The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will supersede the current Data Protection Act 1998.
Flight Solutions International Limited (‘Flight Solutions’) are committed to address EU data protection requirements, and will comply with applicable GDPR regulations as a data processor when they take effect on 25th May 2018.
As such, we are reviewing (and updating where necessary) relevant internal processes, procedures, data systems and documentation to ensure that we are compliant when GDPR comes into force.
What Personal Data do we process?
Flight Solutions International Limited provides passenger and baggage processing capabilities and solutions to airports, airlines and handlers. Each day we process passenger information behalf of these airports, airlines, handlers and border control agencies.
Passengers are legally obliged to provide certain information to airports, airlines and border control agencies when travelling by air. Our solutions are used to capture, process, transfer and store this passenger information.
We have no necessity to collect and process users' personal information beyond what is required for the functioning of our solutions on behalf of our customers.
What does this mean for our customers?
The GDPR applies to ‘controllers’ and ‘processors’.
A controller determines the purposes and means of processing personal data. Customers who use our products and solutions are controllers.
A processor is responsible for processing personal data on behalf of a controller. Flight Solutions is a processor.
Under the new legislation, our customers (the ‘controllers’) are liable for their compliance with the GDPR and must only appoint ‘processors’ who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.
Our customers can be assured that Flight Solutions will be compliant with the GDPR when it comes into effect.
As well as the ongoing compliance activities detailed below, Flight Solutions is registered with the Information Commissioner’s Office (ICO), to demonstrate our commitment to visibility and transparency in data processing.
All our systems are developed to industry standards and guidelines for passenger data collection and processing, and we have considered and integrated data protection and privacy by design into our product design and processing activities.
What are we doing to ensure compliance?
- We have appointed a Data Protection Lead to oversee GDPR activities.
- We are reviewing and revising current security and privacy processes.
- We are reviewing and revising current contracts with third parties & customers to meet the requirements of the GDPR.
- We are identifying and documenting the Personally Identifiable Information (PII)/Personal Data that is being processed and/or collecting using our systems.
- We are analysing how this information is being processed, stored, retained and deleted through Data Protection Impact Assessments (DPIAs) of all our systems.
- We are establishing procedures to respond to data subjects when they exercise their rights, and for data breach notification activities.
What should our customers do to be GDPR ready?
The GDPR makes written contracts between controllers and processors a general requirement.
Contracts between controllers and processors ensure that they both understand their obligations, responsibilities and liabilities. They help them to comply with the GDPR, and help controllers to demonstrate their compliance with the GDPR.
Flight Solutions are working towards a standardised GDPR Contract template, based on what the GDPR sets out as needing to be included in the contract. This will include the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller.