1. WHO WE ARE
The data controller is Blue Air Aviation S.A., a limited liability company, with its headquarters in Sos. Bucuresti-Ploiesti, nr. 42-44, complex Baneasa Business & Technology Park, cladirea A, aripa A1, et 3-4, sector 1, Bucharest, Romania, registered with the Bucharest Trade Registry under no. RO31525574, sole identification number J40/5103/17.04.2013, email [email protected] (“Blue Air” or the “Company”).
For more information regarding the Company, please visit www.flyblueair.com
2. WHAT KIND OF PERSONAL DATA DO WE PROCESS, FOR WHAT PURPOSES AND ON WHAT GROUNDS?
In the process of operating this website, the Company will collect certain information (“personal data”) relating to identified natural persons or which can identify natural persons, which are provided by the users of this website directly (e.g. name, surname, postal address, e-mail address, telephone number, date of birth, etc.) or indirectly (e.g. IP address).
We will process personal data for the following purposes, based on the legal grounds indicated for each of them:
When you are visiting our website, we are using cookies to automatically collect technical information that could identify the user, such as the IP address, the type of internet browser used for navigating our website, your operating system, domain name or domain host through which the user is browsing the website.
2.2. Answering your questions, requests or complaints
We will process your personal data, such as name and surname, email address, telephone number and any other information or details you may provide us with in the correspondence, in order to communicate with you regarding the progress of the purchased services (possible timetable changes/cancelling of flights, modifications of other acquired services, managing complaints and processing claims under exceptional circumstances), depending on the communication channel you are contacting us, as described below.
|Providing answers to your inquiries, complaints, or requests by electronic mail (e-mail) or phone||Processing is based on a legitimate interest, allowing us to provide answers to your questions, complaints, or requests. Legal obligation based on consumer protection legislation; Contractual obligation based on the sales contract||7 years, which include the longest period of statute of limitation in the applicable law systems (6 years), to which we add a year as transition period|
2.3. Promotional campaigns
We will process personal data collected from you by filling-in participation forms on our website or similar forms to organize promotional campaigns and/or contests, or to award prizes to the winners of promotional campaigns, as well as to analyse the effectiveness of our promotional campaigns.
In case we collect data such as the identity card series and number or the personal identification code, these will be collected and used for the above purpose solely to comply with the fiscal obligations in connection with the prizes awarded to the winners of the campaign and/or contests. Your participation to such promotional campaigns and/or contests is voluntary. Therefore, it is your choice to decide whether to offer us personal data, by filling-in participation forms on our website or similar forms as provided by the rules of the promotional campaigns or contests.
|Organize promotional campaigns and/or contests||Contractual obligation (company/competition rules)||7 years, which include the longest period of statute of limitation in the applicable law systems (6 years), to which we add a year as transition period|
|Processing data of the winners of promotional campaigns for the purpose of awarding the prize and also for complying with the fiscal legal requirements.||Contractual obligation;Legal obligation||10 years, under the provisions of the fiscal law|
|Marketing communications related to the services / products of the contractual partners||Name and surname, e-mail address, phone number||2 years or until withdrawal of consent|
We will not publish the name, surname, photograph or other personal data of the winners of the promotional campaign and/or contest on our website, unless the data subject has provided us with his/her consent in this respect.
2.4. Direct marketing communications
We may process personal data to inform you about our products and services, promotional offers and for newsletter subscription. As a general rule, such personal data will be processed for direct marketing purposes only based on your consent and by using the communication channels (e.g. email, sms etc) you agreed with upon providing your consent. However, insofar you have provided us with your email address on the occasion of purchasing a product or service from us, we may use the email address, in compliance with the legal provisions in force allowing us to present you commercial communications regarding similar products or services, based on our legitimate interest in this respect; in such a case, upon obtaining the email address from you and subsequently, for each marketing message we may send you, we will provide you with the option to oppose to such utilization of the email address (unsubscribe).
|Purpose||Categories of processed data||Legal ground||Duration|
|Commercial communications regarding similar products or services||Email address provided on the occasion of purchasing a product or service from the Company||Legitimate interest||2 years|
|Other direct marketing communications||As provided by the data subject upon expressing his/her consent, e.g. name and surname, e-mail address, telephone number.||Consent||2 years or until the consent is withdrawn|
|Marketing communications regarding the services / products of the contractual partners||Name and surname, e-mail address, telephone number.||Consent||2 years or until the consent is withdrawn|
2.5. Surveys, customers satisfaction studies and feedback from customers
We will process your personal data when you decide to participate to our surveys or market studies, customer satisfaction inquiries or when you provide feedback on our products and services. Such personal data will be processed for the above purpose only based on your consent, also having in view our legitimate interest to help us understand the customers’ needs and expectations about our products and services. Your participation to such surveys or market studies is voluntary.
Therefore, it is your choice to decide whether to offer us personal data (such as name and surname, information regarding your preferences and shopping habits or other personal data that you may offer to provide), by filling-in participation forms on our website or similar forms as provided by the respective surveys or studies.
|Surveys or market studies, customer satisfaction inquiries or when you provide feedback on our products and services/td>||Consent, Legitimate interest, for customer satisfaction inquiries and improving customer experience, to improve services and the portfolio of services.||2 years or until the consent is withdrawn|
2.6. Automated decision making and automated profiling
The personal data referred to herein are subject to automated decision making, including profiling. The logic involved by the processing is to improve the experience of buying services of the Company and to developing the services portfolio of the Company.
The purpose of this type of processing is:
|We will keep and evaluate information regarding the most recent visits on our website and how you navigate through different sections of our website for analytical purposes, to understand the way people use our website in order to make it more intuitive||Legitimate interest||2 years|
|We will keep a record of the articles and pages on our website that you have accessed, and we will use that information to place on this website advertising that is relevant to your interests, which we have identified based on the articles you have read||Legitimate interest||2 years|
2.7. Selling of plane tickets and/or associated services
For the purchase of our products and services, both ours and our contractual partners, we inform you that we will process the following personal data: name, surname, nationality, type of passenger (gender, adult/child), home address, e-mail address, phone number, IP address, passport number or other numbers and details of the recognized identity document, type of credit card, credit card number, credit card holder, credit card security number or other payment details, medical conditions (for passengers which solicit services/special assistance transportation), as follows:
|Selling of plane tickets and/or associated services||Contractual obligation||7 years, which include the longest period of statute of limitation in the applicable law systems (6 years), to which we add a year as transition period|
|Registration and fulfilment of plane ticket changes||Contractual obligation|
|Acquisition of third-party products and services through our website||Contractual obligation||3 years|
2.8. Invoicing and management of payments
In the context of purchasing of products and services, we process personal data in order to achieve the following purposes: issuing invoices (including e-invoices), making payments, including but not limited to repayments and damages, as well as managing cash transactions and we collect personal data such as: name, surname, national identification number, serial and identity document number, issuing and expiry date of the identity document, date and place of birth, address, telephone number, e-mail address, bank details, citizenship, gender.
|Issuing invoices (including e-invoices), making payments, including but not limited to reimbursements and compensations, and managing cash transactions||Contractual obligation; Legal obligation||10 years|
2.9. Data processing of the representatives of the contractual partners involved in the execution of the contracts with the Company and/or the representatives of the public authorities
If you are the contact person of the partners, potential partners, or public authorities with whom the Company interacts in the course of the contracts, the Company processes your personal data as follows:
- To initiate or develop the contractual relationship between the Company and partners or potential partners;
- To initiate or develop the relations between the Company and the representatives of the public authorities with whom it interacts during current activities.
The processing of your data for this purpose is based on the legitimate interest of the Company to initiate and conduct contractual relations and/or with public authorities in conducting the Company's activity in the context of offering the Company's products and services. The refusal to provide data for this purpose may have therefore the Company's inability to carry out its activity.
|Purpose||Categories of processed data||Legal grounds||Duration|
|Initiating or developing the contractual relationship between the Company and partners or potential partners;||Name, surname, address, e-mail address, phone number, role, signature||Legitimate interest||During contractual relations, but no more than 4 years after termination of contractual relationships|
|Initiating or developing the relations between the Company and the public authorities’ representatives with whom it interacts in the course of the current activity||Name, surname, address, e-mail address, phone number, role, signature||Legitimate interest;Legal obligation||For the duration of the provisions of the archives law|
2.10. Creating the Blue Air Account
We will process your personal data, such as name and surname, e-mail address, date of birth, nationality, client type (title, gender), home address, telephone number and any other information or details you may provide us during the registration formalities for the creation of the Blue Air Account on our website. The decision to create a personal Blue Air Account is voluntary. Therefore, it is your choice to decide whether to offer us personal data, by filling-in the registration formalities on our website.
|Creation of the Blue Air Account||Processing is based on the subject’s consent for creating the account.||2 years or until the consent is withdrawn|
2.11. Social responsibility
For the development of social responsibility programs we process personal data for the purpose of granting airplane tickets for special cases such as medical conditions, repatriation of deceased persons.
The processing of your data for this purpose is grounded on the contractual obligation based on the contracts concluded by the Company with the persons requesting the Company's support in such situations. The refusal to provide data for this purpose may have therefore the Company's inability to carry out its activity.
Your data is kept to fulfil this purpose for 4 years, after which the data provided will be deleted.
3. WHO DO WE DISCLOSE YOUR PERSONAL DATA TO?
For reaching the purposes described above, the Company uses the services of various contractual partners. Some of them are authorized persons, such as travel agents and reseller companies, service providers from which you have made purchases through us (e.g. road transport services, rent-a-car services), ground operating companies and airport authorities, banking institutions and payment processors, global distribution systems, IT service providers, software and maintenance, operating in the European Union as well as outside the European Union, and your personal data may be provided to them to be used within the limits of their obligations to the Company. The personal data we disclose to the persons empowered by us are limited to the minimum personal information that is required to provide these services and we ask them not to use the personal data for any other purpose. We make every effort to ensure that all the entities we work with store your personal data safely and securely.
Some of these are, in turn, data operators, such as other airline companies, related service providers (e.g. insurance, transfer, rent-a-car, hotel establishments), travel agencies and operate commercially both in the European Union and outside the European Union. Some of them are third parties who are not intended to process the data but may have access to it upon fulfilling their tasks or interacting with the Company, such as technical maintenance companies, financial or legal auditors.
The personal data indicated above may also be made available or submitted to third parties in the following situations:
(i) public authorities, auditors or institutions competent to exercise inspections on the Company’s business or assets, which ask the Company to provide information, by the latter’s legal obligations. Such public authorities or institutions may be the police and regulatory authorities, border police, National Authority for Consumer Protection, National Authority for the Security of Personal Data Processing, The National Agency for Fiscal Admission, General Inspectorate for Immigration;
(ii) to comply with a legal requirement or to protect the rights and assets of our Company or other entities or people, such as courts of law;
(iii) to third-party purchasers, insofar the business of the Company would be (totally or partially) transferred and the subjects’ data would be part of the assets representing the object of the transaction.
Further on, for the processing purposes set out above, we may share your personal data with Blue Air branches and operating bases, which unfold their activities in Italy, the United Kingdom, Cyprus, companies that will comply with the Company's instructions regarding the processing of your personal data. For more information on these, please visit www.flyblueair.com.
The persons and entities we may share personal data with are the following:
b) To answer your questions, requests or complaints, we may share your personal data to our call center services providers;
c) For organizing and managing the promotional campaigns, as well as to analyse their effectiveness, we may send your personal data to advertising and marketing agencies, digital and social media agencies;
d) For direct marketing communications, we may send personal data to advertising and marketing agencies performing the communication on our behalf;
e) For conducting surveys, market studies, customer satisfaction inquiries or for obtaining our customers’ feedback on our products and services, we may share personal data to providers of survey or market studies / customer inquiries services.
4. TRANSFER OF PERSONAL DATA ABROAD
In the context of the operations described above, your personal data may be transferred abroad to states in the European Union (“EU”) or European Economic Area (the “EEA”).
We hereby inform you that any transfer performed by the Company in an EU or EEA member state will observe the legal requirements laid down by the GDPR.
The safeguards we have taken include implementing the European Commission's Standard Contractual Clauses for transfers of personal information to our non-EEA third party service providers and partners, which requires our non-EEA third party service providers and partners to protect personal information they process from the EEA in accordance with European Union data protection laws.
In this context, our Standard Contractual Clauses may be provided on request. If you have questions about, or need further information concerning, international data transfers, please send an email to [email protected].
5. HOW LONG WE STORE YOUR PERSONAL DATA
We will store your personal data only for the period of time necessary to achieve the processing purposes set out above, also by respecting the legal requirements in force. In case the Company will ascertain that it has a legitimate interest or a legal obligation to further process your personal data for other purposes, you will be properly informed on this. After the duration of the processing indicated above expires and the Company no longer has legal or legitimate reasons to process your personal data, the data will be deleted in accordance with the Company’s procedures, which may involve archiving, anonymizing, destroying them.
6. PROCESSING OF DATA OF CHILDREN UNDER THE AGE OF 16
All personal data processing presented in this Policy refers exclusively to persons that are at least 16 years old. The use of the systems, as well as the results of the processing is forbidden to children under this age without the consent of their parents/ legal representatives. In case such processing occurs, despite our reasonable efforts to prevent it, we will cease it upon noticing the fact that the users are under the age mentioned above.
7. SECURITY OF THE DATA PROCESSING
The Company hereby informs you that it constantly evaluates and upgrades the security measures implemented as to ensure a secure and safe personal data processing.
8. REFUSAL OF THE PROCESSING AND CONSEQUENCES THEREOF
The personal data provided under purposes 2.2., 2.3., 2.7., 2.8 represent a contractual obligation and the data subject has to provide the personal data in order to receive the solicited services, as well as to meet the requirements addressed by it. In case the data subject does not provide the data for the above-mentioned purpose, the company will be unable to carry out the activities for the aforementioned purposes.
9. RIGHTS OF THE DATA SUBJECTS
Within the context of the processing of your personal data, you have the following rights:
- The right of access to the processed personal data: you have the right to obtain a confirmation whether or not your personal data are being processed, and, if affirmative, to have access to the type of personal data and to the conditions of processing, by addressing a request in this respect to the data controller;
- The right to request the rectification or erasure of personal data: you have the possibility to request, by sending a request in this respect to the data controller, the rectification of inaccurate personal data, the supplementation of incomplete data or the erasure of your personal data in case
(i) the data are no longer needed for their original purpose (and no new lawful purpose exists),
(ii) the lawful basis for the processing is the data subject's consent, the data subject withdraws that consent, and no other lawful ground exists,
(iii) the data subject exercises the right to object and the controller has no overriding grounds for continuing the processing,
(iv) the data have been processed unlawfully,
(v) erasure is necessary for compliance with EU law or Romanian law, or
(vi) the data were collected in connection with the informational society services offered to children (if appropriate), where specific requirements regarding consent are applicable;
- The right to request the restriction of processing: you have the right to obtain the restriction of processing in cases where:
(i) you consider that the processed personal data are inaccurate, for a period enabling the controller to verify the accuracy of the personal data;
(ii) the processing is unlawful, however you do not want us to erase your personal data, but to restrict the use of data;
(iii) in case the data controller no longer needs your personal data for the above-mentioned purposes, but you are requiring the data for establishing, exercising or defending a legal claim or
(iv) you have objected to processing pending the verification whether the legitimate grounds of the data controller override those of the data subject;
- The right to withdraw your consent for processing, when the processing is based on consent, without affecting the lawfulness of processing undertaken until that moment;
- The right to object to the data processing on grounds relating to your particular situation, when the processing is based on legitimate interest and to object at any moment to the data processing for direct marketing purposes, including profiling;
- The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly affects the data subject in a significant manner;
- The right to data portability, meaning the right to receive your personal data, which you provided to the data controller in a structured, commonly used and machine-readable format and the right to transfer those data to another controller, if the processing is based on your consent or the unfolding of a contract and is undertaken by using automatic means;
- The right to file a complaint with the Data Protection Authority (ANSPDCP) and the right to address to the competent courts of law.
The exercising of the above rights may be performed at any time. For using these rights, we encourage you to use the forms provided at https://www.flyblueair.com/ro/ro/contact/ on www.flyblueair.com or by addressing a written notice, dated and signed or in electronic format at the following address: Sos. Bucuresti-Ploiesti, nr. 42-44, complex Baneasa Business & Technology Park, cladirea A, aripa A1, et 3-4, sector 1, Bucuresti, Romania or by email at [email protected].
Also, in case you wish to withdraw your consent given for direct marketing purposes you have the possibility to use the “unsubscribe” option provided to you in every marketing communication.
In the case of travel tickets purchased through Business-to-Customer distribution channels (Blue Air website, Blue Air mobile application, Blue Air call center or Blue Air ticketing offices), their payment can be made by:
- Bank card;
- Bank transfer;
- Blue Air Wallet.
If the passenger chooses to pay by bank card, the payments must be authorized by the cardholder mentioned in the reservation. The air carrier reserves the right to cancel the reservation, without prior notice, if it has reasonable grounds to consider that the passenger or cardholder are involved in any type of fraudulent activity or acts contrary to the contractual relationship, good faith or the law. Such suspicion can start from the following situations:
- the information provided for making the reservation is erroneous, false, inappropriate, misleading, contradictory or related to fraudulent behavior;
- there have been several attempts to make the payment, contradictory data being introduced;
- the passenger did not provide, when requested based on a security check, the contact details of the cardholder;
- the cardholder has not authorized the payment and claims that the reservation was made fraudulently;
- the cardholder or the passenger have engaged in fraudulent activities in the past or have requested certain fraudulent refunds;
- the cardholder or the passenger use the B2C distribution channels in a manner that Blue Air reasonably considers to be an abuse of the contractual relationship, good faith or the law;
- the cardholder or the passenger infringes the copyrights, patents, trademarks, trade secrets or other intellectual property or confidentiality rights of the air carrier;
- the cardholder or the passenger act in a defamatory, threatening manner or offer Blue Air products and services, directly or indirectly, in an impermissible manner;
- the cardholder or the passenger use what Blue Air reasonably considers to be potentially fraudulent funds;
- the cardholder or the passenger use the B2C distribution channels, in a manner that may give rise to complaints, litigation, chargebacks, fees, fines or other liabilities that could affect the air carrier;
- the cardholder or the passenger facilitates any viruses or other programming routines that may damage, interfere with, intercept or expropriate any data, information or systems of the air carrier;
- the cardholder or the passenger use any automated device or manual process in order to monitor, copy, manipulate, modify or corrupt the security and functionality of the air carrier systems or B2C distribution channels;
- the cardholder or the passenger act or fail to act in a manner that may cause loss to Blue Air or any third party.
Passengers can pay for the purchased services using a Visa, MasterCard or Maestro card, at which point they will be redirected to TwisPay, PayOne and/or Safecharge/Nuvei in order to ensure the secure payment processing. Payment can be made in RON, EUR, GBP, USD, DKK and SEK.
If the passenger chooses to pay by bank transfer, the reservation will remain valid for 72 (seventy-two) hours, period of time in which the passenger must ensure that the bank transfer will be processed by the bank, the money reaching Blue Air’s accounts open at:
CITI BANK ROMANIA
145 Calea Victoriei, Bucharest, Romania
BIC / SWIFT: CITIROBU
IBAN (EUR): RO97CITI0000000824689245
IBAN (RON): RO75CITI0000000824689253
The bank transfer must be made in accordance with the instructions received by the passenger in the e-mail confirming the reservation. In order for this payment method to be available, the reservation must be made either in RON or EUR and at least 7 (seven) days before the travel date. The payment order certifying the payment must contain the reservation code as the payment reference. Blue Air is not responsible for erroneously deposited / transferred amounts.
If the passenger chooses to pay by using the amount available in the Blue Air Wallet, such passenger must first login into their account and select, in the last step of the reservation process, the use of the credit available in the Blue Air Wallet. If the amount of credit available in the Blue Air Wallet is not sufficient to cover the purchase of the desired products and services, the difference shall be covered by bank card payment also in the last step of the purchase process, directly on the Company’s website.
After confirming the payment to Blue Air, the passenger will receive the tickets on the e-mail address communicated in the reservation, within 48 (forty-eight) hours.
In the case of travel tickets purchased through Business-to-Business distribution channels (B2B portal, API or authorized aggregators), their payment can be made by:
- Bank card;
- Other payment methods exceptionally agreed between the parties.
The air carrier reserves the right to refuse payment, without prior notice, if it has reasonable grounds to believe that the Agent is involved in any fraudulent activity or acts contrary to the contractual relationship, good faith or the law. Such suspicion can start from the following situations:
- the information provided for making the reservation is erroneous, false, inappropriate, misleading, contradictory or related to fraudulent behaviour;
- there have been several attempts to make the payment, contradictory data being introduced;
- the Agent did not provide, when requested based on a security check, the necessary information concerning him or the passenger;
- the Agent has engaged in fraudulent activities in the past or has requested certain fraudulent refunds;
- the Agent uses the B2B distribution channels in a manner that Blue Air reasonably considers to be an abuse of the contractual relationship, good faith or the law;
- the Agent infringes the copyrights, patents, trademarks, trade secrets or other intellectual property or confidentiality rights of the air carrier;
- the Agent acts in a defamatory, threatening manner or offers Blue Air products and services, directly or indirectly, in an impermissible manner;
- the Agent presents himself as part of or acting in the name and on behalf of Blue Air;
- the Agent uses what Blue Air reasonably considers to be potentially fraudulent funds;
- the Agent uses the B2B distribution channels, in a manner that may give rise to complaints, litigation, chargebacks, fees, fines or other liabilities that could affect the air carrier;
- the Agent facilitates any viruses or other programming routines that may damage, interfere with, intercept or expropriate any data, information or systems of the air carrier;
- the Agent uses any automated device or manual process in order to monitor, copy, manipulate, modify or corrupt the security and functionality of the air carrier systems or B2B distribution channels;
- the Agent acts or fails to act in a manner that may cause loss to Blue Air or any third party.
Agents can pay for the services purchased in the B2B portal, using a Visa, MasterCard or Maestro card and payment can be made in RON, EUR, GBP, USD, DKK and SEK. Payment methods and currencies in the API channel may be limited.
Blue Air reserves the right to refuse payments by credit cards issued on behalf of the Agent or on behalf of a person authorized to act on behalf of the Agent, in cases where they have not been previously authorized by Blue Air. Such authorization shall be requested by e-mail to [email protected].
Blue Air reserves the right to apply payment processing fees if credit cards issued on behalf of the Agent or on behalf of a person authorized to act on behalf of the Agent are used.
Blue Air can offer Agents the ability to use alternative payment methods at no extra cost, such as pre-paid deposits via bank transfer in Blue Air’s accounts mentioned above.
Additionally, as communicated during the registration process or in the Newsletter page, Blue Air can offer Agents special conditions in order to manage, change or pay for bookings made via the B2B portal.
Blue Air reserves the right to remove the Agent’s ticketing authority or its access to the Business-to-Business distribution channels if Agent does not comply with Blue Air’s Payment Policy, Travel Conditions and/or any other agreements concluded between the parties.