Privacy policy
Here you can find all the information regarding the data processing principles of Nordic Aviation Group AS and its subsidiaries Nordic Aviation Advisory OÜ and Regional Jet OÜ (together as The Group). The objective of The Group is to be a reliable partner that will respect your rights in the processing of personal data and lead the way for the others on the market.
Definitions provide the meanings of the words and expressions that are capitalised and used frequently in this Privacy Policy.
1. DEFINITIONS
1.1 Data Subject is a natural person about whom The Group has got information or data enabling to identify the natural person. Data Subjects are, for example, the Clients, Visitors and cooperation partners, as well as the employees who are natural persons and whose personal data is held by The Group.
1.2 Privacy Policy is this text which sets out the principles for Personal Data Processing by The Group.
1.3 Personal Data is any information concerning an identified or identifiable natural person.
1.4 Personal Data Processing is any operation or set of operations which is performed with the Personal Data of a Data Subject, such as collection, recording, organisation, structuring, storage, alteration and disclosure, enabling an access to, retrieval, consultation, use, transmission, cross-checks, alignment or combination, restriction, erasure or destruction of Personal Data, irrespective of the manner of performing these operations or the means exploited.
1.5 Client is any natural or legal person that uses or has expressed a desire to use the Services of The Group.
1.6 Agreement is the Service Agreement or any other agreement entered into between The Group and the Client.
1.7 General Terms and Conditions set forth the general terms and conditions applied to the entry into an Agreement with The Group.
1.8 Website means the websites of The Group, the list whereof is available here:
1.8.1 www.nordica.ee
1.8.2 www.xfly.ee
1.8.3 www.flightacademy.ee
1.8.3 jobs.nagroup.ee
1.9 Visitor is any person using the Website of The Group.
1.10 Child is a person who is under 13 years of age in the context of Personal Data Processing upon provision of information society services in the Republic of Estonia.
1.11 Services are any services and products offered by The Group , including the information society services that The Group offers.
1.12 Cookies are the data files sometimes recorded in the device of a Visitor of the Website.
1.13 Data Protection Officer of The Group is the person who monitors the implementation of the Personal Data Processing principles in The Group and who can be contacted by the Data Subject in case of a complaint.
1.14 Sales Channels are the means used by The Group for communicating with a Data Subject, devices created for selling the goods and providing the services, including e-mail, telephone, public and social media, various chat lines, individualised and interactive advertisements and other tools on the Websites and elsewhere.
1.15 Group includes the following legal persons (public limited companies): Nordic Aviation Group AS, registry code 12927848, registered address Lennujaama tee 13, Tallinn 11101; the subsidiary Regional Jet OÜ, registry code 12964950, registered address Lennujaama tee 13, Tallinn 11101 and the subsidiary Nordic Aviation Advisory OÜ, registry code 14361747, registered address Lennujaama tee 13, Tallinn 11101.
The above words and expressions are used in the meanings set out above in the Privacy Policy, Agreement, General Terms and Conditions and in the communication between the parties.
General Provisions tell you who the controller of Personal Data is and when the Privacy Policy applies.
2. GENERAL PROVISIONS
2.1 The Group may process Personal Data as:
(1) a controller, while determining the purposes and means of processing;
(2) a processor in accordance with the instructions from the controller; and
(3) a recipient to whom the Personal Data is transferred to the extent data is transferred.
The Group keeps a list of the processors of The Group and other data (see section 13: Important Documents, Guidelines and Procedures).
2.2 This Privacy Policy of The Group constitutes an inseparable part of the Agreement and General Terms and Conditions entered into between The Group and the Client.
2.3 The Privacy Policy shall apply to the Data Subjects, and the rights and obligations set out in the Privacy Policy shall be followed by all the employees and cooperation partners of The Group who come into contact with the Personal Data that is in the possession of The Group.
2.4 The Privacy Policy may supplement the privacy statements published on the Website or in the devices, and the Privacy Policy may also be amended and supplemented by the same.
Here you find the principles that are always followed by The Group while Processing your Personal Data.
3. PRINCIPLES
3.1 The Group shall always take into account the interests, rights and freedoms of Data Subjects.
3.2 The objective of The Group is to Process Personal Data responsibly, based on the best practice, with the aim of always being prepared to demonstrate the conformity of Personal Data Processing to the established purposes.
3.3 All the processes, guidelines, operations and activities of The Group that are related to Personal Data Processing are based on the following principles:
(1) Lawfulness. There is always a legal basis for the Processing of Personal Data, e.g consent;
(2) Fairness. Personal Data Processing shall be fair, while providing a Data Subject with sufficient information and communication on how the Personal Data is Processed, for example via keeping a register of processing activities (see section 13: Important Documents, Guidelines and Procedures);
(3) Transparency. Personal Data Processing shall be transparent for the Data Subject, including via the user account created for the very same purpose, and via keeping a register of processing activities (see section 13: Important Documents, Guidelines and Procedures);
(4) Purposefulness. Personal Data shall be collected for legitimate purposes that have been established precisely and clearly, and shall not be processed in any manner which is in conflict with these purposes.;
(5) Minimisation. Personal Data shall be adequate, relevant and limited to what is necessary for the purpose of Processing the given Personal Data. The Group shall be guided by the principle of minimum Processing in Personal Data Processing, and as soon as the Personal Data is no longer necessary or needed for the purposes for which it was collected, the Personal Data shall be deleted;
(6) Accuracy. Personal Data shall be correct and shall be updated as necessary, and all reasonable measures shall be taken to ensure that Personal Data which is incorrect in the light of the purpose of Personal Data Processing shall be deleted or corrected without delay after being notified of incorrectness;
(7) Limit of storage. Personal Data shall be stored in the format enabling the identification of Data Subjects only as long as it is necessary to achieve the purpose for which the Personal Data is processed. It means that in case The Group wishes to store the Personal Data for a longer period of time than necessary for the purpose of collecting the data, The Group shall anonymise the data in such manner that the Data Subject shall no longer be identifiable. The Group shall store the data that has been received by The Group via a client relationship or any other similar relationship, in accordance with the best practice, and the data processed on the basis of consent generally for as long as the consent is withdrawn. The storage periods regarding different purposes of Processing are set out in the register of processing activities (see section 13: Important Documents, Guidelines and Procedures);
(8) Reliability and confidentiality. Personal Data Processing shall be carried out in the manner ensuring the adequate security of Personal Data, including its protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, by taking reasonable technical or organisational measures. The Group has internal guidelines, rules for the employees, and separate agreements with every processor, stipulating the best practices, on-going risk assessment and adequate technical and organisational measures for Personal Data Processing;
(9) Data protection by design and by default. The Group shall ensure that all the systems used shall meet the required technical criteria. The suitable data protection measures have been planned upon the renewal or design of every information or data system (e.g. the information systems and business processes are constructed using pseudonymisation and encryption).
3.4 Upon Personal Data Processing The Group shall act with the purpose of always being capable of evidencing the conformity to the aforesaid principles and additional information regarding the conformity to these principles can also be requested from the Data Protection Officer.
Here you find information on how we collect Personal Data.
4. COMPOSITION OF PERSONAL DATA
4.1 The Group keeps a detailed list of the Personal Data Processed by The Group in the register of processing activities of The Group (see section 13: Important Documents, Guidelines and Procedures).
4.2 The Group collects, inter alia, the following types of Personal Data:
(1) the Personal Data disclosed to The Group by the Data Subject (e.g., entering data necessary for the purchase of a ticket on the Web site);
(2) the Personal Data generated as a result of the day-to-day communication between the Data Subject and The Group (e.g. correspondence);
(3) the Personal Data manifestly made public by the Data Subject (e.g. in social media);
(4) the Personal Data generated upon consumption of Services (e.g. in the use of possible e-services of The Group);
(5) the Personal Data generated as a result of visiting and using the Website (e.g. the time spent on the Website);
(6) the Personal Data received from third persons (e.g. traveller’s information);
(7) the Personal Data created and combined by The Group (electronic correspondence or order history in the context of a client relationship).
Here you find out for which purposes and under which bases we can Process your Personal Data.
5. COMPOSITION, PURPOSES AND BASES FOR PROCESSING OF PERSONAL DATA
5.1 The Group keeps detailed information and list of the Personal Data Processed by The Group, as well as of the manners, purposes and means of Processing in the register of processing activities of The Group (see section 13: Important Documents, Guidelines and Procedures).
5.2 The Group shall Process Personal Data only upon legal basis, such as consent. Legal bases for Processing of Personal Data include, but are not limited to, legitimate interests or an Agreement between the Data Subject and The Group.
5.3 The Group shall Process Personal Data on the basis of consent precisely within the limits, to the extent and for the purposes determined by the Data Subject. As for consents, The Group shall follow the principle that every consent shall be clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Consent may be given in writing or by electronic means or as an oral statement. A Data Subject shall give the consent freely, specifically, informedly and unambiguously, for example by ticking a box on the Website.
5.4 Upon entry into and performance of an Agreement, Personal Data Processing may be additionally provided for in the specific Agreement, but The Group may Process Personal Data for the following Purposes:
(1) in order to take steps at the request of the Data Subject prior to entering into the Agreement;
(2) to identify the Client to the extent required by due diligence;
(3) to perform the obligations to the Client regarding the provision of its Services;
(4) to communicate with the Client;
(5) to ensure the performance of the payment obligation of the Client;
(6) to submit, realise and defend claims.
5.5 For entry into an employment agreement, the Processing of the Personal Data of a job applicant by The Group based on the entry into the agreement and legitimate interest shall include:
(1) Processing of the data submitted by the job applicant to The Group for the purpose of entering into an employment agreement;
(2) Processing of the Personal Data received from the person indicated as the referee by the job applicant;
(3) Processing of the Personal Data collected from state databases and registers and public (social) media.
In case a job applicant is not selected, The Group shall store the Personal Data collected for the entry into an employment contract for two years in order to make a job offer to the job applicant in case a suitable position becomes vacant. When two years have passed after the submission of a job application, the Personal Data of the job applicant who was not selected shall be deleted.
5.6 Legitimate interest means the interest of The Group in the management and direction of its business in order to be able to offer the best possible Services on the market. The Group shall Process Personal Data on a legal basis only after careful consideration in order to ascertain the legitimate interest of The Group, based on which the Personal Data Processing is necessary and is in compliance with the interests and rights of a Data Subject (after carrying out the so-called three-step test). In particular, Personal Data Processing may take place on the basis of a legitimate interest for the following purposes:
(1) for ensuring a trust-based relationship with a client, for example Personal Data Processing that is strictly necessary to determine the ultimate beneficiaries or to prevent fraud;
(2) for the administration and analysing of the client base to improve the availability, selection and quality of Services and products, and to make the best and more personalised offers to the Client upon the Client’s consent;
(3) for the identifiers and Personal Data collected upon the use of websites, mobile applications and other Services. The Group shall use the collected data for web analysis or for the analysis of mobile and information society services, for ensuring and improving the functioning, for statistical purposes and for analysing the behaviour and user experience of Visitors and for providing better and more personalised Services;
(4) for the organisation of campaigns, including organisation of personalised and targeted campaigns, carrying out Client and Visitor satisfaction surveys, and measuring the effectiveness of the performed marketing activities;
(5) for analysing the behaviour of the Clients and Visitors in different Sales Channels and on Websites;
(6) for monitoring of the service. The Group may record the messages and instructions given in its premises as well as by means of communication (e-mail, telephone, etc.), as well as information and other operations carried out by The Group, and shall use those recordings as needed to evidence instructions or other operations;
(7) for network, information and cyber security considerations, for example for fighting against piracy and for ensuring the security of the Websites, as well as for the measures taken for making and storing backup copies;
(8) for corporate purposes, in particular for financial management and for transferring Personal Data within the Group for internal administrative purposes, including the Processing of the Clients’ or employees’ Personal Data;
(9) for the establishment, exercise or defence of legal claims.
5.7 For performing a legal obligation, The Group shall Process Personal Data to perform the obligations set forth by law or to exercise the rights permitted by law. Legal obligations derive, for example, from adhering to the rules of payment processing and prevention of money laundering.
5.8 In case Personal Data Processing is carried out for a new purpose, different from those for which the Personal Data was originally collected, or is not based on the consent given by the Data Subject, The Group shall carefully assess the permissibility of such new Processing. The respective new purposes of Processing will always be covered in the register of processing operations (see section 13: Important Documents, Guidelines and Procedures). In order to determine whether the Processing for the new purpose is in compliance with the purpose for which the Personal Data were originally collected, The Group shall take into consideration, inter alia, the following:
(1) any link between the purposes for which the Personal Data was collected and the intended further purposes Processing;
(2) the context of collecting the Personal Data, in particular regarding the relationship between the Data Subject and The Group;
(3) the nature of the Personal Data, in particular whether any special categories of Personal Data, or Personal Data related to criminal convictions and offences is processed;
(4) possible consequences of the intended further processing for the Data Subjects;
(5) existence of appropriate protection measures which may consist of, for example, encryption and pseudonymisation.
Here you find information on when we may transfer your Personal Data to our cooperation partners.
6. DISCLOSURE AND/OR TRANSFER OF CLIENT DATA TO THIRD PERSONS
6.1 The Group publishes and / or transmits Personal Data to third persons in accordance with statutory obligations coming from law (in particular transfer of flight information).
6.2 The Group cooperates with persons, to whom The Group may transfer data regarding the Data Subjects, including their Personal Data, in the context and for the purposes of co-operation.
6.3 Such third persons may be entities within The Group, its advertising and marketing partners, companies carrying out client satisfaction surveys, debt collection agencies, credit registers, IT partners, persons, authorities and organisations intermediating or providing (electronic) mail services, provided that:
(1) the respective purpose and the Processing are lawful;
(2) the Personal Data Processing is carried out in accordance with the guidelines of The Group and on the basis of a valid agreement;
(3) the data regarding the respective processors is kept and available to the Data Subjects (see section 13: Important Documents, Guidelines and Procedures).
6.4 The Group shall transfer Personal Data to outside the European Union only if :
(1) The Commission of the European Union has decided that there is adequate protection in that country;
(2) The Group has taken protection measures (e.g. binding internal rules of the group or standard data protection clauses);
(3) the Data Subject has given explicit consent for the transmission after The Group informed him/her of the potential risks associated with such transmission resulting from the lack of a protection adequacy decision and the relevant protection measures;
(4) if the transmission is necessary for the performance of an agreement between the Data Subject and the processor or the implementation of pre-contractual measures taken at the request of the Data Subject;
(5) if the transmission is necessary in order to conclude an agreement or to perform the contract between the controller and another natural or legal person in the interest of the Data Subject;
(6) transmission is necessary for compelling reasons of public interest; to prepare, present or protect legal claims; to protect the essential interests of the Data Subject or other persons if the Data Subject is physically or legally incapable of giving consent;
(7) The transfer is made from a register which, under Union or national law, is intended to inform the public and is open to inspection either to the general public or to anyone who can demonstrate a legitimate interest, but only to the extent that, in the case at hand, the conditions for access are in accordance with the Union or national law;
(8) the transfer is not repeated, it concerns only a limited number of Data Subjects; it is necessary for protecting the legitimate interests of The Group which are not overridden by the interests, rights or freedoms of the Data Subject, and if all the circumstances related to the transfer have been assessed and suitable protection measures have been established to protect the Personal Data, or if there is some other legal basis therefor. The Group shall inform the Data Protection Inspectorate of such transfer based on a legitimate interest.
Here you find a description of how we will protect your Personal Data and where you can find information on the storage periods of Personal Data.
7. SECURITY OF PERSONAL DATA PROCESSING
7.1 The Group shall store the Personal Data strictly only for the minimum period required. Further information on the storage periods of Personal Data is held in the register of processing activities of The Group (see section 13: Important Documents, Guidelines and Procedures). The Personal Data with an expired storage period shall be destructed using the best practice and in accordance with the procedure established for this purpose by The Group.
7.2 The Group has established guidelines and procedural rules for ensuring the security of Personal Data by both organisational and technical measures (see section 13: Important Documents, Guidelines and Procedures). Further information on the security measures taken by The Group can be obtained also from the Data Protection Officer of The Group.
7.3 In case of an incident related to Personal Data, The Group shall take all necessary measures to mitigate the consequences and hedge any relevant risks in the future. Inter alia, The Group shall register all the incidents and shall inform the Data Protection Inspectorate and the Data Subject directly (e.g. by email) or in public (e.g. via the news) in prescribed cases.
The Group does not collect Children’s Personal Data from Children. Access to The Group’s Services are provided to Children only with the consent of the parent or guardian.
8. PROCESSING OF THE PERSONAL DATA OF CHILDREN
8.1 The Group’s Services are provided to Children only with the consent of the parent or guardian. You can find out about the Services available to children here: Travelling with children.
8.2 The Group does not collect Children’s Personal Data from Children. When we process Children’s Personal Data, we will do it in accordance with the wishes of the parent or guardian or under an obligation arising from the law.
8.3 The consumer of The Group’s or in particular its co-operation partners’ services may be a Child, , in which case we advise you to get acquainted with the co-operation partner’s privacy policy (e.g. Lufthansa).
Your Personal Data belongs to you, and here you find information on the rights you have in protecting your Personal Data.
9. RIGHTS OF DATA SUBJECTS
9.1 Rights related to consent:
(1) A Data Subject will always be entitled to inform The Group about his or her wish to withdraw the consent for the Personal Data Processing.
(2) The consent given to The Group can be changed and cancelled by contacting The Group’s Data Protection Officer by e-mail at data@nordica.ee.
9.2 A Data Subject has also the following rights upon Personal Data Processing:
(1) Right to receive information, i.e. the right of a Data Subject to receive information regarding the Personal Data collected about him or her. A Data Subject will be able to receive information, inter alia, from the Group’s Data Protection Officer and their User Account, where also additional information regarding the exercising of one’s information rights can be found.
(2) Right of access to data which, inter alia, includes the right of a Data Subject to a copy of the Processed Personal Data.
(3) Right to rectification of inaccurate Personal Data. A Data Subject will be able, inter alia, to correct inaccurate data by contacting The Group’s Data Protection Officer at data@nordica.ee (see section 13: Important Documents, Guidelines and Procedures).
(4) Right to erasure of data i.e. in certain cases a Data Subject will be entitled to demand the deletion of Personal Data, for example if the Processing is carried out only on the basis of a consent.
(5) Right to demand restriction of Personal Data Processing. This right is created, inter alia, in case the Personal Data Processing is not permitted under law or if the Data Subject challenges the accuracy of the Personal Data. A Data Subject will be entitled to demand the restriction of the Personal Data Processing for a period enabling the processor to check the accuracy of the Personal Data or if the Personal Data Processing is unlawful but the Data Subject does not request the deletion of the Personal Data.
(6) Right to data portability i.e. a Data Subject shall have, in certain cases, the right to receive the Personal Data in a machine-readable format, and to take the data along or transfer it to another controller.
(7) Rights related to automated Processing mean, inter alia, that a Data Subject will have the right to object, on grounds relating to his or her particular situation, at any time to Processing of Personal Data concerning him or her, based on automated decision-making. For the avoidance of doubt – The Group may Process Personal Data for automated decision-making promoting its business (i.e. for segmentation of Visitors in marketing context, and for sending them personalised messages, in the context of commencement of an employment relationship, and in order to ensure that our employees shall adhere to our internal security regulations). Automated Processing may include also data collected from public sources. You have the right to avoid any decisions based on automated Personal Data Processing if they can be classified as profiling;
(8) Right to the assessment of a supervisory authority on whether the Processing of the Personal Data of the Data Subject is lawful;
(9) Compensation for damage, if the Personal Data Processing has caused damage to the Data Subject and it is proven.
9.3 If the request involves the need to identify the Data Subject, the availability of sufficient data for The Group for identification is the prerequisite for completing the application. The Group’s Data Request Form can be used to simplify the application.
Here you find information on how to receive explanations or how and to where a complaint should be filed.
10. EXERCISING OF RIGHTS AND FILING OF COMPLAINTS
10.1 Exercising of rights:
A Data Subject will be entitled to address The Group or the Data Protection Officer of The Group using the contact details set out in section 14.
10.2 Filing of complaints:
(1) A Data Subject will be entitled to address a complaint to The Group and the Data Protection Officer of The Group, to the Data Protection Inspectorate or to a court if the Data Subject is of the opinion that his or her rights have been infringed in Personal Data Processing.
(2) The contact details of the Data Protection Inspectorate are available on the website of the Data Protection Inspectorate: http://www.aki.ee/.
Here you find information on the types of Cookies or other technologies we use and how you can control the use of such technologies.
11. COOKIES AND OTHER WEB TECHNOLOGIES
11.1 The Group may collect data regarding the Visitors of the Websites and other information society services by using Cookies for this purpose (i.e. small pieces of information stored by the Visitor’s browser on the hard disk of the computer of any other device of the Visitor) or other similar technologies (e.g. IP address, equipment information, location information) and process the data.
11.2 The Group uses the collected data to enable the provision of the Service in accordance with the habits of a Visitor or Client; to ensure the best Service quality; to inform the Visitor and Client about the contents and give recommendations; to update advertisements and make marketing efforts more efficient; and to facilitate logging in and protection of data. The collected data shall also be used for counting the Visitors and recording their using habits.
11.3 The Group uses session Cookies, persistent Cookies and advertising Cookies. A session Cookie is deleted automatically after every visit; persistent Cookies shall remain upon repeated use of the Website, and advertising Cookies and third party Cookies are used by the Websites of the partners of The Group which are connected with the Website of The Group. The Group does not control the generation of those Cookies, therefore information on these Cookies can be obtained from third persons. Further information on Cookies is available in the explanatory materials (see section 13: Important Documents, Guidelines and Procedures).
11.4 As to the Cookies, Visitors agree with the use of Cookies on the Website, in information society service devices or the web browser.
11.5 Most of the web browsers allow Cookies. Without fully allowing Cookies, the functions of the Website are not available to a Visitor. The allowing or prohibiting Cookies and other similar technologies shall be under the control of a Visitor via the settings of the Visitor’s own web browser, settings of the information society service and platforms for making such privacy more efficient (see section 13: Important Documents, Guidelines and Procedures).
We have different products. Here you find adequate information on specific products, of which Personal Data Processing constitutes a significant part.
12. SPECIAL PROVISIONS FOR THE GROUP’S PRODUCTS
12.1 The Group offers a variety of services in addition to air travel in cooperation with several cooperation partners.
12.2 The Group uses only trusted co-operation partners to provide the Services, who can ensure adequate protection of Personal Data, and information about the co-operation partners is listed in the Register of processing activities (see Section 13: Essential documents, guidelines, procedures).
Here we set out all the documents, procedures and registers, through which you will be able to exercise your rights in the best way, and know how we store and Process your Personal Data.
13. IMPORTANT DOCUMENTS, GUIDELINES AND PROCEDURES
13.1 The Privacy Policy of The Group shall be implemented on the basis of the following documents, guidelines and procedures:
(1) The Group keeps a Register of processing activities which sets out the purposes and manners of Personal Data Processing, types and categories of the Personal Data being Processed, and the respective bases for Processing;
(2) Policy of the organisational and technical measures taken by The Group which sets out various measures taken by The Group to always maintain the confidentiality and security of Personal Data;
(3) All About Cookies : Descriptions of cookies and other web technologies used by The Group;
(4) Your Online Choices; About Ads; Network Advertising: the platform of controlling and monitoring of cookies and other web technologies, where Data Subjects themselves can change and control how their Personal Data is used and collected.
(5) Data Request Form to help the Data Subject with potential requests.
Here you find our contact details.
14. CONTACT DETAILS AND INFORMATION
14.1 The contact details of The Group that are important for a Data Subject:
(1) Regarding Personal Data issues, The Group can be contacted by e-mail data@nordica.ee.
(2) The Data Protection Officer of The Group is Annika Talve who can be contacted by e-mail data@nordica.ee.
Here you find information on the validity of and amendments to the Privacy Policy.
15. OTHER TERMS AND CONDITIONS
15.1 The Group will be entitled to unilaterally amend this Privacy Policy. The Group shall inform Data Subjects about amendments on the website of The Group, by e-mail or by other means.
15.2 The latest amendments and entry into force of the Privacy Policy: 16 June 2022