- Data Protection Officer
The operation of the BCRs is the responsibility of the Data Protection Officer. If there is a question as to the interpretation, implementation or applicability of the BCRs, RJ staff shall seek the advice of the Data Protection Officer prior to conducting any relevant Processing.
- Data Protection Authority
For the purposes of compliance with the GDPR, RJ has selected the United Kingdom Information Commissioner’s Office (“ICO”) as its Supervisory Authority.
- Applicable law being implemented by the BCRs
The BCRs implement the obligations created by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”).
RJ is committed to interpreting the terms of the BCRs according to the GDPR and relevant guidance from the European Commission and the ICO.
- ARTICLE 2: DEFINITIONS
“Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
“Data Protection Officer” means the person appointed by RJ to oversee the observance of applicable data laws by Staff (including Processors), and to oversee the implementation of RJ’s data compliance policies
“Data Subject” means an identified or identifiable natural person
“European Economic Area” means the area of the 28 European Union Member States and Iceland, Liechtenstein and Norway where the European Economic Area treaty of 1 January 1994 applies
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”), as such may be amended or modified
“Legitimate Purpose” means the authorised ground for collecting and processing Personal Data set out in Article 5 of these BCRs
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
“RJ Group” means Alia – The Royal Jordanian Airlines plc (Royal Jordanian), Royal Wings Co., LTD., Royal Tours and Tikram For Airport Services PSC.
“Sensitive Personal Data” means Personal Data that reveals a Data Subject’s racial or ethnic origin; political opinions or membership of political parties or organisations; religious or philosophical beliefs; membership of a professional or trade organisation or union; physical or mental health or condition, including disabilities; sexual orientation; criminal record; or social security numbers issued by state or public authorities
“Staff” means all RJ employees (including temporary or permanent staff) as of the Effective Date, who Process Personal Data as part of their duties or responsibilities using RJ data systems or working primarily from RJ premises. For the purposes of these BCRs, consultants hired to work for RJ are Staff.
“Third Party” means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to Process Personal Data
- ARTICLE 3: DATA SECURITY
3.1 Staff shall take appropriate, commercially reasonable measures to protect Personal Data from misuse or accidental, unlawful or unauthorised destruction, erasure, loss, alteration, modification, disclosure, acquisition or access.
(a) Staff access
- Staff shall have access to Personal Data only to the extent necessary to serve the applicable business purpose and to perform their tasks.
- Staff who have access to Personal Data shall meet their confidentiality obligations as specified by their contract and by RJ staff guidelines and policies.
- ARTICLE 4: DATA QUALITY AND PROPORTIONALITY
4.1 Processing of Personal Data shall be restricted to data that is reasonably adequate for and relevant to the applicable Legitimate Purpose. It should be accurate, complete and kept up-to-date to the extent reasonably necessary for the applicable Legitimate Purpose.
RJ shall take reasonable steps to securely delete or destroy Personal Data that is not required for the applicable Legitimate Purpose.
Personal Data shall be held only:
(b) For as long as necessary to serve the applicable Legitimate Purpose;
(c) For as long as necessary to comply with an applicable legal requirement; or
(d) For as long as necessary in light of any applicable statute of limitations.
Promptly after the relevant retention period has ended, the Personal Data shall be treated in the following alternative ways:
(a) It shall be securely deleted or destroyed; or
(b) It shall be pseudonymised in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, and that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed or attributable to an identified or identifiable natural person; or
(c) It shall be transferred to an Archive (unless this is prohibited by applicable local law or an applicable RJ records retention schedule).
- The Data Subject shall be required to inform RJ if Personal Data they have provided are inaccurate, incomplete or outdated and RJ shall rectify the data in accordance with Article 10.
- ARTICLE 5: AUTHORISED PURPOSES FOR PROCESSING PERSONAL DATA
Personal Data shall be collected, used, transferred or otherwise Processed for one or more of the following purposes:
(a) RJ business purposes; or
(b) RJ management purposes.
Compliant purposes for the Processing of Personal Data necessary for RJ Business purposes include:
(a) The conclusion and execution of agreements with customers, suppliers and business partners (including providing customer services and the purchasing of goods and/or services);
(b) Recording and financially settling the delivery of services, products and materials to and from RJ;
(c) Conducting marketing activities and promotions;
(d) Finance and accounting management;
(e) Research and development;
(f) Internal management and control;
(g) Fulfilling obligations under laws and regulations, including conducting relations with government and regulatory agencies; and
(h) Transactions involving alliances, ventures, mergers, acquisitions, and divestitures.
- 5.2 RJ Management Purposes
Compliant purposes for the Processing of Personal Data necessary for RJ management purposes include:
(a) Internal management, such as Processing necessary for managing company assets, conducting internal audits and investigations, and implementing business controls;
(b) Internal management, such as Processing necessary for implementing RJ health, safety and security policy, including the protection of RJ and RJ Staff assets; authenticating customers, suppliers or business partners for status and access rights;
(c) Internal management, such as Processing necessary for complying with legal obligations; and
(d) Internal management, such as Processing necessary to protect the vital interests of the Data Subject or of another natural person.
- 5.3 Consent
RJ shall ensure that whenever Personal Data is Processed, at least one of the following applies:
(a) The Data Subject has given Consent to the processing of his or her personal data for one or more specific purposes;
(b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) Processing is necessary for compliance with a legal obligation to which RJ is subject;
(d) Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
(e) Processing is necessary for the purposes of the legitimate interests pursued by RJ, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- 5.4 Denial or Withdrawal of Consent
Since a Data Subject may deny or withdraw Consent at any time, Processing by RJ will be discontinued unless RJ has taken action that relies on Consent that has previously been given. In this latter case RJ shall discontinue Processing as soon as reasonably practical.