- Privacy policy

Personal Data Processing Policy at LOTAMS

We respect and uphold the right to privacy of individuals whose data we process, including visitors to LOTAMS websites.

The information contained in this Policy is of a general nature. Detailed information regarding the processing of personal data is provided each time such data is collected. This applies in particular to information about the purpose and legal basis of processing, the storage period, and the recipients to whom the data may be disclosed.

We apply the technical and organizational measures required by data protection regulations to ensure that all operations involving personal data are carried out in compliance with applicable law, recorded, and performed only by authorized persons. In order to ensure transparency of our data processing activities, we present the principles in force at LOTAMS.

Definitions

Policy – means this Personal Data Processing Policy at LOTAMS, unless the context clearly indicates otherwise;

Portal – means the website www.lotams.com;

Controller, LOTAMS, Company – means LOT Aircraft Maintenance Services sp. z o.o., with its registered office in Warsaw, at ul. Komitetu Obrony Robotników 45C, 02-146 Warsaw, entered in the Register of Entrepreneurs of the National Court Register under number KRS 0000352848, maintained by the District Court for the Capital City of Warsaw, 14th Commercial Division of the National Court Register, with a share capital of PLN 345,470,104.20, Tax Identification Number (NIP) 522-294-67-95, Statistical Number (REGON) 142321116;

Fanpage – means the official LOTAMS public profiles on social media platforms: Facebook, Instagram, LinkedIn, Twitter, YouTube;

GDPR – means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, p. 1);

Personal Data – means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;

Profiling – means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Personal Data Controller

The owner of the Portal and at the same time the Controller of personal data obtained through the Portal or Fanpages, as well as the personal data of our clients, business partners and their employees, job applicants, competition participants, and individuals contacting us, is LOTAMS.

For matters related to personal data protection, including the exercise of rights granted to the data subject, please contact our Data Protection Officer by sending an email to: daneosobowe@lotams.com, or by writing to the LOTAMS registered office with the note “Personal Data”.

Personal Data Security

Personal data collected and processed by LOTAMS in connection with its business operations is processed in compliance with applicable laws, in particular the GDPR and the data processing principles set out therein.

The Controller takes due care to protect the interests of data subjects and, in particular, ensures that the data collected:

is processed lawfully, fairly, and in a transparent manner with respect to the data subject;
is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes;
is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
is accurate and, where necessary, kept up to date;
is stored in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data is processed;
is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures, with access granted only to persons authorized by the Controller.

Purposes, legal basis, and retention period of personal data processing

LOTAMS may process your personal data, in particular for the following purposes:

Point 1.

Correspondence by e-mail and/or traditional mail – where correspondence addressed to the Controller is unrelated to services provided to the sender or any agreement concluded with them, the sender’s personal data is processed solely for the purpose of communicating with the sender and resolving the matter to which the correspondence relates.

Telephone communication – in matters unrelated to an agreement or services provided, initiated at the request of the data subject.

Categories of data: we process data provided by the sender of the correspondence or the caller contacting us by phone, such as: email address, name and surname, telephone number, correspondence address, company name, and any other data provided in the correspondence.

Legal basis: personal data provided in correspondence/telephone contact will be processed for the purpose of responding to an inquiry (handling correspondence addressed to the Controller or resolving the matter reported, in connection with its business operations) – pursuant to Article 6(1)(f) GDPR, i.e. the legitimate interest of the Controller.

Retention period: data is processed for the period necessary to conduct correspondence, and thereafter for the period necessary to establish, pursue, or defend against claims.

Point 2.

Recruitment – as part of recruitment processes, the Controller requires candidates to provide only the personal data specified in labour law provisions. If submitted applications contain additional data, their processing will be based on the candidate’s consent. If consent is not given or the candidate provides irrelevant information, such applications will not be used or considered in the recruitment process.

Categories of data: we process data provided by a candidate submitting an application:

required under the Labour Code: first name(s) and surname, date of birth, contact details, education, professional qualifications, previous employment history;
provided on the basis of consent: additional contact details, photograph, additional qualifications.

Legal basis for processing personal data:

fulfillment of recruitment obligations arising from the Labour Code – Article 6(1)(c) GDPR;
necessity to take steps prior to entering into a contract, at the request of the data subject – Article 6(1)(b) GDPR;
consent given by the candidate to participate in future recruitment processes – Article 6(1)(a) GDPR;
the legitimate interest of the Controller – Article 6(1)(f) GDPR – namely verification of the candidate’s qualifications, determining cooperation terms, as well as possible defense or pursuit of claims.

Retention period:

personal data will be processed for the period necessary to conduct the recruitment;
if consent for participation in future recruitment processes is given – for 12 months from the date the application is submitted;
until consent is withdrawn – insofar as processing is based on consent.

Point 3.

Marketing activities (including sending newsletters).

Categories of data: an email address is required to send the newsletter.

Legal basis: data processing is possible upon obtaining the user’s consent – Article 6(1)(a) GDPR.

Retention period: personal data will be processed until consent is withdrawn by the Portal user.

Point 4.

Conducting competitions, in particular selecting winners and awarding prizes.

Categories of data: we process personal data voluntarily provided by competition participants, such as: name and surname, email address, correspondence address. In the case of winners, we additionally process data necessary for awarding and accounting for the prize.

Legal basis:

acceptance of the competition rules by the participant;

legal obligations imposed on the Controller in the field of accounting – Article 6(1)(c) GDPR;

Article 6(1)(f) GDPR, i.e. the legitimate interest of the Controller.

Retention period: personal data of winners will be processed for 5 years from the end of the calendar year in which the competition took place; data of other participants will be processed for the period necessary to establish, pursue, or defend against claims.

Point 5.

Managing the website and operating Fanpages – personal data left by individuals visiting the Controller’s social media profiles (such as online identifiers, comments, likes) is processed for the following purposes:

enabling the activity of visitors to the Portal/Fanpages,

responding to private messages sent by users of the Portal/Fanpages,

effectively managing Fanpages by presenting users with information about the Controller’s initiatives and activities, and promoting events,

maintaining statistics and analytics to improve the functioning of the Portal/Fanpages,

possible pursuit or defense of claims.

The above information does not apply to data processing carried out by the administrators (owners) of social media platforms.

Categories of data: we process such data as: social media username, data provided in the content of comments/messages.

Legal basis: personal data is processed on the basis of the Controller’s legitimate interest – Article 6(1)(f) GDPR, namely responding to messages and comments of Portal/Fanpage users, providing information about the Controller’s activities, performing statistical analysis, and – where necessary – pursuing and defending against claims.

Retention period: personal data will be processed until an effective objection to processing is raised. Social media users following the Controller’s Fanpages always have the right to delete their comments under the Controller’s posts, unfollow the Fanpage, or delete their account on the given social media platform.

Point 6.

Conclusion and performance of contracts.

Categories of data: we process data necessary to conclude a contract, i.e.: company name, business address, tax identification number (NIP), statistical number (REGON), bank account number.

Processing is necessary for:

performance of a contract to which the data subject is a party – Article 6(1)(b) GDPR,

compliance with legal obligations imposed on the Controller – Article 6(1)(c) GDPR,

establishment, defense, or pursuit of claims – i.e. the Controller’s legitimate interest – Article 6(1)(f) GDPR.

Retention period: personal data will be processed for the duration of the contract and until the Controller fulfills its obligations arising from its performance.

Point 7.

Processing of personal data of personnel of contractors or clients cooperating with the Controller.

Categories of data: we process the data of contact persons provided by our clients/contractors/business partners, i.e.: name and surname, job title, business email address, business telephone number.

Legal basis: personal data is processed on the basis of the Controller’s legitimate interest – Article 6(1)(f) GDPR – namely, the proper performance of a contract concluded with a client or contractor. Personal data is provided to us by the employer/principal of the individual.

Retention period: personal data will be processed for the period necessary to pursue the Controller’s legitimate interest or until an effective objection to processing is raised.

Point 8.

Establishing and maintaining business contacts (collecting personal data during business meetings or through the exchange of business cards).

Categories of data: we process data provided by our business partner/potential business partner, i.e.: name and surname, job title, company name, telephone number, email address.

Legal basis: personal data is processed on the basis of the Controller’s legitimate interest in building a network of contacts in connection with its business activities – Article 6(1)(f) GDPR.

Retention period: personal data will be processed for the period necessary to pursue the Controller’s legitimate interest or until an effective objection to processing is raised.

Point 9.

Handling complaints.

Categories of data: we process data necessary to examine complaints, i.e.: name and surname/company name of the complainant, contact details (business address/correspondence address/email address, telephone number).

Legal basis: processing is necessary for:

performance of a contract to which the data subject is a party – Article 6(1)(b) GDPR,

compliance with legal obligations imposed on the Controller – Article 6(1)(c) GDPR.

Retention period: personal data will be processed for the period necessary to examine the complaint.

Point 10.

Access control to the Controller’s premises and video surveillance of LOTAMS premises.

Categories of data: we process data recorded by surveillance cameras, in the form of the image of individuals present on LOTAMS premises, and data necessary to enter the Company’s premises, i.e.: name and surname, company name, ID card number, vehicle registration number (if consent to enter the Company’s premises has been granted).

Legal basis:

compliance with legal obligations under the National Civil Aviation Security Program – Article 6(1)(c) GDPR,

the Controller’s legitimate interest – Article 6(1)(f) GDPR – consisting of ensuring the safety of persons and protection of property, maintaining the confidentiality of information the disclosure of which could harm the Controller, and production control.

Retention period: recordings are stored for 3 months from the date of recording, unless the recording constitutes evidence in proceedings; in such case, it is stored until the final conclusion of the proceedings or until an effective objection is raised. Personal data will be processed for the period necessary to establish, pursue, or defend against claims.

Point 11.

Data analysis, including data collected automatically when using the Portal, such as cookies (e.g., Google Analytics cookies, Facebook pixel).

Categories of data processed: are indicated below in the Cookies Policy.

Legal basis:

data is processed on the basis of the User’s consent – Article 6(1)(a) GDPR,

data is processed on the basis of the Controller’s legitimate interest – Article 6(1)(f) GDPR.

Retention period: personal data will be processed:

until consent is withdrawn,

until an effective objection to processing is raised.

Point 12.

Establishing or pursuing possible claims, or defending against claims.

Categories of data: will in each case be specified separately and limited to the minimum necessary for the given purpose (establishment/pursuit/defense of claims).

Legal basis: personal data is processed on the basis of the Controller’s legitimate interest – Article 6(1)(f) GDPR – namely establishing, pursuing, or defending claims.

Retention period: the processing period may be extended where processing is necessary to establish or pursue claims or defend against claims, and thereafter – only where and to the extent required by law.

After the processing period expires, the data is irreversibly destroyed or anonymized.

Categories of personal data processed

The categories of personal data we process depend on the purpose of processing; however, in every case, we adhere to the principle of data minimization as defined in the GDPR. The personal data we process includes:

information that can directly identify a natural person or indirectly allow such identification, such as: name and surname, ID card number, image, email address, telephone numbers, job title, other contact details, Internet Protocol (IP) address, device identifiers, online identifier, cookie content,

as well as information that may not, by itself, constitute identifiers of the user but which we store together with such identifiers, for example, the manner in which users of the Portal/Fanpages use our services, or the country in which the user is located while using our services.

Consequences of not providing personal data

Providing personal data is voluntary, but necessary, among other things, for:

using/continuing to use the Portal or Fanpages,

concluding a contract,

receiving a response to a submitted inquiry,

participating in recruitment,

entering the LOTAMS premises;

the consequence of not providing such data is the inability to use/continue the services provided.

Providing non-mandatory or excessive data, which the Controller does not need to process, is at the discretion of the data subject. In such cases, processing is carried out on the basis of Article 6(1)(a) GDPR (consent).

Categories of data recipients

The Controller will disclose personal data only if required by law or when, in connection with its business operations, it cooperates with external entities:

in the scope of services provided, including: IT and hosting services, document and media destruction, records management and storage, legal and tax advisory services, debt collection services, as well as HR services (i.e. entities processing personal data under an agreement with the Controller),

with entities whose involvement in the performance of services is necessary due to the terms of a contract.

Personal data may be transferred to third countries (i.e. countries outside the European Economic Area) where the Controller provides services, if the transfer is necessary for the performance of a contract between the data subject and the Controller (pursuant to Article 49(1)(b) GDPR).

Rights of data subjects

An individual whose personal data is processed by LOTAMS has the right to:

access their personal data (including, for example, receiving information about the purposes and legal bases of processing, categories of data, possible recipients, planned data deletion date, and rights available);

request rectification and restriction of processing (e.g., if personal data is inaccurate) or erasure of personal data (e.g., if it has been processed unlawfully);

object to the processing of their personal data carried out for the purposes of the Controller’s or a third party’s legitimate interests;

withdraw any consent previously given to the Controller at any time, whereby the withdrawal of consent does not affect the lawfulness of processing carried out by the Controller prior to its withdrawal, provided the processing was based on consent;

data portability, i.e., to receive the personal data provided to the Controller and processed by automated means on the basis of consent or a contract, e.g., transfer to another controller;

lodge a complaint with the President of the Personal Data Protection Office (PUODO), headquartered in Warsaw, ul. Stawki 2.

Requests concerning the exercise of rights may be submitted by sending an application to: daneosobowe@lotams.com.

If the Controller is unable to identify the individual based on the submitted request, the applicant will be asked to provide additional information. Providing such information is mandatory, and failure to do so will result in the request being refused.

Profiling

We inform you that the data of Portal or Fanpage users may be subject to profiling for the purpose of conducting our offer-related and marketing activities, better tailored to users’ expectations. However, we do not make decisions based solely on automated data processing, including profiling.

Right to Amend the Policy

Should it become necessary or advisable – in particular due to changes in law, changes in the purposes or legal bases of personal data processing, new guidelines issued by supervisory authorities for data protection, internal corporate regulations, or technological developments – LOTAMS reserves the right to amend this Policy by publishing its updated content on the Portal.

The current version of the Policy has been in force since 17 December 2019.

Cookies

Cookies are files that allow the Portal operator to control its functionality, prevent abuse, and facilitate the use of the www.lotams.com website.

In accordance with applicable law, when accessing the lotams.com website – if permitted by the User’s browser(s) or explicitly accepted by the User during the first visit – the Portal may automatically store information about the computer or device used for browsing and, for this purpose, may place “cookies.” Cookies enable the Portal administrator to control functionality, prevent abuse, and facilitate use of the Portal. Cookies may be used to collect information to ensure more convenient use for users and to support the development of the Portal.

Accepting and enabling cookies is optional. Cookie settings can be managed at any time in your browser, and consent to their use may be withdrawn at any time.

LOTAMS may use cookies, among others, for remembering user preferences (web browser, device type, font, colors), securing websites, or running marketing campaigns. The Controller may collect users’ IP addresses for diagnosing technical problems, creating statistical analyses, obtaining information useful for administering and improving the Portal, and for security purposes.

The Portal may contain links and references to other websites; however, LOTAMS is not responsible for the privacy practices of those websites.

Types of cookies used on the Portal:

Persistent cookies – stored on the User’s device even after leaving the visited page. They allow information about preferences to be stored and remembered;

Session cookies – necessary to maintain proper communication between the server and browser, thus enabling correct display of the page content and the use of its functionalities. Their purpose is to identify a given session (i.e., the dialogue between browser and server) and Users communicating with the server at the same time;

Other cookies (from third parties cooperating with LOTAMS) – enable external companies to analyze data such as: number of visits, user behavior on websites, types of browsers and electronic devices, pixel-type file information, or other behavioral data (e.g., location). The purpose of collecting and processing such cookies is to gather information on the profile of visitors to LOTAMS websites, their behaviors, and preferences and interest in specific products. They enable the display of advertisements and marketing offers as well as the analysis of user interest in displayed content. Companies providing analytical services for LOTAMS include, among others, Facebook and Google.

How to refuse (or withdraw consent) to the installation of cookies?

Most browsers accept cookies by default to ensure users’ convenience in using the website and proper display of its content. At any time, the User may modify cookie management via browser settings; however, at present it is not possible to select which types of cookies are accepted. Withdrawing consent disables the use of all cookies and may affect certain Portal functions, resulting in partial or complete blocking of some functionalities.

To change browser settings regarding cookies, we recommend using the following instructions:

The above browsers are provided as examples. Due to the wide variety of browsers in use, the method of disabling cookies may differ. Information regarding cookies is usually available in the “Tools” or “Options” menu. More detailed information is generally available on the website of the browser manufacturer.