Privacy Policy

2.1.  Personal data means any information about an individual from which that person can be identified. It does not include data which has been anonymised.

2.2. We will collect personal data from you when you visit our websites or interact with our social media platforms, buy a service or product from us for example by attending a course at our training centre, visit our airport, enter a competition, use our airport Wi-fi, make enquiries or otherwise provide us with your personal data.

2.3.  The categories of personal information we may collect for the purpose of managing your engagement with us as either a customer or website visitor include:-

2.3.1.  Contact Data: Your name and title, address, telephone number(s), personal e-mail address and any other contact details you may provide. If you are a corporate customer this could include the organisation you work for and details of your job title;

2.3.2.  Identification Data: Your internet protocol (IP) address and information regarding which website pages you accessed and when, and your car number plate when using NIAL's car parking facilities or drop off zone;

2.3.3. Video Surveillance Data:- We use CCTV, dash cams and body worn cameras to record data about individuals at NIAL sites;

2.3.4.  Marketing Data – We may collect information about your marketing preferences if we are entitled to send you marketing materials;

2.3.5. Skills and Qualifications Data: -if you attend a course at our training centre we will want to know what relevant qualifications, skills and experience you have to make sure the course is suitable for you and to enable us to meet the course objectives;

2.3.6. Attendance Data: information related to your attendance at a Training Course at our Training Centre including the course you took, and information relating to your attendance or performance at the course; and

2.3.7.  Health Data – if you attend a training course at our training centre we may need certain information about your health and medical history to make sure you are safe to undertake the course.

3.1. We will collect your personal information in the following ways:

3.1.1.  Information you give us. This is information (including Contact Data and Identification Data) you provide to us by: [visiting our website, booking parking, interactions on site if and when required]. Please note that your payment details are not held by us, this is collected by third‐party payment processors, who specialise in the secure online capture and processing of credit/debit card transactions, as explained below. We will also get some of this information by you corresponding with us (for example, by email or text or using social media messaging services)

3.1.2.   Information we observe. We will gather personal information about you through the monitoring of our systems including use of telephones and the internet, through the use of CCTV, and other video surveillance we use including dash cams, ANPR at our car parks, body worn cameras and other technologies.

3.1.3.  Information we create. If you attend a Training Course we will create information relating to your attendance at that course.

3.1.4.  Information given to us by third parties: If you fly a drone (also known as an unscrewed air system) within restricted airspace around the airport you are required to submit data about this operation in order to receive approval.  This is submitted through the NIAL website.  We will collect this data and contact you to discuss any intrusion of a drone registered in your name into our restricted airspace should this be necessary. This information can also be shared with the Police. If this data has not been submitted and there is an intrusion into our restricted airspace, we will pass the serial number of the drone to the police.

3.1.5.  Special Category Data: We may collect certain special category data about your physical health and/or medical condition if you require special assistance at NIAL sites or where you are participating in a training course at our Training Centre.

4.1.  We process your personal information for a variety of commercial purposes and will also process your personal information, including special category personal information where necessary for us to provide special assistance or comply with any statutory duties, to which we are subject.

4.2. In the table below, where we outline the lawful basis (processing condition) which we rely on to use your personal information, a number of bases are mentioned for processing personal information.  All data needs one of the "General" processing conditions. However, where we are processing special category data we also need one of the legal bases set out in the special category processing conditions. The key to the lawful bases is set out below the table.

4.3. The purposes for which we process your personal information and the lawful bases for such processing are as follows:

Why we use your personal information including type of data and any Special Category data we record	Type of data (please see above list of data types)	Lawful basis for processing (please see below for more information on legal bases)
Customer correspondence and engagement including social media, complaints and feedback;	Contact Data, Identification Data, Special Category Data	General: Legal obligation - the use of your personal information is necessary so that we are able to comply with aviation regulations in responding to complaints. Please note, many of the complaints or queries received are about services offered by our onsite partners.   Where this is the case, your complaint/query will be passed on to the relevant organisation. This will allow your complaint to be investigated and answered directly.   Legitimate interest – it is a legitimate interest of ours to keep various information about you which will allow us to respond to your correspondence and improve our service for you and others.   Special category data: Vital interests – we will process special category data where it is necessary to protect your vital interests and provide special assistance as required.
Management of our approach to and policies in respect of health and safety matters;	Video Surveillance Data	General: Legal Obligation – we have a number of legal obligations in respect of health and safety and will process your personal information in accordance with those obligations.
To provide car parking spaces at a date and time of your choosing;	Contact Data; Identification Data, Video Surveillance Data	General: Contract - the use of your personal information is necessary for the management and administration of your car parking service.   Legal Obligation – we have a number of legal obligations in respect of health and safety and will process your personal information in accordance with those obligations.
To provide customers with WIFI services;	Contact Data	General: Consent - When you initially provide us with your personal data, you will be provided with the opportunity to receive marketing communications from us. In doing so, you are providing us with your consent under Article 6 of the UK GDPR and the Privacy and Electronic Communications (EC Direction) Regulations 2003.   Legitimate interests – it's in our legitimate interests to make sure that your use of our network and systems does not compromise their security.  We will process your personal information in order to monitor our network and investigate any issues which arise.
Aviation safety	Contact Data, Identification Data	General: Legitimate Interests – If you fly a drone (also known as an unscrewed air system) within restricted airspace around the airport you are required to submit data about this operation in order to receive approval.  This is submitted through the NIAL website.  It is in our legitimate interests to collect this data and use it to contact you for public safety, aviation safety, health and safety, and for the commercial interests of NIAL . It is also a legitimate interest of ours to share this information with the Police for the purposes of the prevention of crime, public safety aviation safety and health and safety. If this data has not been submitted and there is an intrusion into our restricted airspace, it is in our legitimate interests to pass the serial number of the drone to the police.
Marketing purposes.	Contact Data, Identification Data, Marketing Data	General: Consent - If you have ticked the opt in box, we will send you electronic marketing information via your email address and via letter  based on the marketing preferences you've given to us.  This would include information about current and future flight destinations, airline offers, information about our airport partners, parking and shopping offers as well as advice on how to prepare for your journey through the airport.
Course administration and promotion	Contact Data, Identification Data, Skills and Qualification Data, Attendance Data, Health Data, Marketing Data	General Consent - If you have ticked the opt in box, we will send you electronic marketing information via your email address and via letter  based on the marketing preferences you've given to us..  This would include information about current and future training courses. We may also contact you to ask your permission to use your name or image on social media and elsewhere to promote the courses we run. Contract – if you or your organisation has paid for us to provide a course we will need to process your Contact Data, identification Data, Skills and Qualification Data and Attendance Data in order to fulfil our contractual obligations to the organisation who is paying for the course. Legal Obligation We need to gather certain Attendance Data and Health Data about your attendance at our Training Centre to fulfil our obligations under health and safety laws Vital interests We may need to process certain Health Data about you if a serious medical issue arises while you are participating in a Training Course Legitimate Interests It is in our legitimate interests to defend legal claims that may arise out of your participation in our Training Courses.  This will include sharing your Contact Data, identification Data, Attendance Data and Health Data with our insurers and solicitors Special category data:  Explicit Consent Where you attend a course in order to participate in certain activities it may be necessary tor you to provide certain Health Data so that we can make sure your participation in the activities is safe.

 

4.4.   Data protection laws require us to have a general data processing condition (such as consent, or processing required by law) for processing data.  However, if the data is special category data (such as data relating to racial or ethnic origin or health data) we need an additional processing condition which reflects the increased privacy requirement of such data.  The above table sets out the lawful basis for processing for various activities and indicates both the general data bases and the special category bases we rely on when we process your data.

4.4.1. The general data bases we use to process personal data are Consent: your consent to one or more specific purposes.  We will set out the basis for consent in a consent notice or in some other form of notice where it is clear we are asking for your consent.  Where we do not get your consent, we will not use your data for that purpose;

4.4.2.   Contract - in order to enter into any contract we may have with you and to meet our obligations under that contract;

4.4.3.  Legitimate interests: we’ve identified this type of processing is a legitimate interest of ours or a third party; we consider that use of your personal information is necessary to achieve that legitimate interest; and we’ve balanced all that against your interests, rights and freedoms.  We set out more detail on our legitimate interest processing below at section 4.6

4.4.4. Vital interests: we are entitled to process certain personal data to protect your vital interests.  This might happen if you have a serious medical issue while attending the airport.

4.4.5.   Legal obligation - we’re required by law to process this data.

4.5. The Special Category Data bases we use to process personal data are:

4.5.1.  Explicit consent - your explicit consent to one or more specific purposes;

4.6.  Our Legitimate Interests

4.6.1.   We sometimes process personal information on the basis that it is in our legitimate interests to do so. The occasions where we will rely on legitimate interests as our processing condition are set out above. The legitimate interests are as follows:

4.6.1.1.  To maintain up to date information about you -  we sometimes gather data about you which is useful for building a complete view of your NIAL airport and website use. Although some of this data is not strictly required by law, it is nevertheless useful to us and we consider it in our legitimate interest of running a successful, profitable business.

4.6.1.2.   Network and information security – we will monitor our network and your use of it.  It is a legitimate interest of ours to make sure that your use of our network and systems does not compromise our information security.

4.6.1.3.  To procure insurance policies and to respond to and defend legal claims – it is in our legitimate interests to use your personal information where necessary in the purchase of insurance policies and to respond to and defend legal claims.

4.6.1.4.  To respond to notifications that drones have flown in restricted airspace around the airport – it is in our legitimate interests to use personal data about you to contact you where you have flown a drone within the restricted airspace around the airport.

We will keep the personal information we store about you accurate and up to date. We will take every reasonable step to erase or rectify inaccurate data without delay. Please tell us if your personal details change or if you become aware of any inaccuracies in the personal information we hold about you. We will contact you annually to check your details are still up-to-date. We will also contact you if we become aware of any event which is likely to result in a change to your personal information.

We will not keep your personal information for longer than is necessary for the purpose(s) for which we process it. This means that information will be destroyed or erased from our systems when it is no longer required. For guidance on how long certain information is likely to be kept before being destroyed, contact the Data Protection Officer, or by email at [email protected]. For further information on the retention of your personal information, please contact the Data Protection Officer.

7.1.  You have the right to:

7.1.1.  Request access to any personal information we hold about you:

7.1.1.1.  You have a right to access a copy of your own personal information.  We try to respond to all requests within one (1) calendar month. Occasionally, it may take us longer than a month if your request is particularly complex or if you have made a number of requests. In this case, we will notify you and keep you updated.

7.1.1.2.  We will request information from you in order to help us confirm your identity and ensure you have a right to access the personal information you have requested to see. This is a security measure to ensure that we do not disclose personal information to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request.

7.1.1.3.  You will normally not have to pay a fee to access your personal information. However, we may charge a reasonable fee if your request is clearly unfounded or excessive (particularly where requests are repetitive). Alternatively, if your request is clearly unfounded or excessive we may refuse to comply with your request.

7.1.2.  Require us to rectify any personal information which we hold about you which is inaccurate.

7.1.2.1. Rectification enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

7.1.3.  Have personal information erased, in certain circumstances.

7.1.3.1.  This right enables you to have your data erased (the so-called "right to be forgotten").  The right relates only to personal information we hold at the time you make the request.  There are also some important restrictions on this right.

7.1.3.2. The right to have personal information erased applies where:-

7.1.3.2.1.  our use of your personal information is no longer necessary for the purpose for which we gathered it.  Most of the personal information we hold about you in the course of your engagement with NIAL is needed by us to manage you as site visitor, passenger, website user or course delegate.  However, we will review the information we hold about you if you ask us to erase it, to check we need all of the information we hold;

7.1.3.2.2.  we have relied on consent as the basis for processing and you withdraw your consent;

7.1.3.2.3.  we are processing your personal information on the basis of legitimate interests unless we have an overriding interest to continue the processing;

7.1.3.2.4.  we are processing your personal information unlawfully;

7.1.3.2.5. we have to do it to comply with a legal obligation.

7.1.3.3.   The right to erasure does not apply in certain circumstances including where:

7.1.3.3.1.   we have to process the personal information to comply with a legal obligation; or

7.1.3.3.2.  where we use the personal information to carry a task in the public interest such as where we are investigating fraud or preventing or detecting other unlawful acts.

7.1.4.   Have the processing of your personal information restricted, in certain circumstances.

7.1.4.1.  This enables you to ask us to suspend the processing of your personal information in the following scenarios:

7.1.4.1.1.   if you want us to establish the information's accuracy;

7.1.4.1.2.   where our use of the information is unlawful but you do not want us to erase it;

7.1.4.1.3.   where you need us to hold the information, even if we no longer require it as you need it to establish, exercise or defend legal claims; or

7.1.4.1.4.  you have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.

7.1.5.  In certain circumstances, be provided with the personal information that you have supplied to us, in a portable format that can be transmitted to another controller without hindrance.

7.1.5.1.  We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you

7.1.6.  Object to certain types of processing, including legitimate interests based processing and automated processing (which includes profiling)

7.1.6.1. where we are processing it on the basis of legitimate interests and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your interests, fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your interests, rights and freedoms or that the processing is required for the establishment, exercise or defence of legal claims.

7.1.7.   The right to withdraw consent

7.1.7.1.  If we are processing any of your personal information based on you having given us consent to do so, you have the right to withdraw that consent at any time. However, this will not affect the lawfulness of any processing we may have undertaken based on your consent before it is withdrawn.

7.1.8.  In certain circumstances, the right not to be subject to a decision that is based solely on automated processing which produces a legal effect or which has a similar significant effect for you.

7.1.8.1.  For information, we will not use any automated decision-making in our processing of your personal information for the purposes of your on-going employment with us other than the profiling we undertake in respect of the emails you send from your work email address and the websites you visit while using your work log-in.

7.2. If you wish to exercise any of the rights set out above, you must make the request in writing to the Data Protection Officer, email address [email protected].

7.3.  If you provided your consent to any of the processing of your personal information, you have the right to withdraw your consent to that processing at any time, where relevant. Please contact the Data Protection Officer if you wish to do so.

8.1. Keeping your data secure is important to us. We use reasonable and up to date security methods to keep your personal information secure and to prevent unauthorised or unlawful access to your personal information, and against the accidental loss of, or damage to, personal information.

8.2. We have in place procedures and technologies to maintain the security of all personal information from the point of collection to the point of destruction. These include adhering to various security standards, including physical and technological protection, data encryption, patching and software update management, management of access rights, vulnerability scanning and penetration testing, network configuration and monitoring. We will ensure your personal information is only accessible by those who need to see your information for their specific role. We will only transfer personal information to a third party if that third party agrees to comply with those procedures and policies, or if they put in place adequate measures themselves.

8.3. Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal information.

9.1.  Our employees who need to access your data will view it in order that we can manage your engagement with us and comply with our legal and statutory duties. All of our employees have been trained in data protection and understand the need to keep your information confidential.

9.2.  In addition to our employees, we also use service providers who may process personal information on our behalf (for example by passing details to The Chauntry Corporation Limited). Apart from our employees and service providers, we will not disclose your personal information to a third party without your consent unless we are satisfied that they are legally entitled to the data. Where we do disclose your personal information to a third party, we will put in place arrangements to make sure your information is well protected and processed strictly in accordance with data protection laws.

9.3. We may disclose your personal information to third parties:

9.3.1.   in the event that we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets;

9.3.2.   if we or substantially all of our assets are acquired by a third party, in which case personal information held by us will be one of the transferred assets; and

9.3.3.  if we are under a duty to disclose or share your personal information in order to comply with legal obligations or to protect our rights, property, or safety of our customers, suppliers or other employees. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

9.4. If your personal information is provided to any third parties, you are entitled to request details of the recipients of your personal information or the categories of recipients of your personal information .

10.1.  We will not transfer your personal information outside the UK unless such transfer is compliant with the UK GDPR. This means that we cannot transfer any of your personal information outside the UK unless:

10.1.1.the UK government has decided that another country or international organisation ensures an adequate level of protection for your personal information; or

10.1.2.  the transfer of your personal information is subject to appropriate safeguards, which may include:

10.1.2.1.  binding corporate rules; or

10.1.2.2.  the International Data Transfer Agreement or the UK Addendum.

10.1.3. one of the derogations in the UK GDPR applies (including if you explicitly consent to the proposed transfer).

If you consider that we have not complied with data protection laws in respect of personal information about yourself or others, you should raise the matter with our Data Protection Officer, email address [email protected]. Any breach of the UK GDPR will be taken seriously.

If you have any issues with our processing of your personal information and would like to make a complaint, you may contact the Information Commissioner's Office on 0303 123 1113 or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.