- Context of the General Data Protection Regulation (‘GDPR’)
The General Data Protection Regulation, 679/2016, replaces the 1995 EU Data Protection Directive and replaces the legislation of each Member State that has been drawn up in accordance with Data Protection Directive 95/46/EC. Its purpose is to protect the ‘rights and freedoms’ of natural persons (i.e. living persons) and to ensure that personal data are not processed without their knowledge and, wherever possible, that they are processed with their consent.
- Definitions used by the organization (extracted from GDPR)
- The material field (Article 2) – GDPR shall apply to the processing of personal data, carried out in whole or in part by automated means, as well as to the processing by means other than automated means of personal data which are part of a data recording system or which are intended to be part of a data recording system.
- Territorial scope (Article 3) – GDPR shall apply to the processing of personal data in the context of the activities of the premises of an operator or processor within the territory of the Union, whether or not the processing takes place within the territory of the Union. This Regulation shall apply to the processing of the personal data of data subjects who are in the Union by an operator or processor who is not established in the Union, where the processing activities are related to:
- the provision of goods or services to such data subjects in the Union, whether or not a payment is requested by the data subject; or
- monitoring their behaviour if it occurs within the Union.
This Regulation shall apply to the processing of personal data by an operator who is not established in the Union but in a place where national law applies under public international law.
- Definitions of Article 4
‘Head office’ – the operator’s head office in the EU will be the place where the operator takes the main decisions on the purpose and means of its data processing activities. The head office of an authorised person in the EU will be its administrative centre.
“Personal data” means any information concerning an identified or identifiable natural person (the “data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identification element, such as a name, an identification number, location data, an online identifier, or to one or more specific elements, specific to his physical, physiological, genetic, mental, economic, cultural or social identity.
“Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and processing of genetic data, biometric data for the purpose of unique identification of a natural person, health data or data on the sexual life or sexual orientation of a natural person.
“Operator” means the natural or legal person, public authority, agency or other body which, alone or together with others, determines the purposes and means of processing personal data; where the purposes and means of processing are determined by Union or national law, the operator or the specific criteria for its designation may be laid down in Union or national law;
“Data subject” means any living person who is the subject of personal data held by an organisation.
“Processing” means any operation or set of operations carried out on personal data or on sets of personal data, with or without the use of automated means, such as collection, registration, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.
‘Profile creation’ means any form of automatic processing of personal data consisting in the use of personal data to assess certain personal aspects relating to a natural person, in particular to analyse or foresee aspects of performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, or the location or movements of the natural person.
“Infringement of the security of personal data” means a breach of security which leads, by accident or illegally, to the destruction, loss, modification, or unauthorised disclosure of personal data transmitted, stored or otherwise processed, or to unauthorised access to it.
‘Consent’ of the data subject means any expression of the data subject’s free, specific, informed and unambiguous will by which the data subject accepts, by a statement or by an unequivocal action, that the personal data concerning him or her be processed.
“Third party” means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
“Data recording system” means any structured set of personal data accessible according to specific criteria, whether centralised, decentralised or distributed according to functional or geographical criteria.
- CONFIDENTIALITY DECLARATION
The management of HTTPS://AMADEUSUK.COM/, based in Kemp House 160 City Road, London / United Kingdom, undertakes to comply with all relevant EU and Member State laws with regard to personal data and the protection of the “rights and freedoms” of persons whose information it collects and processes, in accordance with the General Data Protection Regulation (GDPR).
Compliance with the GDPR is described by this policy and other relevant policies, such as the Information Security Policy, together with related processes and procedures.
The GDPR will be applied by all persons within the HTTPS://AMADEUSUK.COM/ who process personal data, including all persons within the HTTPS://AMADEUSUK.COM/ who process the personal data of customers, employees, suppliers and partners, as well as any other personal data that the organization processes from any source.
The Data Protection Officer shall be responsible for the annual review of the processing register in light of any changes to HTTPS://AMADEUSUK.COM/ activities (as a result of changes in the data inventory register) and any additional requirements identified by data protection impact assessments. This register must be available at the request of the supervisory authority.
This policy applies to all employees/staff and stakeholders within the HTTPS://AMADEUSUK.COM/, such as outsourced suppliers. Any breach of the GDPR will be dealt with in accordance with the disciplinary policy of the HTTPS://AMADEUSUK.COM/ and may also be a contravention, in which case the matter will be reported as soon as possible to the competent authorities.
Partners and any third parties working with or for HTTPS://AMADEUSUK.COM/ who have or may have access to personal data are expected to have read, understood and comply with this policy. No third party may access personal data held by the HTTPS://AMADEUSUK.COM/ without having previously entered into a data confidentiality agreement, which imposes no less onerous obligations on the third party than those which the HTTPS://AMADEUSUK.COM/ complies with and which confers on HTTPS://AMADEUSUK.COM/ the right to verify compliance with the agreement.
- SCOPE OF PROCESSING
The personal data we collect from you will be used for the following purposes:
- for the conduct of the contractual relationship between you and HTTPS://AMADEUSUK.COM/, respectively for the taking, validation, dispatch and invoicing of the order placed on the Site, informing you of the status of the order, the organization of the return of ordered products, etc.
- The basis: The processing of your data for this purpose is based on the contract concluded between you and HTTPS://AMADEUSUK.COM/, defined in the Terms and Conditions. The provision of your personal data is necessary for the performance of this contract. Refusal to provide data may result in the impossibility of contractual relations between you and HTTPS://AMADEUSUK.COM/.
- for the fulfilment of legal obligations that are incumbent on HTTPS://AMADEUSUK.COM/ in the context of the services provided through the Site, including tax obligations, as well as in archiving matters.
- The basis: The processing of your data for this purpose is necessary on the basis of legal obligations. Providing your data for this purpose is necessary. Refusal to provide data may result in HTTPS://AMADEUSUK.COM/ being unable to comply with its legal obligations and therefore unable to offer you its services through the Site.
- for marketing activities, i.e. for the transmission, via remote means of communication (e-mail, sms, telephone, videochat, chat) of commercial communications regarding the products and services offered by HTTPS://AMADEUSUK.COM/ through the Site.
- The basis: The processing of your data for this purpose is based on your consent, if you choose to provide it.
- Providing your data for this purpose is voluntary. Refusal to provide consent for the processing of your data for this purpose will not have any negative consequences for you. If you wish your data not to be used for marketing purposes, please email us at: firstname.lastname@example.org
- for the purpose of carrying out various analyses, reporting on the functioning of the Site, making consumer preference profiles, mainly in order to improve the experience offered on the Site.
- The basis: The processing of your data for this purpose is based on the legitimate interest of HTTPS://AMADEUSUK.COM/ to continuously improve the customer experience on the Site. Providing your data for this purpose is voluntary. The refusal to provide data for this purpose will have no negative consequences for you.
By your consent you give us permission to use them for the purposes mentioned above.
You may withdraw your consent at any time, either in writing, by requesting the consent form, or online, by sending a request to do so to email@example.com.
- WHAT IS PERSONAL DATA?
For the purposes of the General Data Protection Regulation (EU GDPR), Personal Data is defined as “any information concerning an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identification element, such as a name, an identification number, location data, an online identifier, or to one or more specific elements, specific to his physical, physiological, genetic, mental, economic, cultural or social identity.”
Consent is required for HTTPS://AMADEUSUK.COM/ to process personal data, and it must be given explicitly.
- Why does HTTPS://AMADEUSUK.COM/ need to collect and store the information provided, and for how long do we keep it?
HTTPS://AMADEUSUK.COM/ is obliged to process and store personal data in order to provide you with legal and high quality services. During the provision of services, with your consent, we will transfer your data to third parties for the purpose of fulfilling legal obligations (ANAF, ANC, LAOFM).
- WHO HAS ACCESS TO THE DATA PROVIDED?
Only the employees of HTTPS://AMADEUSUK.COM/ have access to the data. We do not give anyone access to personal data without your consent.
- WHERE ARE YOUR DATA PROVIDED?
- SECURITY OF YOUR DATA
All employees are responsible for ensuring that all personal data that HTTPS://AMADEUSUK.COM/ holds and is responsible for is kept safe and is not disclosed in any way to a third party unless that third party has been specifically authorized by HTTPS://AMADEUSUK.COM/ to receive this information and has entered into a confidentiality agreement.
All personal data is accessible only to those who need to use it. All personal data is processed securely and is kept:
- password-protected in accordance with the organization’s requirements in the Access Control Policy and/or
- stored on (removable) media that are encrypted
All employees have entered into a user agreement before being allowed access to organizational information of any kind. As soon as physical records are no longer required for everyday customers, they must be destroyed safely in accordance with a certain procedure.
Personal data may be deleted in accordance with the registration procedure and in accordance with the legislation in force. Physical records that have matured are shredded and discarded as confidential “waste”.
- RIGHTS OF PERSONS
Data subjects shall have the following rights with regard to the processing of data and the records of such data:
- Request access to the information held and those to whom it has been disclosed.
- To oppose processing that could cause damage.
- To oppose processing for the purpose of direct marketing.
- Be informed about automated individual decision-making, including profiling.
- The data subject shall have the right not to be the subject of a decision based solely on automatic processing, including profiling, which produces legal effects concerning the data subject or similarly affects him to a significant extent.
- Claim compensation if they suffer damages through any violation of the GDPR.
- Take action to rectify, block, delete (including the right to be forgotten) or destroy inaccurate data.
- Ask the supervisory authority to assess whether a provision of the GDPR has been breached.
- The data subject shall have the right to receive personal data concerning him or her which he or she has provided to the controller in a structured, commonly used and automatically readable format and shall have the right to transmit such data to another controller, without any obstacles from the controller to whom the personal data have been provided.
- The data subject has the right to object to the creation of profiles without the existence of a
- HTTPS://AMADEUSUK.COM/ understands ‘consent’ to mean any expression of the free, specific, informed and unambiguous will of the data subject by which he or she accepts, by a declaration or by an unequivocal action, that the personal data concerning him or her be processed. The data subject may withdraw his or her consent at any time.
- HTTPS://AMADEUSUK.COM/ understands by ‘consent’ that the data subject has been fully informed of the processing of personal data and has given consent while in an appropriate state of mind to do so and without pressure being put on him or her. Consent obtained under pressure or on the basis of misleading information will not constitute a valid basis for processing.
- There must be active communication between the parties to demonstrate active consent. Consent cannot be inferred from a lack of response to a communication. The operator must be able to demonstrate consent for the processing operation.
- For sensitive data, an explicit written agreement of the data subjects must be obtained, unless there is a legal alternative processing basis.
- In most cases, consent to the processing of personal and sensitive data is typically obtained by HTTPS://AMADEUSUK.COM/ using standard consent declarations.
- If the HTTPS://AMADEUSUK.COM/ provides online services to children, the consent of the parent or legal representative of the child must be obtained. This requirement applies to children under 16 years of age.
- HTTPS://AMADEUSUK.COM/ must ensure that personal data is not disclosed to unauthorized third parties, which include family members, friends, government bodies and, in certain circumstances, the Police. All employees should be careful when asked to disclose personal data held about another person to a third party [and will be required to participate in specific training to enable them to effectively manage such risks]. It is important to take into account whether or not disclosure of information is relevant to the conduct of the activity of HTTPS://AMADEUSUK.COM/.
- All requests for data provision for one of these reasons must be supported by appropriate documentation, and all such disclosures must be specifically authorised by the Data Protection Officer.
- HTTPS://AMADEUSUK.COM/ will not keep the personal data in a form that allows the identification of data subjects for a longer period than necessary in relation to the purpose(s) for which the data were originally collected.
- HTTPS://AMADEUSUK.COM/ may store data for longer periods where personal data will be processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the implementation of appropriate technical and organisational measures to protect the rights and freedoms of the data subject.
- The retention period for each category of personal data will be set out in the Record Retention Procedure together with the criteria used to determine that period, including the legal obligations of the HTTPS://AMADEUSUK.COM/ under which the data must be retained.
- Data retention procedures and data deletion procedures for HTTPS://AMADEUSUK.COM/ will apply in all cases.
- Personal data must be safely disposed of in accordance with the sixth principle of the GDPR – processed in an appropriate manner to maintain security, thereby protecting the ‘rights and freedoms’ of data subjects. Any deletion of the data shall be done in accordance with the deletion procedure.
- All data transfers from the European Economic Area (EEA) to non-European Economic Area countries (referred to in the GDPR as ‘third countries’) are illegal, unless there is an ‘adequate level of protection of the fundamental rights of data subjects’.
The transfer of personal data outside the EEA shall be prohibited unless one or more specified safeguards or exceptions apply:
- An adequacy decision
The transfer of personal data to a third country or an international organisation may be effected where the Commission has decided that the third country, a territory or one or more specified sectors of that third country or the international organisation concerned provides an adequate level of protection. Transfers made under these conditions do not require special authorisations. Countries that are members of the European Economic Area (EEA) but not of the EU are accepted as meeting the conditions of an adequacy decision.
A list of countries currently meeting the Commission’s adequacy requirements is published in the Official Journal of the European Union. http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
- Privacy Shield
- Assessment of adequacy by the data controller
In assessing adequacy, the UK-based controller transferring the data should take into account the following factors:
- the nature of the information transferred;
- the country or territory of origin and the final destination of the information;
- how the information will be used and for how long;
- the laws and practices of the transferee’s country, including relevant personal data protection practices and international obligations; and
- security measures to be taken with regard to the data in the external location (valid only for UK)
- Binding corporate rules
HTTPS://AMADEUSUK.COM/ may adopt binding corporate rules approved for the transfer of data outside the EU. This requires submitting the rules on which HTTPS://AMADEUSUK.COM/ seeks to rely to the competent supervisory authority for approval.
- Standard contract clauses
HTTPS://AMADEUSUK.COM/ may adopt standard contractual clauses approved for the transfer of data outside the EEA. If HTTPS://AMADEUSUK.COM/ adopts the standard contract clauses approved by the competent supervisory authority, then there is automatic recognition of adequacy.
In the absence of a decision of adequacy, membership of Privacy Shield, binding corporate rules and/or standard contract clauses, the transfer of personal data to a third country or an international organization shall take place only under the following conditions:
- the data subject has explicitly given his consent to the proposed transfer, after being informed of the possible risks of such transfers to the data subject, due to the lack of an adequacy decision and adequate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of the pre-contractual measures taken at the request of the data subject;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims; and/or
- the transfer is necessary to protect the vital interests of the data subject or other persons, if the data subject is not physically or legally capable of consent.
HTTPS://AMADEUSUK.COM/ assures data subjects that they can exercise these rights:
- Data subjects can make free requests for access to personal data; HTTPS://AMADEUSUK.COM/ will provide them with this information within 30 days from the date of registration of the request, to the email address firstname.lastname@example.org.
- Data subjects have the right to lodge a complaint with HTTPS://AMADEUSUK.COM/ in connection with the processing of their personal data; requests from data subjects and the way in which complaints have been resolved will be handled in accordance with the complaints procedure.