We respect and value the privacy of everyone who visits this website, www.flightrights.ie or www.aviationreg.ie (“our site”) and where we seek information from you through any channel (e.g., via our complaint forms or in person). We will only collect and use personal data in ways that are described here, and in a manner that is consistent with our obligations and your rights under the data protection provisions.
Our Contact Details:
The Commission’s contact details are as follows:
Post: 3rd Floor, 6 Earlsfort Terrace, Dublin 2, D02 W773
Telephone: 00353 (1) 6611700
Definition and Interpretation
|Personal Data||Means data that relates to or can identify a living person either by itself or together with other available information. Examples of personal data include a person’s name, phone number, bank details.|
|Special Categories of Data||Means sensitive personal data which merits higher protection when processing.|
|Data Concerning Health||Means personal data related to the physical or mental health of a natural person|
|Processing||Means any operation or set of operations which is performed on personal data. Such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, or destruction|
|Data Controller||Means a Natural or legal person, public authority, agency, or other body who determines the purpose and means of processing of personal data|
|Data Processor||Means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.|
|Data Subject||Means a natural person or individual who is the subject of personal data.|
|Derogation||Means Data Transfer mechanism as provided under Article 49 GDPR and Section 91 Data Protection Act 2018.|
|We/Our/The Commission||Means the Commission for Aviation Regulation, a public body established under the Aviation Regulation Act 2001 whose headquarters are located at 3rd Floor, 6 Earlsfort Terrace, Dublin 2|
|You/ Your||Means individuals whose personal data we process.|
|Cookie||Means a small piece of data that a website stores on the visitor’s computer or mobile device|
|Cookie law||Means the EU ePrivacy Directive 2009/136/EC as transposed into Irish Law|
Purpose of this Privacy Notice
1.1 The Commission for Aviation Regulation collects and uses personal data provided by individuals via this website, by post, or in person for a range of purposes. All personal information collected through a variety of sources by the Commission will be protected in line with our responsibilities as a data controller pursuant to the Data Protection provisions.
1.2 This privacy notice is provided to you in line with our obligations under the General Data Protection Regulation (2016/679/EU) (GDPR); and sets out information on what personal data we collect and how we use it in connection with the functions of the Commission for Aviation Regulation. It sets out:
- What information we collect about you
- Why and how we use your personal information
- Who we share it with
- If we transfer your data outside EEA
- Data Security we employ
- Retention period
- Exercising your right
Data Protection Legislation as it pertains to us
1.3 The General Data Protection Regulation (GDPR) which came into effect on 25th May 2018, supplemented by the Data Protection Act 2018, provides individuals with increased rights and control over their personal information; and places enhanced obligations and responsibilities on how organisations collect, use, and protect personal data.
1.4 The Commission for Aviation Regulation as a Data Controller is obligated to put in place adequate technical and organisational measures in ensuring all personal and sensitive data are processed in a manner consistent with GDPR as supplemented by the Data Protection Act, 2018.
All personal and special categories of personal data provided to us will be processed in accordance with the Data Protection laws as relevant to us.
Principles of Data Protection
1.5 The principles of Data Protection as provided under Article 5 GDPR, sets out the fundamental rules applicable to the processing of personal data. The Commission will adhere to these principles when processing your personal data. The Commission will:
- Process your personal data in a lawful, fair, and transparent manner
- Collect no more than the relevant information required specific to the purpose of carrying out our duties as a Regulatory body
- Keep your personal information accurate and up to date at all times
- Retain your information for the duration of your complaint, processing of claims, application for licensing and to comply with our statutory obligations as stipulated under the relevant legislative Provision
- Process your personal data in a manner which ensures utmost confidentiality by restricting unauthorised access and limiting access to those required to carry out activities arising from our legal obligation
- Ensure adherence to the rules in relation to who receives personal data from us, transferring personal data outside the European Economic Area (EEA), and about individuals’ rights in relation to their personal data
Personal Information We Collect and Process
1.6 The Commission collects and processes personal data in connection with your use of aviationreg.ie or flightrights.ie and our relationship with you. This personal data includes:
- Name and Contact Details, including address, phone number and email address.
- Personal information you provide for the following:
- Air Passengers complaints form and Air Passengers with Reduced Mobility complaint form.
o Exercising your information rights under GDPR or Freedom of Information request formo Queries regarding our regulatory functions
- Air Passengers complaints form and Air Passengers with Reduced Mobility complaint form.
- All other personal data relating to you that is provided to us in connection with your use of this website flightsrights.ie or aviationreg.ie
1.7 Special Categories of Data: The Commission utilises limited sensitive/ special categories of data when carrying out our legal obligation. This includes the provision of details of Data Concerning Health of Persons with Reduced Mobility as it pertains to Air Passengers Rights.
Data Processing Purpose and Legal Ground for Processing
1.8 This entails the legal basis on which we process all personal information received by you in connection with our functions.
Processing based on the performance of our regulatory task and legal obligation
- Contacting you by post, phone, and email
- General information requests or queries regarding our functions
- Consumer Complaints Resolution in relation to Air Passenger Rights and Persons with Reduced Mobility
- Complying with your information rights under the General Data Protection Regulation, 2018 and the Freedom of Information Act, 2014
- To fulfil our legal obligations to liaise with other regulators (e.g., the Irish Aviation Authority, the Department of Transport, Tourism and Sports etc.)
- Protected Disclosures to the Commissioner
- Complying with court orders arising in civil or criminal proceedings
- Managing and administering our legal and compliance affairs
- – Managing and responding to complaints about us
Processing Based on Contractual Obligations
- Public Procurement activities including E-tenders, suppliers, and goods and service providers
Processing Based on Consent
- Subscribing to the Commission’s publication updates
Special Category and Criminal data
As part of the Commission’s Regulatory function, we process Special category data in accordance with the requirements of Article 6 and 9 of the General Data Protection Regulation (‘GDPR’) and the Data Protection Act, 2018. Our processing of such data respects the rights and interests of the data subjects.
We process special categories of personal data under the following Data Protection Provision:
- Article 9(2)(g) and Section 49(b) Data Protection Act – where processing is necessary for performing our obligations conferred to us by law as a regulatory body in resolving passenger’s complaint relevant to Passengers with Reduced Mobility.
Personal Data Recipients
1.9 We may share your data with third parties, including our third-party service providers and other recipients. Some of these recipients are our data processors, that is, they can only take and use the personal information that they receive from us only on our instructions and under our monitored control.
1.10 We require all our data processors and service providers to respect the security of your personal information and act solely on our instructions to protect your personal data in accordance with data processing agreements and confidentiality agreements as provided under the law.
1.11 This provides a non-exhaustive list of recipients/ service providers we share your personal information with:
|Third Party Name||Description of Services|
|IT/ Software Service Provider||Managing our IT system and databases containing personal information
|Capita||Hosting, support, and management of our online licensing complaint system|
|Webtrade||Hosting and support of our websites|
|Telephone Company||Hosting, support and service providers of phone communication equipment and software|
|Professional Advisors||Providing professional services to the Commission regarding Passengers rights|
|Internal Auditors||For auditing purposes|
|Comptroller & Auditor General||Reviews our expenditure of public funds, the C&AG may require access to files containing personal information to conduct their review|
|Banks||For the payment of licensing, levies, and travel trade claims|
|National Enforcement Bodies||Co-ordinating Passengers Rights Applications|
|Airlines||Liaising on behalf of passengers making complaints against airlines with whom they have a contract with|
|Kefron File Stores||Provides file storage services|
|Cyclone Shredding||Confidential shredding services|
|Other Statutory bodies relevant to the performance of our legal obligations||Liaising with other statutory bodies to resolve all matters arising out of the performance of our regulatory duties|
|Other Services Providers whom the Commission subcontracts to provide ad-hoc services||For operational purposes when carrying out our functions as an organisation|
The Commission reserves the right to update this list as the need arises.
Data Processing outside the EEA
1.12 The Commission only processes information outside of the EEA in very limited circumstances including:
- Complaint resolution relating to Air Passenger Rights and Persons with Reduced Mobility; where the complaint involves an airline whose registered office is outside the EEA.
1.13 To ensure that the Commission can carry out its complaint resolution function, we rely on Article 49(1)(d) GDPR, which provides for Derogations for specific situations in facilitating transfers of personal data to a third country or an international organisation.
The Commission for Aviation Regulation has put in place adequate and appropriate security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Access to your personal data is strictly on a need-based access (with limited access to functional areas in the Commission where the personal information is required in carrying out their regulatory task). In certain circumstances, a third-party service provider who have a business need to know but will only process your personal information on our instruction and are subject to a contract which incorporates a duty of confidentiality and a data processing agreement.
Data Retention Period
1.14 The Commission is committed to protecting your personal data and will ensure all appropriate steps are taken throughout the lifecycle of data processing in maintaining the integrity and security of all personal information under our care.
1.15 We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
1.16 Personal data relevant to complaint handling will be deleted six (6) months after closure of case in line with the Commission’s Records Management and Retention Schedule.
1.17 Our current retention periods are based on:
- Statutory obligations (e.g., we are required to keep records created for the purpose of fulfilling Our obligations in line with Comptroller and Auditor General Audit review)
- Contractual obligations, for example, we are required to keep records for a certain period as provided for in contracts with service providers such as IT services. Upon completion of the contract, we request all data to be deleted in accordance with our data protection agreement.
- Our view that retention is necessary for the original purpose or a compatible purpose and such data will be reviewed in line with our Record of Processing Activities and Records Management policy
- On a case-by-case basis, records may be retained for longer where they are required for actual or potential legal actions or the management of mitigation of operational or strategic risks to the Commission. Where records are subject to this kind of review, the ongoing retention will be assessed continually.
1.18 In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
1.20 A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device to remember information about you, such as your language preference or login information.
1.21 This website utilises two types of cookies:
- First-Party Cookies: Those set by us upon your use of Our website
- Third-Party Cookies: Third-party Cookies are those placed by websites, services, and/or parties other than us. These Cookies are not integral to the functioning of our site and your use and experience of our site will not be impaired by refusing consent to them.
1.22 All Cookies used by and on our site are used in accordance with current ePrivacy Directive 2009/136/EC.
1.23 Our cookies are not used to identify users personally. They are used to improve the effectiveness of the website and to provide you with a better end user experience on our websites.
1.24 Before Cookies are placed on your computer or device, you will be shown a pop-up message requesting your consent to set those Cookies. By giving your consent to the placing of Cookies you are enabling us to provide the best possible experience and service to you. You may, if you wish, deny consent to the placing of Cookies.
1.25 To further ensure your privacy and restrict third-party cookies on your devices, it is recommended that you keep your internet browser and operating system up-to-date and that you consult the help and guidance provided by the developer of your internet browser and manufacturer of your computer or device if you are unsure about adjusting your privacy settings.
Categories of Cookies Utilized on this Website:
Controlling your cookies
Any cookie that is not Strictly Necessary is not active by default and does not send information to the resource it is called from. Accepting all cookies, makes all cookies active. You can modify your cookie preferences for the website at any time by clicking on the ‘Cookie Settings’ button below.
Data Subject Rights
You have the following rights:
1.26 The Right to Access Information; this includes the right to know if we are processing your personal information, to receive a copy of the personal data being processed, and information regarding how your data is being processed. To exercise this right, please fill out the Data Subject Access Request form and send that to the Data Protection Officer (details below). In exercising your right above, please be aware you may need to provide us with adequate Proof of Identity where the identity of the data subject is uncertain.
1.27 The Right to be Informed includes information regarding how your information is collected, used, or otherwise processed.
1.28 The Right to Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
1.29 The Right of Rectification; if your personal data is inaccurate you have the right to have the data rectified without undue delay, and if it is incomplete you have the right to have the data completed by means of providing supplementary information. This right is restricted in certain circumstances such as for reasons of public interest and the right of freedom of expression and information.
1.30 The Right to Erasure; you have the right to have your personal data erased in certain circumstances.
1.31 The Right to Data Portability; in some circumstances you may be entitled to obtain your personal data from us in a format that makes it easier to reuse your information.
1.32 Rights regarding automated decision making, including profiling; the Commission does not engage in automatic decision making or profiling.
1.33 The Right to Restrict Processing; you have a limited right of restriction of processing of your personal data by a data controller.
1.34 The Right to Object to Processing; you have the right to object to certain types of processing of your personal data where this processing is carried out in connection with tasks in the public interest, under official authority or in the legitimate interests of others.
For full details on your rights please see the following here.
The Commission’s Data Protection Officer Contact Details
The Commission has appointed a Data Protection Officer to oversee our data protection compliance. Our DPO can be contacted at:
Post: 3rd Floor, 6 Earlsfort Terrace, Dublin 2, D02 W773
Phone: 00353 (1) 6346851
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, which in Ireland is the Office of the Data Protection Commission (DPC). The Data Protection Commission can be contacted in the following ways:
Online Contact Form: https://forms.dataprotection.ie/contact
Post – Dublin: 21 Fitzwilliams Square South, Dublin 2, D02 RD28
Post – Laois: Canal House, Station Road, Portarlington, Co. Laois, R32 AP23
Telephone: +353 578 684 800 or +353 761 104 800
We may change this Privacy Notice from time to time (for example, if the law changes). Any changes will be immediately posted on our site. We recommend that you check this page regularly to keep up to date.