The General Data Protection Regulation (GDPR) is a unified framework of data privacy rules, brought into force by the European Parliament, compliance with which is necessary for all EU member states and those states entering into certain contractual business with the EU and/or its member states.
The GDPR imposes strict regulations on how organizations operating in the EU collect, store and manage personal information.
GDPR requires all businesses collecting personal information to publish a ‘Privacy Notice’ which covers the following points:
- Who is collecting the data?
- What data is being collected?
- What is the legal basis for processing the data?
- Will the data be shared with any third parties?
- How will the information be used?
- How long will the data be stored for?
- What rights does the data subject have?
- How can the data subject raise a complaint?
Articles 12, 13 and 14 of the GDPR outline the requirements on giving privacy information to data subjects. The GDPR says that the information you provide must be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge.
The following information contains the answers to the above questions.
Who is collecting the data?
ATPL OnTrack™ is a trading name of ATPL Ninja Limited (Company Number: 12447907)
Registered office: Aviation House (Hangar SE2A), Gloucestershire Airport, Cheltenham, GL51 6SR.
What personal data is being collected?
Names of subscribers, E-mail addresses of subscribers
Who are we collecting the data on behalf of?
In order to avoid unnecessary duplication of resources and to reduce the risk of loss and/or theft of your personal information, ATPL Ninja Limited collects and processes data on behalf of ATPL Ninja Limited and specified companies for which it provides services. This does not absolve those companies from their own duties under the GDPR and you will be made aware of any companies presently subscribing to ATPL Ninja Limited services.
What is the legal basis for processing the data?
ATPL Ninja Limited is required to process certain personal information in order to maintain subscriber-specific records that will benefit subscribers in the analysis of their own progress through training processes.
We may also be required to contact you periodically to keep you advised of regulatory information, and to ensure that your study is being undertaken in accordance with applicable regulations, best practices and to your best advantage.
Will the data be shared with any third parties?
Your data will not be shared with any third parties without your explicit permission.
How will the information be used?
Your personal information will be held and processed for the purpose of ensuring that your training records and the data analysis thereof are specific to you.
How long will the data be stored for?
Your data will be kept for a period of six months from the end date of your subscription. You may apply at any time within that six-month period for your records to be removed, and on acceptance by you that all of your training records with ATPL Ninja Limited will be deleted, we will remove all of your data within 72 hours.
How do we store your data?
We store your data within electronic storage and retrieval systems only, held and/or managed by ATPL Ninja Limited. No physical records are maintained.
ATPL Ninja Limited electronic records are stored on a cloud-based, secure Microsoft Azure dedicated server, to which only ATPL Ninja Limited and Microsoft have access.
Details of Microsoft’s privacy policy can be obtained at - Microsoft Policy
Sales
ATPL Ninja Limited does not hold any personal financial information.
Any sales via ATPL Ninja Limited websites are processed by the website’s payment processing system, managed by Stripe, and those details are encrypted and not made available to ATPL Ninja Limited.
Details of Stripe's UK privacy policy can be obtained at - https://stripe.com/gb/privacy
Aviation Authorities
We do not expect that any aviation authority would request any of your training records; however, none of your training records will be made available to any aviation authorities without your explicit permission.
Security of Data
Security is of the highest priority when it comes to your personal information. We are committed to protecting your personal data and have appropriate technical and organisational measures in place to make sure that happens.
These include, as appropriate:
- Conducting Data Protection Impact Assessments (DPIA)
- Appointing a Data Protection Officer (DPO), responsible for:
  - Ensuring compliance with the GDPR and data protection legislation, as applicable
  - Data protection awareness and training
  - Monitoring policy, practices and procedures
To reduce, so far as is practicable, the risks of theft, loss, misuse, unauthorised access, disclosure and alteration of your personal information, we restrict access to personal information to only those persons for whom access is absolutely necessary. We also use firewalls and data encryption where practicable. Physical access to our data sources is restricted, and information access authorisation controls are in place.
What rights does the data subject have?
The GDPR provides the following rights for individuals:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.
Detailed guidance can be obtained from: ICO – Your Rights. In summary:
You have the right to know that we hold information about you and to receive a copy of any information we hold about you.
You have the right to request that we amend any information we hold about you which you believe to be incorrect and you have the right to require us to delete any information we hold about you.
You also have the right to object to any activities involving the processing of your personal data.
You have the right to instruct us not to process any information we hold about you and you also have the right to obtain and reuse your personal data for your own purposes.
You have rights in relation to automated individual decision-making (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual). ATPL Ninja Limited is limited to training records data analysis only and that is made available to you as the subscriber and to our data administration staff only. ATPL Ninja Limited does not have any control over any data that may be held by any aviation authority that may be subject to such automated decision-making or profiling.
How can the data subject raise a complaint?
If you have any complaints about the manner in which we hold or process your personal data, you are requested, in the first instance, to write to us at:
Data Protection Officer, ATPL Ninja Limited, Aviation House (Hangar SE2A), Gloucestershire Airport, Cheltenham, Gloucester, GL51 6SR, or via email to dpo@atplninja.com.
We will reply to your enquiry in writing within fourteen days.
If your enquiry is of an urgent nature, please contact us by telephone on +44 (0)1452 238012 and we shall endeavour to take immediate action to rectify any problem.
If you are not satisfied with our response, you can report the matter directly to the Information Commissioner’s Office by telephone on 0303 123 1113 or by visiting the ICO website at https://ico.org.uk.
Contacting you
We may be required to contact you periodically, to keep you advised on any matters which may concern private or professional flight crew licensing; or to keep you advised, or check, on the continued progress of your training with us, to ensure that you are completing your training to your best advantage.
Your consent?
We are not permitted to store this data without your consent; we are not permitted to contact you without your consent; and we are not permitted to supply that data to any third party without your written consent.
Whilst we have no intention to deliberately or mistakenly supply your data to any third party, the GDPR requires that we obtain your written consent to process any personal data relating to you.
What is the cost to you?
There is no cost to you for the storage or processing of your personal information; and there is no cost to you for us to supply you with copies of your personal information.
What is required of you now?
We are unable to assume your permission to any of the above; and we are required to obtain your consent to process your data and to hold that consent on record.
It would be appreciated if you would ensure that you have read these notes thoroughly. Thereafter, provided that you are satisfied that we will manage your data securely and that we will process it only as is absolutely necessary, please tick the box below to indicate your acceptance of this GDPR Privacy Policy.