean that parts of the site will not work for you.

How can I delete and block cookies?

Most modern web browsers give you some control over cookies. You can set your web browser to accept or reject all cookies or to accept or reject specific cookies. You may also be able to set your browser to alert you every time a cookie is offered.

You can find out how to control and delete cookies on AboutCookies.org.