Lumiwings S.A. wishes to inform you, pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and Council concerning the protection of individuals with regard to the processing of personal data (hereafter “European Regulation”), that it needs to process your personal data collected automatically or provided by you through navigation or use of the website and the Lumiwings App.
1. DATA CONTROLLER
The Data Controller is Lumiwings S.A.., in the person of its legal representative, domiciled at the registered office in Andrea Koumpi, 24 Str. -Markopuolo 19003 – Greece.
Email address: email@example.com
You have the right to make a complaint at any time to your country’s supervisory authority for data protection issues. In Greece this is the Hellenic Data Protection Authority, details of which can be found via the following link: www.dpa.gr. We would, however, appreciate the chance to deal with your concerns before you approach the data protection authority, so please contact us in the first instance using the contact details above.
2. CATEGORIES OF INFORMATION THAT WE COLLECT
We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
- Usage Data includes information about how you use our website, products and services.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
- Health Data provided by you to serve you better and meet your particular needs (for example, the provision of disability access).
3 . HOW WE COLLECT YOUR INFORMATION
We collect personal data about you whenever you use our services (whether services provided directly by us or by other companies or agents acting on our behalf), when you travel with us, when you use our websites, or when you use our call centers or mobile applications.
4. PURPOSE OF DATA PROCESSING AND LEGAL BASIS
The personal data held by the Data Controller are exclusively those provided by you when browsing and/or when using our services. Therefore, the personal data will be processed to:
A) Allow you to use our flight ticket purchase service;
B) Allow you to use the air transport service;
C) Meet your travel needs and provide any services requested;
D) Send communications relating to the service status of your flight, if needed;
E) Satisfy all legal requirements related to air passenger transport;
F) Sell directly products or services similar to those already purchased by the interested party, using the email address provided by the same when purchasing a ticket or service, provided that the interested party, having been adequately informed, does not refuse subsequent communications;
G) Provide up-to-date news on Lumiwings's activities and promotions as well as regarding co-marketing promotions used to enrich the travel experience, by sending newsletters, advertising material and/or communications and information of a commercial and direct marketing nature regarding our services and products, relevant offers, discounts and any other promotional and loyalty initiative adopted by us, both through traditional and fully automated contact systems, such as, for example, by means of your address of residence and/or email address, or also through text messages;
H) Enable registration to the Fidelity program;
I) Personalize the content of commercial communication and offer only dedicated products and offers, in line with the tastes and preferences expressed, as well as a better flight experience.
In consideration of the choice to use the services provided by the website and by the App, the legal basis on which the processing of your personal data is based may be that:
The data provided is necessary to make reservations and purchase one or more airline tickets;
- The data provided is necessary to be able to perform the air transport contract;
- The processing of personal data is necessary to comply with legal obligations foreseen in the aeronautical field, applicable on an individual basis, depending on the destination;
- The processing of personal data may be necessary to safeguard the vital interests of one or more natural persons;
- The Data Controller has a legitimate interest in processing personal data to offer the best service and the best flight experience;
- Based on the specific consents that can be freely provided, carry out direct marketing and profiling initiatives.
Personal data may be processed both via IT tools or on paper.
J) Ensure the protection of public health and safety
- Legal basis:
- processing is necessary for reasons of public interest in the public health sector, such as protection from serious cross-border threats to health.
5. CHANGE OF PURPOSE
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
6. PERSONAL DATA STORAGE PERIOD
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us. In some circumstances you can ask us to delete your data: see Request erasure below for further information.
In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
7. CATEGORIES OF DATA SUBJECTS
The data processed will not be disclosed to third parties. However, they may become aware of your data, in relation to the processing purposes previously set out:
- Health and public health control authorities of any country on your itinerary, including stopovers and countries that you fly over;
- Subjects who can access the data pursuant to the provisions of the law provided for by European Union law or by that of the Member State to which the Data Controller is subject, including the Central Directorate of Immigration and the Border Police;
- Our employees are designated as Processing Coordinator, System Administrator, or as a person acting under the authority of the Data Controller or the Data Processor, provided that they have been previously trained in this sense by the Data Controller;
- External parties that perform functions strictly connected or instrumental to the air transport activity such as other air transport companies, external or belonging to Lumiwings, and handling companies, as independent Data Controllers or Data Processors, who shall be considered fundamental for the operation of flights.
- Banks and payment companies, as well as service providers for anti-fraud control connected to the payment process and (where necessary) activation of the anti-fraud control procedure;
- Third parties such as law firms and public authorities to which we turn to ensure that the stipulated contract is respected or applied and to safeguard all our other legitimate interests;
- Third parties such as police and national authorities to protect our rights, property or safety of you, staff and our assets and resources;
- Public authorities and law enforcement agencies, for example customs and immigration authorities, following a validly made request;
- Persons who carry out, in complete autonomy, as separate Data Controllers, or as Data Processors appointed by Lumiwings for this purpose, auxiliary purposes to the activities and services referred to in paragraph 4., as commercial partners, companies that offer services advertising, marketing and communication, companies that offer IT infrastructures and IT assistance and consultancy services as well as design and implementation of software and Internet sites, companies that offer useful services to personalize and optimize our services, including those to provide and manage customer service, companies that offer useful services to analyze and develop data and develop and conduct market research.
Any communication of personal data will take place in full compliance with the legal provisions of the European Regulation and the technical and organizational measures prepared by the Data Controller in order to ensure an adequate level of security.
8. CHILDREN’S PRIVACY
We do not knowingly collect any information from anyone under 15 years of age. Our website, products and services are all directed to people who are at least 15 years old or older. If you are under 15, do not use or provide any information on this website or on or through any of its features / register on the website, make any purchases through the website or provide any information about yourself to us, including your name, address, telephone number or email address. If we learn that we have collected or received personal data from a child under 15 (apart from the data for reservation and ticketing purposes), we will delete that information, unless consent is given or authorised by the holder of parental responsibility over the child. If you believe we might have any information from or about a child under 15 (apart from the data for reservation and ticketing purposes), please contact us.
9. COUNTRIES HAVING ACCESS TO YOUR INFORMATION
Our servers, storing and keeping your information secure, are located in the European Economic Area. However, we have a number of Lumiwings staff members and service providers who are located in other countries. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it, by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
10. DATA SECURITY
We have put in place appropriate security measures (including encryption, anonymization or/and pseudonymization procedures where required) to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
11. DEFINITION AND TYPE OF PERSONAL DATA PROCESSED
To allow you to use the air transport service offered by Lumiwings, the website www.lumiwings.com, the Lumiwings App and the related services, the Data Controller needs to know and process some of your personal data.
The term "personal data" designates information that concerns a natural person who is either identified or identifiable, such as, for example, name, contact information and/or data relative to the booking.
For air ticket purchases, the data processed will be first name, last name, telephone number, email address, information about the journey purchased, including any special care required or preferences regarding meals and payment-related details. Moreover, depending on the destination, additional personal data categories may be collected, such as, for instance, date of birth, sex and passport number.
Instead, the type of data processed to merely browse the Website, and the dedicated informative notice on “cookies” are specified below.
The IT systems and software procedures that carry out Lumiwings operations acquire, during their normal performance, some personal data, whose transmission is implicit when Web communication protocols are used.
This information is not collected to be associated with the identified parties, but by their very nature they might allow user identification through processing and the association with third party data.
This data category includes IP addresses or computer user names used by the users when they visit the Website, (Uniform Resource Identifier (URI) addresses of the requested resources, time of request, method of submission of the request to the server, size of the file received in response, numerical code indicating the status of the answer given by the server (successful, error, etc.) and other parameters concerning the operative system and the user's IT environment.
The Data Controller makes use of these data only to obtain anonymous statistical information about the use of the Website, the use of the App, and to monitor its correct function. The data might also be used to ascertain responsibility in case of theoretical IT crimes against Lumiwings.
Data provided intentionally by the user
The option of sending, both explicitly and intentionally, emails to the addresses provided on this Website and in the App entails the subsequent acquisition of the sender's address, which is required to respond to the requests, and of any other personal data that is entered in the message.
The type of cookies used on this Website is stated below and how you can easily choose if and how your personal data will be processed by this type of technological solutions.
This Website makes use of the so-called “technical cookies”, small rows of text containing a certain quantity of information that is exchanged between the Website and its terminal (or between the browser and its terminal) to ensure correct function and use of the Website.
This Website uses the so-called “analytical cookies”, which are created and placed at the disposal of third parties, precisely Google Analytics and Adobe Analytics. This occurs by internal statistical analyses of access to improve the Website and make it easier to use, and also to monitor its correct function. The Data Controller has, anyhow, adopted the most suitable devices to minimize the identification functions of these cookies.
This Website uses the so-called “profiling cookies”. These cookies are not essential but they help us customize and improve your experience of the Website. For instance, they help us show you the departure airport that is closest to your location, or tell us about your purchase preferences and help us remember them. They also enable us to show you relevant and customized advertisements. Furthermore, they allow us to limit the number of times an advertisement is displayed, gauge the efficacy of the advertising campaign, remember your visit and share the data collected with third parties, such as our advertisers.
Hence, the removal of these cookies does not impair general use of the Website, but it might limit some functions.
Third party cookies
The installation of all cookies can be disabled by adjusting your browser's settings. However, please note that by changing these settings you might not be able to use the Website, if you happen to block cookies that are essential to provide our services. However, every browser has different settings to disable cookies. The links to instructions for the most widely used browsers are given here Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera.
12. CALL CENTER
Calls to Call Center numbers might entail processing of the user's personal data to provide the services requested, such as, for instance, bookings, purchase and sending of the air tickets requested by the passenger, changes or replacements of issued tickets, reimbursements, after sales service, special assistance and purchases of complementary flight-related services.
If the third party call centers process data for which Lumiwings is the Data Controller outside the EU, Lumiwings requires its suppliers to comply with the warrantees laid down by art. 46 of the European Regulation.
When making use of foreign call centers based outside the European Union, in compliance with the legislation in force, Lumiwings will inform its clients about the foreign country where the operator is physically located, offering its clients/users the option of requesting that the service be rendered by an operator located in the user's country.
13. THIRD PARTY LINKS
Our website may include links to third-party websites, microsites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. Therefore, whenever you make use of these links or microsites or when you leave our website, please read the privacy notice of the third party.
14. MOBILE AND LOCATION BASED SERVICES
We provide mobile apps that can be downloaded to your smartphone or mobile device. These apps have a variety of functionalities that enhance the customer experience. In addition to providing services, our apps may collect personal data that will be used in accordance with this notice. We provide a link to this notice to customers prior to their downloading of any of our apps. If you allow our mobile apps to access your location information on your device, our mobile apps may use your mobile device’s Global Positioning System (GPS) technology and other technology (such as wireless transmitters known as beacons) to provide you with information and offers based on the location of your device. We may use this location information to enhance your travel experience by delivering push notifications and other content to your mobile device, providing navigation assistance as you move around our locations, and sending you information and offers about products, services, or activities we believe may be of interest to you, following your explicit consent. We may share this information with third parties, including business partners and service providers, to provide information, offers, and services that may be of interest to you. You may prevent or limit collection of location information by changing the settings in the app, or by changing your device’s settings.
15. YOUR RIGHTS
Regarding the processing of your personal data, pursuant to the European Regulation, the party concerned is entitled to:
- Withdraw consent to data processing, at any time, for all further data processing procedures that are not necessary to execute the service agreement; however, it must be said that withdrawal of consent does not constitute a bias to the lawfulness of data processed based on consent provided prior to withdrawal of the consent itself, as established by art. 7, section 3, of the European Regulation
- Ask the Data Controller access to personal data, as established by art. 15 of the European Regulation
- Obtain, from the Data Controller, the correction and integration of personal data that is deemed inaccurate, even providing a simple integrative statement, as established by art. 16 of the European Regulation;
- Obtain, from the Data Controller, the deletion of personal data if even just one of the reasons established by art. 17 of the European Regulation is present, for all further data processing that might not be necessary to execute the service agreement,
- Obtain from the Data Controller the limitation of personal data processing, if even one of the cases theorized in art. 18 of the European Regulation is present, for all further data processing that might not be necessary to execute the service agreement
- Receive, from the Data Controller, the personal data that concern you, in a structured format widely used and legible by an automatic device; you are entitled to transmit these data to another Data Controller, as established by art. 20 of the European Regulation
- Object at any moment, for reasons associated with your particular situation, to the processing of personal data carried out in compliance with art. 6, section 1, letters e) or f), including profiling based on these provisions, as established by art. 21 of the European Regulation
- Not to be subjected to decisions solely based on automated data processing, including profiling, that will have legal repercussions for you, if you have not consented explicitly in advance, as established by art. 22 of the European Regulation; by way of a non-exhaustive example, this category includes any form of automated personal data processing intended to either analyze or foresee aspects that concern consumption and purchase choices, the economic situation, interests, reliability and behavior;
- Submit a complaint to the control authorities if you deem that the processing of your data violates the European Regulation; the complaint can be submitted in the Member State where you habitually reside or work or in the place where a presumed violation occurred, as established by art. 77 of the European Regulation.
If you wish to exercise any of the rights set out above, please contact us.