GENERAL DATA PROTECTION REGULATION
Whizzard Helicopters holds personal data in the form of names, addresses and contact details of members of the flying school and participants on our scenic tours and charters. We are required to ensure compliance with the EU General Data Protection Regulation (GDPR), which is designed to ensure more robust security and more transparency in the use of personal data.
The GDPR places specific legal obligations on Whizzard Helicopters. We will have legal liability if we are responsible for a breach of confidential data. Members and participants have a right to request sight of the data we hold on them, how it is used and, if necessary, to request that data is removed from our systems.
Whizzard Helicopters' policy is to hold the minimum amount of data necessary to legally operate according to the EASA regulations upon which our CAA approvals are based. For example, pilot training records are required to be held for a minimum of 3 years.
These paper records are held in a locked cabinet accessible only to approved personnel.
Electronic personal data, such as that acquired during normal financial transactions, for example when customers purchase online vouchers, is held by third parties using industry standard security procedures, and is accessible only to our authorised staff with access to secure login codes. Whizzard Helicopters will promptly inform anyone affected should any breach occur.
Whizzard Helicopters will not circulate any personal information to third parties without prior consent.
WHAT WE HOLD
We currently hold data in the form of names, addresses and contact details of members of the flying school and participants on our scenic tours and charters, which is pertinent to GDPR.
We hold email addresses of the above-mentioned individuals.
Subject to agreement by the individual, those email addresses may be used to advise of any offers or special future activities that may be of interest.
Whizzard Helicopters holds the names, addresses, contact numbers and e-mails, ages, bank details, tax and salary information, as well as working records, for members of staff and contractors. The information is accessible only by the Accountable Manager.
It is noted too that staff members may deal with personal information which comes under the jurisdiction of the GDPR, in the form of e-mails and transactional records. All staff are required to read and sign a security brief annually.
The GDPR requires that public authorities and large-scale data processing organisations designate a Data Protection Officer to take responsibility for data protection compliance. The size and structure of Whizzard Helicopters does not justify a dedicated post.
The GDPR includes the following rights for individuals: The right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision-making including profiling.
We are confident that current Whizzard Helicopters procedures fulfil the GDPR and we do not operate any data profiling processes. We will regularly review our procedures to ensure they cover areas such as the deletion of personal data and will provide individuals with the data we hold on them, if requested, in electronic format. The Accountable Manager will make any final decisions about deletion or release of information.
This Whizzard Helicopters data policy is available on the Whizzard Helicopters website. Any further updates will be communicated in a similar manner.
SUBJECT ACCESS REQUESTS
We acknowledge that individuals have a right to seek access to information held in Whizzard Helicopters databases, including where they think there is a problem with the way we are handling their data. We will comply with any such request within the new statutory one-month period. However, we can refuse or charge for requests that are manifestly unfounded or excessive.
Individuals will have the right to have their personal data deleted when they believe it is being held without a practical or lawful basis. If we refuse a request, we must tell the individual why and that they have the right to complain to the ICO and to seek a judicial remedy. We must do this, at the latest, within one month.
There is a requirement to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. This is unlikely to affect Whizzard Helicopters.
BREACHES OF DATA
Should we become aware of any personal data breach, we will notify members, participants, staff members and contractors as rapidly as possible, notifying the ICO if a breach is likely to result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage to those concerned.