We take care of the security of your data

The personal data we provide to different entities is one of the most important values for each of us. Each person has the right to privacy, a matter protected by law. The recent development of information technologies (computer networks, the Internet, mobile telephony, cloud computing, etc.) has increased the importance of personal data protection, leading to changes in legal regulations. Below you will find basic information on the new data protection regulations introduced by the Regulation on Personal Data Protection, the so-called “GDPR”.

1. What is GDPR?
The GDPR refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

2. What is the purpose of GDPR?
The GDPR directly and comprehensively regulates personal data protection in the European Union. The intent of the document was to reduce the diversity of regulations between Member States. The GDPR brings new solutions and strengthens existing requirements. It also introduces many new rights for individuals and responsibilities for Controllers. Important! You do not need to contact us additionally because of the GDPR; just read the information available on this page.

3. Since when will GDPR apply?
The new provisions will apply in all EU Member States from 25 May 2018.

4. What is personal data?
Personal data is any information relating to an identified or identifiable natural person. Personal data is e.g. full name, email address, address, telephone number.

5. Who is the data subject?
The data subject is the natural person to whom the personal data refers. For example, a web shop customer, an employee, a self-employed person, a bank account holder.

6. What is personal data processing?
Personal data processing shall mean any operation or set of operations performed upon personal data or sets of personal data by automatic or non-automated means, for example collecting, recording, organising, storing, sending, viewing, using, deleting or destroying.

7. Who is the Controller?
The Controller (personal data controller) is the entity that determines the purposes and means of the processing of personal data, i.e. decides how and why personal data is processed.

8. Who is the Processor?
Processor means the natural or legal person who processes personal data on behalf of the Controller. The Processor may only process personal data on the basis of a written agreement which imposes certain mandatory conditions on the Processor as set out in the GDPR.

Information concerning the processing of personal data by Port Lotniczy Wrocław S.A.

Port Lotniczy Wrocław S.A. informs you about the manner and purpose for which we process personal data and ensures the application of the provisions on the processing of personal data in accordance with Article 13(1-2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”).

Contact details of the Controller:
The Controller of your data is Port Lotniczy Spółka Akcyjna, with its registered office in Wrocław at ul. Graniczna 190, registered in the District Court for Wrocław-Fabryczna, VI Economic Department of the National Court Register under KRS [National Court Register] number 0000086071, NIP [Tax ID No.]: 8960006282. Share capital PLN 206,830,000 (paid in full). You can contact the Controller at the e-mail address: [email protected], or by phone at the number: (71) 35 81 100, as well as in person at the Controller’s premises.

Purpose of data processing and legal basis.
Your personal data is collected depending on the situation. We collect and process the data only to the extent necessary to achieve the purposes for which it was collected. We obtain and process your personal data for the following purposes:

  1. Conclusion and performance of a binding agreement (legal basis: Article 6(1)(b) of the GDPR) for the provision of services ordered electronically (Parking, Fast Track, Executive Lounge), for the duration of the agreement and settlements after its completion,
  2. Providing the newsletter service based on your consent. The legal basis for such processing is Article 6(1)(a) of the GDPR (Newsletter),
  3. Compliance with our legal obligations (legal basis: Article 6(1)(c) of the GDPR), e.g.:
    a) issue and storage of invoices and accounting documents,
    b) provision of service and responding to complaints within the time limits and in the form provided by law,
    c) acceptance of notifications within the framework of the Security Management System at Wrocław Airport SA,
    d) implementation of the National Civil Aviation Security Programme and the National Quality Control Programme,
    e) issuance of passes,
    f) monitoring,
  4. In our legitimate interest (legal basis: Article 6(1)(f) of the GDPR), e.g.:
    a) to send direct marketing offers,
    b) to compile summaries, analyses and statistics for the duration of the agreement, and thereafter for no longer than the period after which the claims become time-barred,
    c) to monitor, improve and respond to the quality of service,
    d) Executive Lounge Service,
    e) VIP PASS Services,
    f) to answer questions and requests,
    g) business contacts – in order to invite to a meeting organised by the Controller, or to contact for the implementation of the concluded agreement,
    h) to contact via social networks.

We would also like to inform you that when you browse the Wrocław Airport website we may also collect the Internet protocol address and browser type of the device used to access it, but none of this information is used to identify you.

Data storage period
Your personal data will be stored for different periods of time depending on the legal basis of the processing:

  1. personal data is stored by the Controller for the period necessary to achieve the purpose for which it has been collected, and after this purpose has been fulfilled, in accordance with the deadlines resulting from the provisions of law,
  2. monitoring data will be automatically deleted after one month,
  3. when processing your data for the purpose of taking action before the conclusion of an agreement and in connection with the performance of an agreement to which you are a party, your personal data will be stored for the period necessary for the performance of the agreement and after that period in accordance with the deadlines resulting from the provisions of law,
  4. we will store the data processed for the purpose of asserting claims or defending rights for the duration of the statute of limitations on claims resulting from the provisions of law,
  5. data processed on the basis of consent will be stored until it is voluntarily withdrawn. However, the withdrawal of consent shall not affect the lawfulness of processing carried out on the basis of consent before it is withdrawn,
  6. data processed on the basis of the legitimate interest of the Controller will be processed until you object to such processing.

Recipients of personal data
The Controller may be obliged to provide your personal data to the following entities in accordance with the applicable law: Civil Aviation Office, Border Guard, Police, courts, Tax Office.

Your data may also be accessed by entities with which the Controller cooperates, as well as the Controller’s subcontractors, such as: IT companies providing services for the Controller, loyalty program operators, entities conducting postal or courier activities.

Requirement to provide personal data
Where data is processed on the basis of consent, the provision of data is voluntary. If you do not provide the data, the Controller will not be able to provide the newsletter service.

In some cases, the obligation to provide personal data results from provisions of law such as the Act of 3 July 2002 on the Aviation Law and the Regulation of the Minister of Transport, Construction and Maritime Economy of 31 July 2012 on the National Civil Aviation Security Programme. Where the Controller is fulfilling legal obligations incumbent on it, providing data is a statutory requirement.

In the case of providing services on the basis of an agreement, providing personal data is necessary for the performance of the agreement to which you are a party. Failure to make the data available will make it impossible to use the services offered by the Controller.

Rights of the data subjects
In connection with the processing of your personal data by the Controller, you have the following rights:

  1. Right of access to data – using this right you have the opportunity to obtain information about what data we process, how and for what purpose.
  2. Right of rectification (correction of data) – you can report to us the need to correct incorrect data or to complete data due to an error in data collection or processing.
  3. Right to delete data – in the cases provided for by law (e.g. unjustified processing, the data is no longer necessary for the purpose for which it was collected, withdrawal of consent) you have the possibility to request the deletion of data. If the request is justifiable, we will delete the data immediately.
  4. Right to restrict processing – using this right, you can request a restriction of the processing of your data, e.g. if the correctness of the data processed is questioned. If the request is justifiable, we can only store data. The unlocking of processing may take place once the conditions justifying the restriction have been fulfilled.
  5. In the case of data processed on the basis of a legitimate interest of the Controller, you have the right to object – you have the right to object at any time for reasons relating to your specific situation to the processing for the purposes of direct marketing (including profiling) as well as to the processing of your personal data by us if the use of the data is based on our legitimate interest.
  6. For data processed on the basis of consent, you have the right to withdraw your consent – you can withdraw your consent at any time. For this purpose, please contact us by e-mail. The withdrawal of consent does not affect the lawfulness of the processing of your data before the withdrawal of consent.
  7. Right to transfer data – with this right, you have the opportunity for us to transfer your data directly to another Controller, as well as to receive a copy of your data in a structured, machine-readable format so that you can transfer your data yourself to another Controller.

The scope of each of these rights and the situations in which they may be exercised are determined by the provisions of law. Which rights you may exercise will depend, for example, on the legal basis for our use of your data and the purpose of processing. In order to exercise your rights, you may contact the Controller personally or send a request to the Controller’s address by post or e-mail. The Controller shall, without undue delay, and in any case within one month from the date of receipt of the request, notify the data subject of the measures taken to exercise these rights. If necessary, this period may be extended by another two months due to the complexity of the request or the number of requests. Within one month from the receipt of the request, the Controller shall inform the data subject about such an extension of the deadline, giving the reasons for the delay.

Right to lodge a complaint
If you believe that your data is being processed in violation of the law, you have the right to lodge a complaint with the President of the Personal Data Protection Office.

Automated decision making including profiling
Your personal data will not be transferred to a third country outside the European Economic Area.

Transfer of personal data outside the EEA
Your personal data will not be transferred to a third country outside the European Economic Area.

Protection of personal data
The Controller processes your data using all technical and organisational measures necessary to ensure the security of the data. The Controller has implemented and is implementing appropriate technical and organisational measures to protect the personal data being processed, in particular to protect the data against unauthorised access, removal by unauthorised persons, loss and alteration, damage or destruction. Persons employed by the Controller and persons through whom the Controller performs tasks related to airport management are obliged to keep personal data confidential.