Privacy policy at PLL LOT

I. GENERAL INFORMATION

This Privacy Policy applies to the personal data of the passengers of Polskie Linie Lotnicze LOT S.A. (hereinafter referred to as “Passengers”) as well as persons to whom Polskie Linie Lotnicze LOT S.A. provides services electronically through www.lot.com website (hereinafter referred to as “Client”). The Terms of Service concerning electronically supplied services are available here.

Polskie Linie Lotnicze LOT S.A., having its registered office in Warsaw (hereinafter referred to as “PLL LOT” or “we”), is the controller of Passengers' and Clients' personal data as defined by the provisions of the Regulation of the European Parliament and of the Council (EU) of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”).

We can be contacted by contact form or in writing to the address of our registered office: ul. Komitetu Obrony Robotników 43, 02-146 Warszawa.

We have appointed a data protection officer – it is a person who can be contacted by Passengers and Clients with respect to all matters concerning processing personal data, personal data protection and the use of data protection rights.

The Data Protection Officer can be contacted by e-mail: iod@lot.pl or in writing to the address of our registered office: ul. Komitetu Obrony Robotników 43, 02-146 Warszawa.

II. PERSONAL DATA PROTECTION RIGHTS

Subject to the principles set out in Articles 15-18 and 20-21 of the GDPR, Passengers and Clients have the following rights:

a) the right of access to personal data,

b) the right to rectification of inaccurate personal data,

c) the right of erasure of personal data,

d) the right to restriction of processing personal data,

e) the right to transmit your personal data – i.e. the right to receive personal data from PLL LOT in a structured, commonly used and machine-readable format; the right to data portability applies to personal data that is processed under an agreement or based on consent,

f) the right to object to personal data processing – if the data is processed based on the legitimate interest of PLL LOT.

Moreover, if personal data is processed under a consent, the Passengers and Clients are entitled to withdraw the consent to the processing of personal data at any time. Consent withdrawal does not affect the processing right that was exercised based on the consent before it was withdrawn.

In order to exercise the above-mentioned rights, one should call the 24-hour Customer Care Centre: 0 801 703 703 or ticket offices, or send a message to the Data Protection Officer: iod@lot.pl or contact by contact form.

Passengers and Clients are also entitled to lodge a complaint with a personal data protection authority, i.e. the President of the Personal Data Protection Office.

III. PERSONAL DATA PROCESSING BY PLL LOT

PLL LOT processes personal data of Clients and Passengers as part of the processes described below. The “more” tabs contain detailed information concerning data processing as part of a given process, including, among other things, information on the purposes and legal grounds of data protection as well as storage periods.

a) Administration of lot.com website – providing services available via lot.com website, such as:

– booking and providing the possibility of managing a booking (e.g. by choosing additional services),

– issuing an electronic air ticket,

– subscribing for a loyalty programme. [more about Loyalty programme]

b) Performance of the air carriage contract – the exercise of the rights and obligations under an air carriage contract and providing other air carriage related benefits to the Passenger. [more about Performance of the air carriage contract]

c) Managing claim processes – registering and settling complaints and defending against claims or exercising claims, if any. [more about Managing claim processes]

d) Conducting marketing activities – marketing of PLL LOT products/services and, in some cases, also products/services of our business partners; such activities cover also newsletter distribution [more about Conducting marketing activities]

Depending on the purpose of personal data processing, their provision may be a precondition for the execution of an agreement (e.g. if an air carriage contract is executed) or may be voluntary but required in order to use our services (provided through the website) or required for complaint settlement.

The provision of data for marketing purposes is voluntary – if you do not give your consent to the processing of personal data provided during the use of our website and its functionalities, personal data will not be processed for such a purpose.

IV. PROCESSING PASSENGERS' PERSONAL DATA – ADDITIONAL INFORMATION

Due to the necessity of ensuring a safe and lawful journey for our Passengers, we also inform you that PLL LOT will process Passengers' personal data in connection with the performance of obligations imposed on PLL LOT under applicable regulations. Passengers' data will be processed, in particular, to:

a) meet the requirements related to the Passenger's crossing of a border, including immigration, customs and other requirements related to the crossing of the border in destination countries;

b) prevent and condemn terrorism and other international offences, including the comparison of Passengers' data to the lists of passengers posing risk to aviation security;

c) ensure a safe flight to Passengers as well as US safety in the case of flights between the European Union and the United States.

Detailed rules for the processing of the personal data of Passengers travelling between the European Union and the United States are described in Chapter IX of this Policy.

V. STORAGE OF PERSONAL DATA

The period of storage of Clients' and Passengers' personal data depends on the purpose for which they are processed. Detailed rules concerning data storage periods have been described in materials available upon clicking “more” in Chapter III above. However, we inform you that personal data on the flights and bookings of Passengers between the European Union and the United States, defined as “data concerning the passenger's flight” or “PNR data” (PNR = Passenger Name Record), hereinafter referred to as “PNR data”, will be stored for the period provided in chapter VIII of this Policy.

VI. TRANSFERRING PERSONAL DATA

PLL LOT may transfer Clients' and Passengers' personal data to other persons, authorities, institutions and carriers authorised under applicable regulations and international contracts to receive such information, or if the provision of data is necessary to fulfil legitimate purposes pursued by PLL LOT or data recipients, including, among other things, to meet immigration, customs and other requirements related to the crossing of a border in destination countries.

PLL LOT may also transfer Clients' and Passengers' personal data to their suppliers to whom PLL LOT will commission services related to personal data processing, e.g. providers of hosting services, providers of tools used for sending a newsletter or entities providing services in the area of administration, www.lot.com website maintenance and management. Such entities will process data exclusively under a data protection agreement with PLL LOT and exclusively in accordance with PLL LOT's instructions.

VII. PERSONAL DATA PROTECTION

We make every effort to ensure that Passengers' and Clients' personal data is processed with the utmost respect for their privacy and the utmost care for the safety of the processed personal data. We assure you, in particular, that we have undertaken all measures required under applicable regulations to protect personal data provided to us, especially:

a) we use appropriate technical and organisational measures to ensure the protection of the processed personal data to the extent corresponding to the risk of the violation of rights and freedoms of persons whose data is processed;

b) measures mentioned in letter a) are implemented both while specifying manners of processing (in the so-called designing phase) and during the processing itself, taking into account: the level of technical knowledge, the cost of implementation as well as the character, scope, context and purpose of personal data processing;

c) we process data respecting the rule of protection by default;

d) we protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data;

e) we maintain documentation required by law, including appropriate data protection policies;

f) we entrust data protection exclusively to persons with relevant authorisation;

g) we keep the records of persons authorised to process personal data;

h) we control which data, when and by whom has been provided and to whom it is transferred.

We use, in particular, the following measures that prevent unauthorised persons from getting access to personal information and data processed through www.lot.com website:

a) cryptographic measures in the form of a VPN tunnel and encrypted SSH connection;

b) Amazon firewall systems;

c) authorisation with the use of RSA and DSA keys.

Specific risks related to the use of an electronically provided service: getting unauthorised access to information concerning a Client or a Passenger.

VIII. COOKIES

The lot.com website uses cookie-files. Cookies are IT data stored on the Client's device (e.g. computer memory) in order to, among other things, adjust the website to the Clients' needs and for statistical purposes. Cookies are not used to identify Clients' identities and do not affect the operation of the Client's device. More information on cookies can be found here.

IX. SPECIAL RULES CONCERNING THE PROCESSING OF THE DATA OF PASSENGERS TRAVELLING BETWEEN THE EUROPEAN UNION AND THE UNITED STATES

Due to the fact that the Passengers of PLL LOT travel between the European Union and the United States, below we present special principles concerning the processing of their personal data:

a) PLL LOT will transfer PNR Data to the United States Department of Homeland Security (hereinafter referred to as “DHS”) under applicable US regulations and the international contract between the European Union and the United States. This data shall be transferred for the purposes specified in Chapter IV of this Policy.

b) PLL LOT shall transfer Advance Passenger Information (API), i.e. mainly information from the Passenger's passport that is collected during check-in, to border control authorities. This data shall be transferred for the purposes specified in Chapter IV of this Policy.

c) In order to obtain exhaustive explanations on the manner of handling PNR Data concerning flights between the European Union and the United States by DHS, one can become familiar with the obligations of the United States Department of Homeland Security (“PNR Commitments”) published in the US Federal Register vol. 64, No. 131, page 41543.

d) PNR Data received in connection with flights between the EU and the USA can be made available to other domestic and foreign governmental bodies responsible for combating terrorism or law enforcement for the purposes specified in Chapter IV of this Policy.

e) Some PNR Data classified as special categories of personal data as defined in Article 9 of the GDPR can be entered in the PNR if they are transferred to DHS from community booking systems or air carriers' departure control. Such PNR Data that belong to special data categories cover, in particular, certain information on the Passenger's racial or ethnic origin, their political views, religious beliefs, health condition or sexual orientation. DHS has undertaken not to use any PNR Data that belong to special data categories, which they receive from booking systems or the air carriers' departure control in the EU. DHS has launched an automatic filtering program preventing the use of PNR Data that belong to the category of special PNR Data.

f) PNR Data from flights between the EU and the USA will be stored by DHS for 3 years and six months unless DHS gets manual access to these particular PNR Data. In such cases, PNR Data will be stored in DHS for an additional period of eight years. Moreover, information related to particular enforcement records will be kept in DHS until such a record is archived.

g) The obligation to make sure that all DHS departments handle personal information in accordance with the relevant act rests with the Department of Homeland Security Chief Privacy Officer. This Officer is independent of all DHS directorates, and their decisions are binding for the entire department. In order to ensure that DHS strictly follows the applicable regulations and uses proper safety measures, they will exercise strict supervision over the programme.

h) Every passenger may demand that DHS provides additional information on the type of PNR Data made available to DHS and ask for copies included in DHS database. To the extent to which it is permitted by the Freedom of Information Act and other statutory and implementing regulations and political objectives, irrespective of the Passenger's nationality and place of residence, DHS shall examine the request concerning the documents, including also PNR documents possessed by DHS. DHS can refuse to disclose or postpone the disclosure of all PNR Data or part of them in certain circumstances (e.g. if there are reasons to expect that it will disturb pending proceedings or cause a disclosure of techniques and procedures used during investigations conducted by law enforcement bodies). If DHS refuses the access to PNR Data based on departures specified in the Freedom of Information Act, an appeal against this decision can be brought by virtue of administrative procedure to the DHS Chief Privacy Officer, who is responsible for both data protection and data disclosure rules on behalf of DHS. The final decision is actionable under the provision of US law.

i) Passengers may demand that their PNR Data included in DHS databases is rectified, contacting the above-mentioned offices. DHS shall take into account rectification requests that they find reasonable and properly justified.

j) Enquiries concerning PNR Data made available to DHS or requests for making data possessed by DHS and related to the requesting party available shall be sent in writing to: Freedom of Information Act (FOIA) Request, U.S. Customs and Border Protection, 1300 Pennsylvania Avenue, N.W., Washington, D.C. 20229. Further information concerning the procedures of submitting such requests can be found in section 19 of the Code of Federal Regulations, section 103.5. Any problems or complaints concerning PNR Data or rectification requests can be reported or submitted in writing using the following address: Customs and Border Protection, 1300 Pennsylvania Avenue, N.W., Washington, D.C. 20229. DHS' decisions are subject to verification by the Chief Privacy Officer at the Department of Homeland Security, Washington, DC 20528. Any enquiries, complaints or requests for the rectification of PNR Data can be also sent to a data protection authority in the EU member state of a given Passenger for possible further examination.

k) If DHS cannot settle a complaint, the person submitting a complaint can contact the Department of Homeland Security Chief Privacy Officer in writing: Chief Privacy Officer of the Department of Homeland Security, Washington, DC 20528. The Chief Privacy Officer shall examine the situation and try to settle the dispute. One can also submit a complaint through the national data protection authority (hereinafter referred to as “DPA”), i.e. the President of the Personal Data Protection Office (UODO President). The Chief Privacy Officer has undertaken to handle complaints received from data protection authorities of individual EU member states on behalf of an EU citizen if the citizen authorises them to act on their behalf.

l) More information on the manner of using personal data by airlines can be obtained directly from airlines in a given country.

Notwithstanding the foregoing, data is transferred to countries from outside the European Economic Area in accordance with the rules set out in Chapter V of GDPR.