Last revised: November 03, 2020
General Data Protection Regulation (GDPR) – means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
Personal data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Controller- means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Supervisory authority means an independent public authority which is competent in the field of monitoring compliance with GDPR pursuant to Article 51 GDPR;
Victoury platform – online travel booking platform, developed by GLOBUS SOFTWARE DEVELOPMENT CIE at the request of VICTOURY BVBA, made available to travel agencies;
Terms in this policy that have not been defined above will be interpreted in accordance with the GDPR unless they are given a distinct meaning.
VICTOURY BVBA, as a Controller, processes the personal data of the representatives of customers, partners and other persons who interact with the company and/or are the final beneficiaries of the Victoury Platform.
Our contractual partner GLOBUS SOFTWARE DEVELOPMENT CIE acts as Processor for the development and administration of the Victoury platform.
This policy describes how personal data should be processed, in accordance with the GDPR, the principles of personal data processing, as well as the rights and obligations of employees involved in the process of processing personal data.
- Compliance with the GDPR and good practices regarding the protection of personal data;
- Protection of the rights of the data subjects;
- Transparency on how personal data is protected;
- Protection against risks of breach of security of personal data.
This policy applies to:
- Management both of VICTOURY BVBA and GLOBUS SOFTWARE DEVELOPMENT CIE;
- To all employees involved in the administration of the Victoury platform;
- To all persons with whom the company is in contractual relations regarding the use of the Victoury platform.
Principles of personal data processing
Personal data are:
- Processed legally, fairly and transparently to the data subject;
- Collected for specific, explicit and legitimate purposes and are not subsequently processed in a manner incompatible with these purposes;
- Appropriate, relevant and limited to what is necessary for relation to the purposes for which they are processed;
- Accurate and updated in time;
- Retained in a form that allows the identification of the data subjects for a period not exceeding the period necessary to fulfill the purposes for which the data are processed;
- Processed in a manner that ensures the adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures.
Types of personal data processed
Depending on the processing activities, VICTOURY BVBA processes the following types of data:
In order to contract the services, it processes the data of the representatives of the travel agencies and of the suppliers in the field:
- Forename, surname;
- E-mail address;
- Telephone number;
- Data regarding the conduct of the activities through the Victoury platform;
- For the activity of maintenance, support, solution of possible difficulties, optimisations and technical assistance, it has access to the data of the final beneficiaries of the Victoury Platform (clients of travel agencies), as follows:
- Title, forename, surname;
- Date of birth;
- Place of birth;
- Preferred language;
- Telephone number;
- E-mail address;
- Declared address;
- Level of skills for specific cases (for example, diving);
- Passport data;
- Data about travel (reserved destination, period, etc.);
- Other data of the profile (for example, VIP/Blacklister, health data, culinary preferences or other data relevant to the provision of customised services according to customer needs).
Legal basis of the processing
Mainly, at the level of VICTOURY BVBA, personal data processing operations are performed based on the contract concluded with travel agencies. In this regard, the legal basis is usually the conclusion, respectively the execution of contracts.
As a Processor authorised by VICTOURY BVBA, GLOBUS SOFTWARE DEVELOPMENT CIE will have access to the personal data entered on the Victoury platform in order to fulfil its contractual obligations.
The personal data will be disclosed or, where appropriate, transferred, in accordance with the principles of the GDPR, on the basis of the legal grounds applicable depending on the situation and only under conditions that ensure full confidentiality and security of data, to categories of recipients as well as state authorities empowered with control tasks in the financial field as well as service providers: Intercom (instant chat platform), Hetzner (server hosting company), Google (email provider), Mailchimp (newsletter service provider).
Technical and organisational measures taken to protect data
In order to comply with the requirements of the GDPR VICTOURY BVBA has implemented a series of technical and organisational measures that provide a high level of confidentiality and protection of personal data. Thus, among the measures are:
- Secure registration;
- Application monitoring;
- Data back-up solutions;
- Adoption of internal procedures such as: Business Continuity Plan, Disaster Recovery Plan;
- Restricting the physical access to the personnel data;
- Security solutions: Firewall, IPS/IDS, inspections to detect hostile activity, data encryption, complex passwords;
- System updates;
- Choosing service providers that comply with the GDPR;
Each employee involved in the administration of the VICTOURY PLATFORM is responsible, in accordance with his/her duties, for the protection of personal data. Moreover, the following persons carry out specific tasks:
I. Controller’s Management – is responsible for the compliance of the Victoury Platform with GDPR
II. Processor’s Management – provides sufficient guarantees at the organizational level that the requirements of the GDPR are respected and the rights of data subjects are protected; acts only on the basis of instructions received from the Controller;
III. The persons with responsibilities in the field of data protection:
- Informing and advising the organization as well as the employees involved in the processing of their obligations under the GDPR
- Informing the Management in a timely manner about all aspects of data protection (eg risks);
- Regular updating of the procedures and policies for the protection of personal data;
- Initiate and monitor the training of employees in the field of personal data protection;
- Providing on-demand advice on data protection impact assessment and monitoring of its operation;
- Cooperation with Supervisory Authorities – contact point regarding processing issues;
- Solving the requests of the data subjects, when they refer to the exercise of a right provided by the GDPR.
Rights of the data subject
Any data subject may exercise the following rights, as provided by the GDPR:
- The right of access;
- The right of rectification;
- The right to delete, after the expiry of the storage period or once the initial purpose of the processing has been reached;
- The right to restrict processing;
- The right to portability;
- The right to oppose processing;
- The right not to be the subject of a decision based solely on automatic processing, including profiling.
- The right to address complaints to concerned Supervisory authorities and courts;
Transparency of information
VICTOURY BVBA aims to inform all data subjects that their personal data are being processed and that they are aware of:
- The mode and type of data processing;
- Purposes and legal grounds for processing:
- Exercise of rights in connection with processing.
Any request for information on the processing of personal data or the exercise of the rights provided by the GDPR will be sent to the person with responsibilities in the field of data protection, who can be contacted at the e-mail address: firstname.lastname@example.org