For a better understanding of this Privacy Notice we have prepared a definitions section that
includes the following concepts: Automated Decisions, Data Controller, Data Processor, Data
Rights, Lawful Bases, Personal Data, Platforms, Sensitive Personal Data and Third Countries.
Automated Decisions: a decision based solely on automated processing,
including profiling, which produces legal effects concerning the individual or similarly
significantly affects them (as defined under Article 22.1 EU General Data Protection
Regulation - GDPR).
Note: As you will find explained below (in section 2), we don’t
make Automated Decisions.
Data Controller: anyone responsible for
determining the purposes and means of processing your data.
Note: We are the Data
Controllers of your data in the terms described in this Privacy Notice. If you choose to
book a trip through our Platforms, we will be sending your data to other Data Controllers –
the carrier or the provider of other services (e.g. booking partners or the global
distribution systems), who will again use your data for their own purposes and based on
their own means, as described in their own Privacy Notices (which is published on their
websites). You can see below the overview of Data Controllers categories with whom we might
share the data. In any case, the disclosure of your data to any service provider will be
done in accordance with the applicable laws. Each Data Controller is responsible for your
data and, in case of an incident within its scope, must handle it and respond appropriately,
as per the applicable law.
Data Processor: a third party that
only helps to achieve the purposes determined by the Data Controller.
Note: We as a
Data Controller use many third-party services to which we outsource some parts of our
activities that we don’t do ourselves for various reasons such as cost-efficiency. A Data
Processor is only allowed to process your data according to our documented instructions, and
in compliance with the applicable law, so we are still in charge of your data, and they will
not be able to process your data for any incompatible purpose.
Data Rights: everyone has the right to the protection of their personal data. When
we use the term “Data Rights”, we refer in short to the applicable data protection
rights.
Note: Data protection regulations allow you to exercise your rights to be
informed, of access, to rectification, to erasure, to restrict processing, to object, to
withdraw your consent, to data portability, and rights related to automated decision making
and profiling, when applicable.
Lawful Bases: processing of your data shall be
lawful only if at least one of these bases applies (Article 6 GDPR).
Note: Of the six
lawful bases covered in the law, we will essentially rely on Consent, Contract, Legal
Obligation or Legitimate Interest. However, exceptionally, we might rely on Vital Interests
or Public Tasks. You can find more information below (in section 2).
Personal Data (in this Privacy Notice also referred to essentially as “your
data”): any information relating to you, as a directly or indirectly identified or
identifiable natural person.
Platforms: all the
services (websites, apps, call centre, etc.) that facilitate interactions between you and
us.
Sensitive Personal Data: data related to racial origin,
ethnic group, religion, health, sexual orientation and biometric data constitute special
categories of data (as defined under Article 9 GDPR).
Note: As you will find explained
below (in section 3.7), we don’t normally need to process Sensitive Personal Data.
Third Countries: countries in which the GDPR regime is not applicable.
Currently, by Third Countries, we mean all countries that lie outside of the European
Economic Area (i.e. outside the European Union, Iceland, Liechtenstein and Norway).