BINDING CORPORATE RULES: ROYAL JORDANIAN AIRLINES
Royal Jordanian Data Protection Officer
Alia – The Royal Jordanian Airline Plc (Royal Jordanian)
Mohammad Ali Janah Street.
P.O Box 302 Amman
Version #1: [24 MAY 2018]
Alia- The Royal Jordanian Airlines Plc (hereinafter “Royal Jordanian” or “RJ”) sets out in this document its Binding Corporate Rules (the “BCRs”) that express its commitment to the protection of the Personal Data of RJ Customers, Suppliers and Business Partners. Their objective is to provide adequate protection for the transfers and processing of personal data by RJ staff and entities in the RJ, its companies, subsidiaries, affiliates and any other entity under its ownership or control.
The BCRs explain how this commitment is implemented by the RJ Group throughout its operations. They specifically set out RJ’s approach to transfers of Personal Data between entities in the RJ Group and apply to RJ’s operations worldwide.
The BCRs are communicated to all RJ employees and are published on the external RJ website accessible at www.RJ.com.
The BCRs apply to all Personal Data of employees, customers, suppliers, contractors and other natural persons in the European Economic Area (“EEA”), collected and used by RJ.
They specifically set out RJ’s approach to transfers of Personal Data between entities in the RJ Group.
For the privacy rules applicable to the personal data of RJ Employees in EEA, please refer to the Employee Privacy Notice.
1.2 Effective Date
The BCRs enter into force on 25 May 2018 (the “Effective Date”). The RJ BCRs supersede all prior RJ privacy policies and notices that exist on the Effective Date to the extent they cover the same issues or conflict with the BCRs.
1.3 Implementation of the BCRs
The operation of the BCRs are the responsibility of the Data Protection Officer. If there is a question as to the interpretation, implementation or applicability of the BCRs, RJ staff shall seek the advice of the Data Protection Officer prior to conducting any relevant Processing.
For the purposes of compliance with the GDPR, RJ has selected the United Kingdom Information Commissioner’s Office (“ICO”) as its Supervisory Authority.
The BCRs implement the obligations created by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”).
RJ is committed to interpret the terms of the BCRs according to the GDPR and relevant guidance from the European Commission and the ICO.
“Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
“Data Protection Officer” means the person appointed by RJ to oversee the observance of applicable data laws by Staff (including Processors), and to oversee the implementation of RJ’s data compliance policies
“Data Subject” means an identified or identifiable natural person
“European Economic Area” means the area of the 28 European Union Member States and Iceland, Liechtenstein and Norway where the European Economic Area treaty of 1 January 1994 applies
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”), as such may be amended or modified
“Legitimate Purpose” means the authorised ground for collecting and processing Personal Data set out in Article 5 of these BCRs
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
“RJ Group” means Alia – The Royal Jordanian Airlines plc (Royal Jordanian), Royal Wings Co., LTD., Royal Tours and Tikram For Airport Services PSC.
“Sensitive Personal Data” means Personal Data that reveals a Data Subject’s racial or ethnic origin; political opinions or membership of political parties or organisations; religious or philosophical beliefs; membership of a professional or trade organisation or union; physical or mental health or condition, including disabilities; sexual orientation; criminal record; or social security numbers issued by state or public authorities
“Staff” means all RJ employees (including temporary or permanent staff) as of the Effective Date, who Process Personal Data as part of their duties or responsibilities using RJ data systems or working primarily from RJ premises. For the purposes of these BCRs, consultants hired to work for RJ are Staff.
“Third Party” means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to Process Personal Data
(a) Staff access
Personal Data shall be held only:
(b) For as long as necessary to serve the applicable Legitimate Purpose;
(c) For as long as necessary to comply with an applicable legal requirement; or
(d) For as long as necessary in light of any applicable statute of limitations.
Promptly after the relevant retention period has ended, the Personal Data shall be treated in the following alternative ways
(a) It shall be securely deleted or destroyed; or
(b) It shall be pseudonymised in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, and that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed or attributable to an identified or identifiable natural person; or
(c) It shall be transferred to an Archive (unless this is prohibited by applicable local law or an applicable RJ records retention schedule).
Personal Data shall be collected, used, transferred or otherwise Processed for one or more of the following purposes:
(a) RJ business purposes; or
(b) RJ management purposes.
Compliant purposes for the Processing of Personal Data necessary for RJ Business purposes include:
(a) The conclusion and execution of agreements with customers, suppliers and business partners, (including providing customer services and the purchasing goods and/or services);
(b) Recording and financially settling the delivery of services, products and materials to and from RJ;
(c) Conducting marketing activities and promotions;
(d) Finance and accounting management;
(e) Research and development;
(f) Internal management and control;
(g) Fulfilling obligations under laws and regulations, including conducting relations with government and regulatory agencies; and
(h) Transactions involving alliances, ventures, mergers, acquisitions, and divestitures.
Compliant purposes for the Processing of Personal Data necessary for RJ management purposes include:
(a) Internal management, such as Processing necessary for managing company assets, conducting internal audits and investigations, and implementing business controls;
(b) Internal management, such as Processing necessary for implementing RJ health, safety and security policy, including the protection of RJ and RJ Staff assets; authenticating customers, suppliers or business partners for status and access rights
(c) Internal management, such as Processing necessary for complying with legal obligations; and
(d) Internal management, such as Processing necessary to protect the vital interests of the Data Subject or of another natural person.
RJ shall ensure that whenever Personal Data is Processed, at least one of the following applies:
(a) The Data Subject has given Consent to the processing of his or her personal data for one or more specific purposes;
(b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) Processing is necessary for compliance with a legal obligation to which the RJ is subject;
(d) Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
(e) Processing is necessary for the purposes of the legitimate interests pursued by RJ, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Since a Data Subject may deny or withdraw Consent at any time, Processing by RJ will be discontinued unless RJ has taken action that relies on Consent that has previously been given. In this latter case RJ shall discontinue Processing as soon as reasonably practical.
RJ shall Process Sensitive Personal Data only to the extent necessary to serve a Legitimate Purpose as permitted under applicable law.
In situations when Sensitive Data is Processed based on a legal requirement other than the local law applicable to the Processing, or based on the consent of the Data Subject, Processing will only occur either: (i) Upon obtaining the prior approval of the Data Protection Officer; or (ii) A privacy sub-policy governing the Processing.
6.1 Sensitive Data may be Processed under one or more of the following circumstances:
(a) Where the Data Subject has expressly consented to the Processing, including “opt-ins”;
(b) When providing services to the Data Subject providing the Sensitive Personal Data;
(c) Where the Data Subject providing the Sensitive Personal Data is voluntarily participating in a research project or service/product test;
(d) With regard to racial or ethnic data, where this is necessary to safeguard RJ’s or Staff’s assets, for site access and security reasons, and for the authentication of, inter alia, customer, supplier or business partner status and access rights, RJ may process photos and video images;
(e) With regard to genetic or biological data, where this is necessary to safeguard RJ’s or Staff’s assets, for site access and security reasons, and for the authentication of, inter alia, customer, supplier or business partner status and access rights;
(f) To prevent, detect or prosecute (including cooperating with public authorities) suspected fraud, breaches of contract, violations of law, or other breaches of the terms of access to RJ sites or assets;
(g) To establish, exercise or defend a legal claim;
(h) To protect the vital interest of the Data Subject or of another natural person, but only where it is impossible or impractical to obtain the relevant Consent first, (such as an accident requiring urgent action);
(i) Where this is required or necessary to comply with applicable law;
(j) Sensitive Data may only be processed for Secondary Purposes under the conditions set out in Article 7.
ARTICLE 7: LEGAL BASIS PROCESSING FOR OTHER PURPOSES THAN ORIGINAL PURPOSE
7.1 RJ shall generally only Process Personal Data for the purposes for which they were originally collected (“Original Purpose”).
7.2 Such data may be Processed for a secondary purpose than the Original Purpose (“Secondary Purpose”) where the Original and Secondary Purposes are closely linked.
7.3 The provisions of this Article apply to the Processing of Sensitive Data for a Secondary Purpose.
7.4 In Processing data for a Secondary Purpose, RJ shall conduct an impact assessment of the potential for harm to the Data Subject as a result of the Processing for a closely-linked Secondary Purpose, which shall assess the need for:
(a) Limiting access to the Personal Data;
(b) Implementing additional confidentiality and security measures;
(c) Informing the Data Subject about the Secondary Purpose, including providing an opt-out opportunity; and
(d) Obtaining the Data Subject’s Consent.
7.5 Permitted reasons for Processing Personal Data for Secondary Purposes, subject to clearance by the Data Protection Officer, are:
(a) Conducting internal audits or investigations;
(b) Implementing RJ business policy;
(c) Conducting statistical, historical or scientific research;
(d) Dispute resolution management and using legal or business consulting services;
(e) Insurance management; or
RJ shall limit the Processing of Personal Data to such data as is reasonably suitable for and relevant to the applicable Legitimate Purpose.
8.1 RJ shall retain Personal Data only:
(a) For the period required to address the applicable lawful purpose;
(b) To the extent reasonably necessary to comply with an applicable legal obligation or requirement;
(c) For as long as advisable in light of an applicable statute of limitations; and
(d) Without prejudice to the above, RJ may specify a time period for which certain categories of Personal Data will be kept (in an RJ notice or RJ records retention protocol).
RJ shall take reasonable technical and physical steps safely and securely to delete or destroy Personal Data that is not required or no longer required for the applicable lawful purpose.
Direct marketing shall be performed by RJ only with the consent of the targeted individual.
9.1 For the purpose of addressing direct marketing communications to existing or prospective customers, RJ shall do the following:
(a) Obtain the prior affirmative consent of the targeted individual (to the extent that this is required by law);
(b) Offer the individual the opportunity to choose not to receive such communications; and
(c) In every subsequent direct marketing communication that is made to such individuals, offer the opportunity to opt-out of further marketing communication.
RJ shall respect objections to marketing and if the targeted individual objects to receiving marketing communications from RJ, or withdraws consent to receive such communications, RJ shall cease sending further marketing materials as specifically requested by the individual and shall delete the individual’s Personal Data from its marketing data base (save under the conditions set out in Article 8).
RJ shall inform Data Subjects whose Personal Data is collected and processed by publishing a Privacy Notice which shall explain and provide information on:
10.1 The Legitimate Purposes for which Personal Data is Processed shall be Communicated to the Data Subject including the following Information:
RJ may use automated tools to make decisions about Data Subjects but decisions shall not be based solely on the results provided by this process.
11.1 This restriction does not apply if:
ARTICLE 12: SECURITY AND CONFIDENTIALITY
ARTICLE 13:RELATIONSHIPS WITH PROCESSORS THAT ARE MEMBERS OF THE GROUP
13.1 When transferring Personal Data to parties within the RJ Group, RJ shall transfer Personal Data only to the extent necessary to serve the Legitimate Purpose for which the Personal Data is Processed (this includes processing for purposes for which the Data Subject has provided consent or for Secondary Purposes in accordance with Articles 5 and 7, respectively).
13.2 RJ shall ensure that Personal Data shall be Processed within the RJ Group in compliance with the terms of the BCRs and that the data privacy interests of Data Subjects concerned are protected as required by the BCRs and applicable laws.
ARTICLE 14: RESTRICTIONS ON TRANSFERS AND ONWARD TRANSFERS TO EXTERNAL PROCESSORS AND CONTROLLERS (NOT MEMBERS OF THE GROUP)
14.1 When transferring Personal Data to parties not members of the RJ Group, a distinction shall be made between:
(a) Third Party Data Processors, namely parties that Process Personal Data solely on behalf of RJ and under RJ direction (e.g. Third Parties that Process passenger registration data on behalf of RJ); and
(b) Third Party Data Controllers, namely Third Parties that Process Personal Data and determine the purposes and methods of the Processing (e.g. RJ business partners that provide their own goods or services to Customers).
14.2 RJ shall transfer Personal Data to a Third Party only to the extent necessary to serve the Legitimate Purpose for which the Personal Data is Processed (including processing for Secondary Purposes or for purposes for which the Data Subject has provided consent in accordance with Article 5).
14.3 RJ shall ensure that Third Party Data Controllers (other than public authorities) can Process Personal Data obtained in connection with their relationship with RJ only if such Third Party Data Controllers have a written contract with RJ.
14.4 RJ shall ensure that the data privacy rights of Data Subjects concerned by such Processing are protected contractually.14.5
14.5 The transfer of business contact information may be made to a Third Party Data Controller without a contract if RJ take reasonable steps to ensure that such information will be used by the Third Party Data Controller to contact the Data Subject for legitimate business purposes related to that same Data Subject’s business or interests.
14.6 RJ shall not transfer, sell, lease, or offer for hire Business Contact Information in bulk to a Third Party Data Controller without consent except as permitted or required under applicable law and to the extent such transfer, sale, lease, or rent serves a Business Purpose (per Article 5.1).
14.7 Third Party Data Processor Contracts
Third Party Data Processors may Process Personal Data only if the Third Party Data Processor has a written contract with RJ which includes terms and conditions addressing the following:
Transfers of Personal Data to a Third Party located in a country that is not considered by the European Commission to provide an ‘adequate level of protection’ for Personal Data under Chapter V of the GDPR (“Non-Adequate territory”) shall only be made if the following conditions are satisfied:
14.9 Non-Adequate Territory Consent for Transfer
When seeking consent pursuant to Article 14.8(j), RJ shall provide the Data Subject with the following information:
14.10 Transfers between Non-Adequate Territories
Personal Data collected by RJ in the EEA and transferred to a Third Party located in a Non-Adequate territory may in turn be transferred to a second Third Party located in that same or another Non-Adequate territory only if the following conditions are met:
RJ shall provide training on the BCRs and other data privacy and data security obligations and best practices to staff who have access to Personal Data or who have responsibilities concerning the management of Personal Data.
RJ shall bear responsibility for auditing all RJ entities’ business processes and procedures involving the Processing of Personal Data to assess their compliance with the BCRs:
Non-compliance with the BCRs may result in disciplinary action and sanctions including termination of employment.
In a situation where a legal requirement to transfer Personal Data conflicts with the national laws of EEA Member States or other countries with legal requirements regarding cross-border data transfer, any relevant Personal Data transfer shall be authorised in advance by the Data Protection Officer. Where appropriate, guidance shall be requested from the ICO or other competent public authority.
18.2 Conflicts between the BCRs and Local Law
19.1 Data Subjects shall be entitled to submit a complaint regarding compliance with the BCRs:
19.2 Within one month of RJ receiving a complaint, the Data Protection Officer shall inform the complainant in writing either:
ARTICLE 20: LIABILITY OF RJ AND THIRD PARTY BENEFICIARY RIGHTS
20.1 RJ entities and Staff shall comply with the BCRs:
20.2 As maybe permitted by the GDPR, RJ customers, contractors and employees shall have the right to claim enforcement of the BCRs or liability as third party beneficiaries as set out in the BCRs in respect of:
As maybe permitted by the GDPR, RJ customers, contractors and employees shall have the right to claim appropriate compensation from RJ before the ICO or courts in accordance with the BCRs and applicable law. The enforcement rights and mechanisms described in this Article are in addition to other remedies or rights provided available under applicable law.
ARTICLE 21: OBLIGATIONS TOWARDS DATA PROTECTION AUTHORITIES
21.1 Obligations towards the ICO
21.2 Mutual Assistance and Cooperation with Data Protection Authorities
22.1 The BCRs shall only be amended with the prior approval of the Data Protection Officer.Where applicable, the Data Protection Officer shall obtain the authorisation of the ICO for any relevant changes to the BCRs.
22.2 No transfer of data shall be made to an RJ entity or Staff until the transfer is appropriately covered by the BCRs and relating compliance measures are in operation.
22.3 Any amendment shall only enter into force after it has been approved by the Data Protection Officer and published on the RJ website.
22.4 The Data Protection Officer shall be responsible for informing the ICO of significant changes to the BCRs on an annual basis.The Data Protection Officer shall inform the RJ Board of the advice, guidance or response of the ICO, if any.
22.5 Any request, complaint or claim involving the BCRs shall be determined by reference to the version of the BCRs that is in force at the time the request, complaint or claim is made.