2. Personal data of Passengers and Service Recipients within the meaning of the provisions of the Personal Data Protection Act of 29 August 1997 (unified text: Journal of Laws 2014, item 1182, as amended; hereinafter called the Act) are administered by Polskie Linie Lotnicze S.A. based in Warsaw (02-146), ul. 17 Stycznia 43 (hereinafter called the "Data Administrator").
3. The Passenger and the Service Recipient are entitled to access, correct and supplement their personal data and to control their processing to the extent specified in Article 32 par. 1 of the Act. For this purpose, you can contact the Call Center at any time: 0 801 703 703 or ticket sales offices by phone. Provision of personal data is voluntary, although it is necessary for the Data Administrator to fulfil the purposes indicated in par. 4 below.
4. Personal data of Service Recipients and Passengers are processed by the Data Administrator only to the extent necessary for the following purposes:
a) provision of services available via www.lot.com, including booking and issuing of a flight e-ticket;
b) handling of the complaint procedure and the claim pursuance procedure if necessary;
c) marketing of the Administrator's products/services;
d) dispatch of the newsletter;
e) performance of the carriage agreement and other services relating to air carriage to be performed in favour of the Passenger;
f) compliance with requirements relating to the crossing of the border by the Passenger, including compliance with immigration, customs and other requirements relating to the crossing of the border in destination countries;
g) prevention and counteracting of terrorism and other international crime, including the comparison of Passengers' data with lists of passengers endangering air safety;
h) ensuring safe travel for Passengers, also for the safety of the USA in the case of travel between the European Union and the United States.
5. Personal data of Service Recipients and Passengers shall be stored for a period not longer than necessary for the purpose for which they were collected, with the reservation that personal data concerning travels and bookings of Passengers travelling between the EU and the USA, specified as "passenger flight data" or "Passenger Name Record data", hereinafter called "PNR Data", shall be stored for the period indicated in item 12 f) of this policy.
6. The Data Administrator may transfer personal data of Service Recipients and Passengers to other persons, authorities, institutions and carriers that are authorised to receive such information in connection with applicable legal provisions and international agreements, or when such transfer of data is necessary for the fulfilment of legally justified goals being pursued by the Data Administrator or data recipients, including compliance with immigration, customs and other requirements relating to the crossing of the border in destination countries.
7. Personal data of Service Recipients and the Passenger are stored in the database using technical and organisational measures that ensure the protection of processed data in accordance with requirements stated in legal provisions relating to personal data protection, including the Ordinance of the Minister of the Interior and Administration of 29 April 2004 regarding the documentation of personal data processing and technical and organisational requirements that should be met by IT equipment and systems used for personal data processing (Journal of Laws, No. 100, item 1024).
8. The Data Administrator assures that it makes every effort to process personal data with the highest regard for the privacy of persons whose data are processed and with the highest care for the safety of processed personal data. In particular, the Data Administrator assures that it has undertaken all legally available measures aimed at the protection of data collections to be processed by it, including in particular:
a) use of technical and organisational measures ensuring the protection of processed personal data relevant to threats and categories of protected data;
b) protection of data against their disclosure to unauthorised persons, appropriation by an unauthorised person, unlawful processing and amendment, loss, damage or destruction;
c) keeping of documentation describing the manner of data processing and the measures referred to above;
d) ensuring that data may be processed only by persons authorised by the Data Administrator;
e) ensuring the control of what data are entered into the collection, when and by whom and to whom they are transferred;
f) keeping of a record of persons authorised to process personal data.
9. The Data Administrator uses, in particular, the following measures that prevent unauthorised persons from obtaining access to information and personal data being processed via www.lot.com:
a) Cryptographic measures (VPN tunnel and encrypted SSH connection);
b) Amazon firewall systems;
c) Authentication by means of RSA and DSA keys.
10. Special threats related to the use of a service provided by electronic means: obtaining of unauthorised access to information concerning the Service Recipient or the Passenger.
11. On the basis of the written agreement concluded in accordance with Article 31 of the Personal Data Processing Act, the Data Administrator entrusts the processing of personal data of Service Recipients and Passengers to entities providing hosting and newsletter services to the Data Administrator for the purpose of activities related to the hosting, administration, maintenance and management of www.lot.com.
12. Special rules of processing of data of Passengers travelling between the EU and the USA:
a) the Data Administrator shall transfer PNR Data to the U.S. Department of Homeland Security (hereinafter called "DHS") in accordance with the U.S. laws and the international agreement between the EU and the USA. These data are transferred for the purposes set out in par. 4 c) – e).
b) the Data Administrator shall transfer Advance Passenger Information (API, with particular regard to information from the Passenger's passport collected during the check-in) to border control authorities. These data are transferred for the purposes set out in par. 4 c) – e).
c) In order to obtain comprehensive explanations concerning the method of handling of PNR Data relating to flights between the EU and the USA by DHS, please refer to DHS' commitments ("PNR Commitments") published in the US Federal Register, Vol. 64, No. 131, page 41543.
d) PNR Data received in connection with flights between the EU and the USA may be made available to other national and foreign governmental authorities responsible for the counteracting of terrorism or the enforcement of law for the purposes set out in par. 4 c) - e).
e) Certain PNR Data regarded as sensitive data within the meaning of Article 27 par. 1 of the Act may be entered into PNR if they are transferred to DHS from Community booking or departure control systems of air carriers. Such sensitive PNR Data include some information concerning the Passenger's racial or ethnic origin, political views, religious beliefs, health or sexual orientation. DHS has made a commitment not to use any sensitive PNR Data that it receives from booking or departure control systems of air carriers in the EU. DHS has launched an automatic filtering program preventing the use of sensitive PNR Data.
f) PNR Data from flights between the EU and the USA shall be stored by DHS for 3 years and 6 months, unless DHS provides manual access to these specific PNR Data during that period. In such cases, PNR Data shall be stored in DHS for an additional period of 8 years. Apart from that, information relating to specific records of use shall be stored in DHS until such record is archived.
g) The responsibility for ensuring that all DHS agencies handle personal information in accordance with the relevant law rests with the Department of Homeland Security Chief Privacy Officer. This officer is independent of all DHS directorates, and his decisions are binding for the entire department. In order to ensure strict compliance with legal provisions by DHS and the use of relevant security measures, he will exercise general supervision of the program.
h) Each passenger may request DHS to provide additional information about the sort of PNR Data made available to DHS and to issue a copy of data included in the DHS database. To the extent allowed by the Freedom of Information Act and other legal and regulatory provisions and political assumptions, irrespective of the Passenger's nationality or country of residence, DHS shall consider a request concerning documents, including also PNR documents possessed by DHS. DHS may refuse or postpone the disclosure of all PNR Data or their part under certain circumstances (e.g., if there are reasons for which this can be expected to interrupt legal proceedings under way or result in the disclosure of techniques and procedures used during investigations conducted by law enforcement authorities). If DHS refuses to provide access to PNR Data pursuant to exceptions specified in the Freedom of Information Act, it is possible to file an appeal against this decision through an administrative channel to the DHS Chief Privacy Officer, who is responsible on behalf of DHS both for the protection of privacy and the rules of data disclosure. Appeals may be made to a court against the final decision pursuant to the U.S. legal provisions.
i) Passengers may contact the offices indicated below to request correction of their PNR Data contained in DHS databases. DHS shall consider those requests for correction that it shall consider to be justified and well-grounded.
j) Any inquiries concerning PNR Data made available to DHS or applications for disclosure of data possessed by DHS and referring to the applicant must be sent by post to: Freedom of Information Act (FOIA) Request, U.S. Customs and Border Protection, 1300 Pennsylvania Avenue, N.W., Washington, D.C. 20229. For further details concerning the submission of such applications, see Section 19 of the Code of Federal Regulations, section 103.5. If you wish to report an issue or complaint concerning PNR Data or to submit an application for their correction, send a letter to: Customs and Border Protection, 1300 Pennsylvania Avenue, N.W., Washington, D.C. 20229. Decisions made by DHS are verified by the Chief Privacy Officer in the Department of Homeland Security, Washington, DC 20528. Any inquiries, complaints or applications for the correction of PNR Data may also be submitted to the data protection authority in the EU member state of the Passenger for further consideration.
k) If a complaint cannot be considered by DHS, the person submitting the complaint may send a letter to the Department of Homeland Security Chief Privacy Officer: Chief Privacy Officer of the Department of Homeland Security, Washington, DC 20528. The Chief Privacy Officer will assess the situation and try to settle the dispute. A complaint may also be submitted via data protection authority (hereinafter called "DPA"), i.e., the Inspector General for Personal Data Protection (IGPDP). The Chief Privacy Officer made a commitment to handle complaints received from data protection authorities of EU member states on behalf of an EU resident, if he authorises DPA to act for him. Contact details of national DPAs are available at: http://www.giodo.gov.pl/.
l) Further information about the use of personal data by the airline can be obtained directly from the airline in the given country.
To contact the Data Administrator, send an e-mail to: firstname.lastname@example.org