1. HOW WE COLLECT, CONTROL, AND PROCESS YOUR PERSONAL DATA.
1.1 FAIR PROCESSING
In order to manage our business and carry out customary HR activities we collect a certain amount of Employee and Applicant Personal Data.
“Personal Data” means any Data relating to a natural living person who can be identified either directly from the Data itself or indirectly in conjunction with other information.
Personal Data also includes information you provide to us about other people such as, for instance, your dependants, next-of-kin, and/or family members.
By providing Personal Data about other people you confirm you have made them aware of the use of their Data set out in this Notice.
We are committed to protecting your privacy and will be clear and transparent about the Personal Data we collect and what we do with it.
This Notice sets out the basis on which we collect, control, process, and disclose Personal Data we collect about you, or that you provide to us. It applies whether you are a past, current or prospective employee, applicant, interview candidate, intern, agency worker, secondee, consultant, individual contractor or director. It also applies to other people whose Personal Data you provide to us (for example, in respect of emergency contact information).
You have various rights in relation to how we handle your data, including the right to object where we are using your data on the basis that it is necessary for the purpose of our legitimate interests. (See: Chapter 3, YOUR RIGHTS REGARDING THE PERSONAL DATA THAT WE CONTROL.)
This Notice does not confer any contractual right on you or place any contractual obligation on us.
1.2 CHANGES TO THIS PRIVACY NOTICE.
This Notice may change from time to time. Any changes that affect you will be communicated to you by way of an e-mail or a notice on our employee website as appropriate.
1.3 WHO CONTROLS YOUR PERSONAL DATA AND HOW CAN YOU CONTACT THEM?
Stobart Air UC is the “Data Controller” of all Personal Data we collect and process. “Stobart Air” primarily refers to Stobart Air UC, and where appropriate, to other companies in the Group or entities over which we exercise control. We are registered in Ireland with registration number 28858.
Questions or concerns you have can be addressed to: – Data Protection Officer, Stobart Air, 1, Northwood Avenue, Santry, Dublin 9, D09 V2F7, Ireland. Tel. +353-1-8447753. (In the interest of customer service and to ensure the accuracy of our records, calls may be recorded and monitored). Fax: +353 (0) 1 844 7701. Email. email@example.com.
1.4 CATEGORIES OF PERSONAL DATA WE MAY COLLECT.
We may collect and process some or all of the following categories of Personal Data in relation to you: –
| Individual details | Name, address (including proof of address), other contact details (e.g. email and telephone numbers), nationality, identifying details of dependants (e.g. date of birth, your/your children’s birth certificate, marriage certificate), bank account details, tax certificates. |
| Identification details | Identification numbers issued by government bodies or agencies, including your PPS/NI number, passport number, tax identification number, driver’s licence, work permit details. |
| Application details | Curriculum vitae and/or application form, previous employment background, references from previous employers, educational details, professional and/or academic transcripts; interview records. |
| Employment and Performance information | Job description, employment history and details of current position; contract of employment, signed confidentiality agreements, dates of employment; salary and benefit details including bank details; sick leave and annual leave data; performance assessments, data relating to training and development; records relating to any grievance and/or disciplinary processes, or incident reports, hours worked, car insurance details, staff number, health insurance details, insurance subscription details. |
| General records | General correspondence, telephone records; records of email and internet usage, CCTV images (for security & safety purposes), data relating to criminal convictions if any. |
| Special Categories of Personal Data | Certain categories of Personal Data which have additional protection under data protection law. The categories are health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, bio-metric data, or data concerning sex life or sexual orientation. |
| Requested Services | Requested services (such as a meal) which are not ‘sensitive data’ but may imply or suggest your religion, health or other information. |
We may collect your Personal Data from various sources including:
- Your previous employers.
- Publicly available Data (e.g. social media and online content you have made publicly available).
- TV, radio and media content.
- EU and UN Sanctions lists.
- Our/Your Insurers.
- Records which departments other than HR may compile during the course of and in connection with your employment.
1.5 CONSEQUENCES OF FAILURE TO PROVIDE PERSONAL DATA.
If we cannot collect necessary Personal Data from you, it may make it difficult, impossible, or unlawful for us to enter into or continue an employment or other contract with you.
If we ask for Data and you do not wish to give it to us, or if you wish to withdraw consent to the use of your Data, we will explain the consequences, including whether it is a statutory or contractual requirement that we use such Data.
1.6 LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA.
We will only process Personal Data for lawful reasons. These are: –
| 1 | You have consented* to us using your Data in such a way. |
| 2 | When necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering a contract. |
| 3 | When necessary to comply with legal obligations. |
| 4 | In your vital interest. |
| 5 | When necessary for the performance of a task carried out in the public interest, such as the investigation of a criminal offence. |
| 6 | When necessary for the purpose of our legitimate interests in operating, managing and improving our business as an airline. |
| 7 | It is Health Data gathered for the purpose of insurance policies or pension schemes. It is used only to the extent that it is necessary and proportionate for the purposes of fulfilling such policies or schemes. (This is permitted by Section 50 Irish Data Protection Act). |
*Where we rely on your Consent as the legal basis on which we process your Personal Data, we will notify you that this is the basis, and ensure that such Consent is freely given, specific, informed, and recorded. Where we process data on the basis of your Consent, you are free to withdraw that Consent at any time without detriment to you.
Note. Children aged 16 or over can provide consent in respect of “Information Society Services” (defined in Article 1(1) b of Directive (EU) 2015/1535). Under this age consent of parents or legal guardians is required. Otherwise the age of consent is 18, and consent of parents or legal guardians is required.
1.7 THE PURPOSE OF PROCESSING YOUR PERSONAL DATA.
The Legal Bases on which we process your Personal Data (from the list set out above in 1.6. LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA.) are in brackets beside each purpose.
- Engage in recruitment (6), (including processing your job application, and seeking references¹ from referees whose name/s you have provided to us), employment & remuneration (2, 3, 1), and termination/cessation of employment (2, 3, 6).
- Provide an employment reference¹ about you to another company. (2, 1).
- Engage in disciplinary/grievance procedures. (2, 3, 6).
- Carry out fitness and competency assessments. (3, 6).
- Provide face-to-face and computer training & development programmes both on our premises and elsewhere. (6, 3).
- Safeguard access to and monitor our I.T. and Telephony Systems (including monitoring location Data from issued mobile phones where the device has been lost or stolen). (6, 3).
- Pay, record, and monitor salary, benefit, and reimbursement of business expense payments. (2, 3, 6).
- Engage in payroll deductions. (2, 3).
- Facilitate any employee incentive schemes that the Company may at its discretion introduce from time to time. (6).
- Engage in corporate social responsibility campaigns. (6).
- Ensure anti-money laundering, sanctions, and airport security compliance. (3, 5).
- Use the “in case of emergency” contacts you have provided to us. (4).
- Carry out business continuity planning. (6).
- Record and monitor health, security, and safety standards at work and report incidents. (3, 5).
- Facilitate and co-operate with regulatory investigations carried out by airline regulatory bodies (such as Civil Aviation Authority, Irish Aviation Authority, Workplace Relations Commission etc.). (3, 5).
- Conduct advertising and publicity campaigns with selected employees (print, digital, and video). (1).
- Run wellness activities. (1).
- Organise company social events. (6).
- (Where appropriate) provide tokens/gifts to employees recognising significant life events or performance. (6).
- Manage our fleet of company vehicles. (6, 3).
- Record hours worked. (2, 3, 6).
- Facilitate employee car parking at head office and at other locations where we conduct business. (6).
- Roster employees for flying, crewing, and training. (6).
- Provide accommodation for employees where operationally necessary. (6).
- Provide and administer business & concessionary travel for staff, and where applicable concessionary travel for family/friends. (2).
- Record, monitor and manage work performance. (6, 2).
- Manage absence due to ill health. (6, 2).
- Facilitate the employee health insurance scheme. (2, 7).
- Facilitate the employee pension scheme. (2, 7).
- Facilitate insurance coverage for loss of pilot licence. (2, 6, 7).
- Assess employees, visitors, & contractors for, and provide them with the Security Passes they require in order to carry out the duties of their employment, and/or facilitate the issuance of such passes where they are necessary and are provided by other entities. (2, 3).
- Safeguard access to and monitor the security of our buildings, and crew rooms. (6).
- Comply with legal & regulatory requirements (for example disclosing tax data to the office of the revenue commissioners). (3).
- Exercise our right to defend, respond or conduct legal proceedings. (6).
- Internal management and management reporting & analysis. (6).
- Carry out ergonomic, safety, and health assessments. (3, 6).
- Provide employee uniforms and work wear. (2, 6).
¹ Where we receive such a reference it is accepted on the express understanding that it is an “opinion given in confidence” pursuant to 60(3)b of the Data Protection Act 2018 and will be excluded from any “Data Access Request” you may make. Where you request a reference and we agree to provide it, it will be provided on the express understanding that it is an “opinion given in confidence” pursuant to 60(3)b of the Data Protection Act 2018 and will be excluded from any “Data Access Request” you may make.
1.8 PROCESSING OF PERSONAL DATA RELATING TO CRIMINAL CONVICTIONS.
We may process Personal Data relating to criminal convictions for one or more of the following legal bases: 1, 2, 3, 4.
1.9 PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA.
We may process Special Categories* of Personal Data concerning you, for one or more of the Legal Bases outlined in 1.6. LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA. and/or:
- Where it is necessary for the purposes of carrying out our obligations in the field of employment and social protection law.
- Where the Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
- Where the Processing relates to Personal Data which are manifestly made public by you.
- In the interest of public health.
*Special Categories of Personal Data: – Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes genetic data, and bio-metric data for the purpose of uniquely identifying a natural person. Data concerning health or data concerning a natural person’s sex life or sexual orientation is also Special Category Data. (Provisions for the processing of such Personal Data are set out in Article 9 GDPR).
2 SHARING AND STORING YOUR PERSONAL DATA.
2.1 WHO WE SHARE YOUR PERSONAL DATA WITH.
Where necessary to achieve the purpose of processing your Personal Data (see: – 1.6. LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA.), we may share it with the following external parties: –
- Pension trustees, pension administration companies & the beneficiaries of pension & other financial products you have.
- Your bank, credit union, or other financial institution/s.
- Your health insurers.
- Our insurers.
- Family, relatives & guardians.
- Medical doctors and specialists.
- Employers – past, and prospective.
- Employment agencies and operators of job websites.
- The Company’s legal, financial, medical, & other professional advisers.
- An Garda Síochána, National Police in countries where we operate, and Airport Police.
- The Companies Registration Office.
- The Standards in Public Office Commission.
- The Workplace Relations Commission.
- Companies we may outsource our printing and posting to.
- Security Companies registered with the Private Security Authority.
- Companies operating confidential shredding services.
- Academic/professional organisations applicable to our business and/or you/your employment.
- IT subcontractors providing network and bespoke HR management systems (who from time to time may access Personal Data for the purpose of customary activities in providing & maintaining the service).
- Telephony maintenance & programming companies & personnel.
- Ground handling companies.
- Hotels/ Guesthouses/ Property Letting Agents – for the purpose of Staff accommodation.
- Other Airlines – for the purpose of Duty and Concessionary Travel.
- Suppliers & couriers.
- Our parent company Connect Airlines.
- National taxation authorities.
- CSR nominated charities.
- Other companies for salary bench-marking purposes.
- Car leasing companies for the administration and maintenance of the company car fleet.
- Companies who provide us with payroll administration systems & services, and IT professionals involved in the maintenance and/or upkeep of such systems.
- Airline industry regulators.
- Media companies.
- Airport Authorities.
- Uniform Suppliers.
- Companies providing workforce analytics platforms for the purpose of carrying out anonymised employee surveys.
2.2 TRANSFER OF PERSONAL DATA OUTSIDE THE EEA.
We operate in multiple jurisdictions, all of which are located in the European Economic Area (EEA). We do not currently transfer Customer Personal Data outside of the EEA. If it becomes necessary to transfer your Data outside the EEA, we will take all steps required by law, to ensure the safety, privacy and integrity of such Data.
On occasion our executive payroll administrators Ernst & Young may transfer Personal Data for processing to non-EU countries which have not been the subject of an EU Data Protection “Adequacy” decision (this means they have not been certified as having the same level of protection of Personal Data as the EU). Any such transfers are however carried out under “Binding Corporate Rules” (BCR) so as to comply with the provisions of GDPR in protecting Personal Data. In addition, Ernst & Young have certified to the EU – U.S. and Swiss – U.S. Privacy Shield Frameworks governing transfers of personal data from the EU and Switzerland to the United States.
2.3 SECURITY OF YOUR PERSONAL DATA.
We maintain appropriate technical and security measures to protect Personal Data against accidental loss, destruction or damage. All entities to whom we disclose your Data are required to have appropriate technical and operational security measures in place.
2.4 HOW LONG DO WE KEEP YOUR PERSONAL DATA?
It may be necessary to retain your Personal Data for an extended period of time. We keep your Personal Data for as long as required for the purpose that you gave it to us for. As a general rule, for legal and best practice reasons, we keep your Personal Data for 7 years after the date on which your contract with us ended and/or until 7 years after any deferred pension entitlements you may have ceased. Applicant Data is held for 2 years.
Full details can be obtained free of charge by contacting our Data Protection Officer.
3 YOUR RIGHTS REGARDING THE PERSONAL DATA THAT WE CONTROL.
3.1 YOUR RIGHTS TO ACCESS, TRANSPORT, CORRECT, AND DELETE YOUR PERSONAL DATA.
3.1.1 Accessing and Transporting your Personal Data:
You have the right to be provided with a copy of your Personal Data, and/or have it provided by us to another Data Controller. If you would like a copy of your Personal Data, please contact our Data Protection Officer or HR Department.
Your request must be in writing and must contain the following: –
- Your name and address.
- Details of your request.
- Details which may help us locate the Data which is the subject of your request.
You must also provide: –
- A photocopy of your passport or driving licence, so that we can verify your identity.
- Your signature and the date of the request.
- If you are applying on behalf of another person, we need verification of their identity and their signed authority.
We may need to request other information from you to help confirm your identity. This may be necessary to ensure that Data is not disclosed to a person who has no right to receive it.
Your request will be dealt with as quickly as possible. You will not have to wait for more than a month for us to respond. If at that stage, we are unable to provide the Data you require (due to complexity/ number of requests) we may extend the period to provide the data by a further two months. If we do this, we will explain the reason why.
Ordinarily you will not have to pay a fee to access your Data or to exercise your rights. We may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
3.1.2 Correcting your Personal Data:
If your Data is found to be incorrect you have the right to have it corrected free of charge by contacting our Data Protection Officer.
3.1.3 Deleting your Personal Data:
Subject to any overriding legal obligation requiring us to retain it, you have the right to have your Data deleted; however, erasing your Data may make it difficult or impossible for us to enter into or continue a contract of carriage with you or provide services to you. If you want your Data deleted, please contact our Data Protection Officer.
3.1.4 Restricting our use of your Personal Data:
You have the right to restrict our use of your Data in certain circumstances. If you wish to ask to exercise your rights in this regard, please contact our Data Protection Officer.
3.2 AUTOMATED DECISION MAKING.
An Automated Decision is a decision that has a legal or similar significant effect on you, that is made by processing your Personal Data solely by automatic means. No humans are involved in the decision-making process. You have a general right not to be subjected to an Automated Decision or Automated Profiling. We don’t use your Data to carry out Automated Decision Making or Profiling.
3.3 YOUR RIGHT TO OBJECT AND WITHDRAW YOUR CONSENT TO DATA PROCESSING.
Where our legal basis for processing your Personal Data is based on our Legitimate Interest, you have the right to object. You have the right to withdraw any Consent you gave to the processing of your Data. If we cannot Process your Data it may make it difficult, impossible or unlawful for us to enter into or continue a contract of carriage with you or provide services to you.
Objecting to processing and/or withdrawing your Consent will not affect the legitimacy of processing that took place prior to you exercising this right.
If you want to object or withdraw your Consent, please contact our Data Protection Officer.
3.4 YOUR RIGHT TO MAKE A COMPLAINT.
3.4.1 Complaining to our Data Protection Officer.
If you are unhappy about the way we handle your Personal Data, please contact our Data Protection Officer. We will do our best to address your concerns swiftly and resolve any issues you may have.
3.4.2 Complaining to the Supervisory Authority.
You have the right to complain to the Supervisory Authority. The Supervisory Authority is the Data Protection Commission. Their contact details are as follows: – The Data Protection Commission, 21, Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland. www.dataprotection.ie. Tel.: +353 (0)761 104 800 (09:15 – 17:30hrs; 17.15 Friday). Fax: +353 57 868 4757. E-Mail: firstname.lastname@example.org