Annex 1
Privacy and personal data protection notice
1. Introduction and the Controller
The present privacy and personal data protection notice (“Privacy Notice”) forms an integral part of
the Terms and Conditions of the Wizz Air “Share your travel photos with WIZZ” Instagram Competition
(“Competition”). In relation to the Competition, the controller of the personal data to be processed
is the Organiser. The Organiser may be contacted regarding any personal data protection issue via the
person responsible for data protection matters at the following contacts:
Data Protection Officer:
Address: 1103 Budapest, Laurus Offices,
Kőér utca 2/A., B épület, Hungary
E-mail address: wizzair_dpo@wizzair.com
The purpose of this Privacy Notice is to set out the relevant legislation and to
describe the steps the Organiser is taking to ensure that it complies with it.
2. The General Data Protection Regulation
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to the processing
of personal data and on the free movement of such data, and repealing Directive
95/46/EC (“GDPR”) is one of the most significant pieces of legislation affecting
the way the Organiser carries out its information processing activities. It is
designed to protect the personal data of citizens of the European Union. It is
the Organiser’s policy to ensure that compliance with the GDPR and other relevant
legislation is clear and demonstrable at all times.
2.1. Definitions
There are a total of 26 definitions listed within the GDPR and it is not appropriate
to reproduce them all here. However, the most fundamental definitions with
respect to this Privacy Notice are as follows:
‘personal data’ means:
any information relating to an identified or identifiable natural person
(‘data subject’); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a
name, an identification number, location data, an online identifier or to one
or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person;
‘processing’ means:
any operation or set of operations which is performed on personal data
or on sets of personal data, whether or not by automated means, such as
collection, recording, organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction;
‘controller’ means:
the natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and means of the
processing of personal data; where the purposes and means of such processing
are determined by Union or Member State law, the controller or the specific
criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means:
a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller.
2.2. Principles relating to processing of personal data
There are a number of fundamental principles upon which the GDPR is based.
These are as follows:
- Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation
to the data subject on the basis of an appropriate legal basis (‘lawfulness,
fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not
further processed in a manner that is incompatible with those purposes; further
processing for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes shall, in accordance with
Article 89(1), not be considered to be incompatible with the initial purposes
(‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to
the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable
step must be taken to ensure that personal data that are inaccurate, having
regard to the purposes for which they are processed, are erased or rectified
without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no
longer than is necessary for the purposes for which the personal data are
processed; personal data may be stored for longer periods insofar as the
personal data will be processed solely for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes in
accordance with Article 89(1) subject to implementation of the appropriate
technical and organisational measures required by this Regulation in order to
safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the
personal data, including protection against unauthorised or unlawful processing
and against accidental loss, destruction or damage, using appropriate technical
or organisational measures (‘integrity
and confidentiality’).
Special categories of data such as personal data revealing racial or ethnic origin,
religious beliefs, trade union memberships, genetic and biometric data, health
data shall not be processed by the Organiser unless one of the special
exemptions set out in Article 9 of the GDPR applies.
3. The personal data processed by the Organiser, the purpose of processing, the legal
basis of processing and period of processing
The Organiser is organizing a free
photo-competition with no purchase required, titled “Share your travel photos with
WIZZ” (“Competition”) which is to run from 1st of April 2019, 00:01 (GMT+1) to 31st
of August 2019, 23:59 (GMT+1). Related to the Competition the Organiser will
process the following personal data of the Entrants for the purposes of
participating in the Competition as described in the Terms and Conditions of
the Competition, including verification of eligibility in accordance and
pursuant to the Terms and Conditions of the Competition and for marketing
purposes; for using and publishing their first name, Instagram name and photo
on the Wizz Air Instagram Profile, for making their name, Instagram name and
photo attached to the Entry public and for using their names, Instagram name,
and photo for publicity (including, but not limited to promotional usage on
Wizz Air’s website wizzair.com, on the Wizz Air Facebook page, on the Wizz Air
Instagram Profile, and in banners displayed on other websites by engagement
with Wizz Air).
3.1. Participation in the Competition (Entrants)
(a) Name | Necessary to identify the Entrant |
(b) e-mail address | Necessary to contact the Entrant |
(c) Address | Necessary to contact the Entrant |
(d) mobile or landline number | Necessary to contact the Entrant |
(e) Instagram name | Necessary to enter the Competition under Section 3.2. of Terms and Conditions |
(f) photo | Necessary to enter the Competition under Section 3.2. of Terms and Conditions |
The legal basis of the personal data processing is the consent of the Entrants
(data subjects) under Article 6(1)(a) of the GDPR.
The Entrants have the right to withdraw consent at any time where the Organiser is
relying on consent to process the personal data. However, this will not affect
the lawfulness of any processing carried out before the withdrawal of the
consent of the Entrants. If the Entrant withdraws his/her consent, the
Organiser may not be able to provide certain services to the Entrant. The
Organiser will advise the Entrant if this is the case at the time the Entrant
withdraws his/her consent.
The Organiser processes the personal data provided until the withdrawal of the
consent of the Entrants or, in case of no withdrawal, for 6 years following the finish
date of the Competition due to the general deadline of initiating civil law
claims. The Organiser permanently deletes all personal data when the retention
period expires.
4. Recipient or categories of recipients of the personal data; international transfer
The Organiser may have to share the personal data of the Entrants with the parties
set out below for the purposes set out in Section 3 of this Privacy Notice:
(a) the Jury as defined in Section 4 of the Terms and Conditions;
(b) the Administrator as data processor defined in Section 1.2. of the Terms and Conditions;
(c) supervisory authorities and other regulatory authorities or bodies.
The Organiser requires all third parties to respect the security of the personal
data and to treat it in accordance with the law. The Organiser does not allow
the third-party service providers to use the personal data for their own purposes
and only permits them to process the personal data for specified purposes and in
accordance with the instructions of the Organiser.
Unless expressly stated otherwise herein, the Organiser does not transfer the personal
data outside the European Economic Area (EEA) to a third country or
international organisation.
5. Rights of Entrants, the Selected Entrants and the Accompanying Persons
The Entrant (data subject) also has rights under the GDPR. These consist
of:
- The right to be informed:
The data subject has the right to obtain from the Organiser confirmation as to
whether or not personal data concerning him/her are being processed, and, where
that is the case, access to the personal data and the information listed in
Article 15 of the GDPR.
- The right of access:
Request access to the personal data (commonly known as a “data subject access
request”). This enables the data subject to receive a copy of the personal data
the Organiser holds about him/her and to check that the Organiser is lawfully
processing it.
- The right to rectification:
Request correction of the personal data that the Organiser holds about the data subject.
This enables the data subject to have any incomplete or inaccurate data held
about him/her corrected, though the Organiser may need to verify the accuracy
of the new data the data subject provides.
- The right to erasure:
This enables the data subject to ask the Organiser to delete or remove personal data
where there is no good reason for continuing to process it. The data subject
also has the right to ask to delete or remove the personal data where the data
subject has successfully exercised his/her right to object to processing (see
below), where the Organiser may have processed his/her information unlawfully
or where the Organiser is required to erase his/her personal data to comply
with local law. Note, however, that the Organiser may not always be able to
comply with such request of erasure for specific legal reasons which will be
notified to the data subject, if applicable, at the time of the request.
- The right to restrict processing:
This enables the data subject to ask the Organiser to suspend the processing of
his/her personal data in the following scenarios: (a) if the data subject wants
the Organiser to establish the data’s accuracy; (b) where the use of the data
is unlawful but the data subject does not want the Organiser to erase it; (c)
where the data subject needs the Organiser to hold the data even if the
Organiser no longer requires it as the data subject needs it to establish,
exercise or defend legal claims; or (d) the data subject has objected to the
use of his/her data but the Organiser needs to verify whether it has overriding
legitimate grounds to use it.
- The right to data portability:
Request the transfer of the personal data to the data subject or to a third party. The
Organiser will provide to the data subject, or a third party he/she has chosen,
the personal data in a structured, commonly used, machine-readable format. Note
that this right only applies to automated information which the data subject
initially provided consent for the Organiser to use or where the Organiser used
the information to perform a contract with the data subject.
- The right to object:
Object to processing of the personal data where the Organiser is relying on a
legitimate interest (or those of a third party) and there is something about
the particular situation of the data subject which makes him/her want to object
to processing on this ground as he/she feels it impacts on his/her fundamental
rights and freedoms. The data subject also has the right to object where the
Organiser is processing the personal data for direct marketing purposes. In
some cases, the Organiser may demonstrate that it has compelling legitimate
grounds to process the information which override the rights and freedoms of
the data subject.
- The right to complain:
Every data subject has the right to lodge a complaint with a supervisory authority,
in particular in the EU Member State of his or her habitual residence, place of
work or place of the alleged infringement if the data subject considers that
the processing of personal data relating to him or her infringes the GDPR.
Before the data subject takes any action, the Organiser recommends contacting
the person responsible for data protection matters within the organisation of
the Organiser at any of the contact details described in Section 1 of this Privacy
Notice.
Each of these rights must be supported by appropriate procedures within the Organiser
that allow the required action to be taken within the timescales stated
in the GDPR. These timescales are shown below:
Data Subject Request | Timescale |
The right to be informed | When data is collected (if supplied by data subject) or within one month (if not supplied by data subject) according to the Organiser’s external privacy policy or otherwise |
The right of access | One month |
The right to rectification | One month |
The right to erasure | Without undue delay |
The right to restrict processing | Without undue delay |
The right to data portability | One month |
The right to object | On receipt of objection |
6. Addressing Compliance with the GDPR
The following actions are undertaken to ensure that the Organiser complies
at all times with the accountability principle of the GDPR:
- The legal basis for processing personal data is clear and unambiguous in all cases
- A Data Protection Officer is appointed with specific responsibility for data
protection in the organization
- All staff involved in handling personal data understand their responsibilities
for following good data protection practice
- Training in data protection has been provided to all staff
- Rules regarding consent are followed
- Routes are available to data subjects wishing to exercise their rights regarding
personal data and such enquiries are handled effectively
- Regular reviews of procedures involving personal data are carried out
- Privacy by design is adopted for all new or changed systems and processes
- The following documentation of processing activities is recorded:
o Organization name and relevant details
o Purposes of the personal data processing
o Categories of individuals and personal data processed
o Categories of personal data recipients
o Agreements and mechanisms for transfers of personal data to non-EU
countries including details of controls in place
o Personal data retention schedules
o Relevant technical and organisational controls in place
These actions will be reviewed on
a regular basis (either as part of the management review process of the
information security management system or otherwise).