Skylegs Data Processing Policy 08 May 2024
Hi, welcome to Skylegs! We are glad you use our Platform (as defined below), helping aircraft operators and pilots with efficient resource planning, administration and sales. Within the context of the performance thereof, Skylegs shall have access to personal data and/or will have to process these personal data, for which the Customer is responsible as ‘controller’ in accordance with (i) the Belgian Privacy Act of 30 July 2018 regarding the protection of privacy in relation to the processing of personal data and/or (ii) the General Data Protection Regulation (GDPR) of 27 April 2016 (‘the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC’), (iii) the UK Protection Act 2018, (iv) the Swiss Federal Act on Data Protection 2023 (FADP) and (v) all (future) Belgian laws regarding the implementation of the aforementioned Regulation (hereinafter referred to as the “Privacy Legislation”). By concluding an agreement with Skylegs (hereinafter referred to as the “Agreement”), you accept the processing of personal data within Skylegs Platform as set out in this Data Processing Policy (hereinafter referred to as the “Policy”).
Please read this policy carefully, as this will inform you about the legal responsibilities of both Parties with regard to the processing of personal data and the security measures that need to be adopted in order to ensure the personal data is processed in accordance with the relevant Privacy Legislation.
1 DEFINITIONS
In this Policy, the following concepts have the meaning described in this article (when written with a capital letter):
Assignment: All activities, performed by Skylegs for the Customer, and any other form of cooperation whereby Skylegs Processes Personal Data for the Customer, regardless of the legal nature of the agreement under which this Processing takes place;
Controller: The entity, which determines the purposes and means of the Processing of Personal Data, meaning the Client as defined in the Agreement;
Data Subject: An identified or identifiable natural person where an identifiable natural person should be considered one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Data Breach: Unauthorized disclosure, access, abuse, loss, theft or accidental or unlawful destruction of Personal Data, which are processed by Skylegs on behalf of the Customer;
Data Importer: The recipient of personal data/processor of Skylegs in a third country, which is not subject to an adequacy decision of the European Commission;
Personal Data: Any information relating to an identified or identifiable natural person (i.e. Data Subject);
Platform: The online application of Skylegs which offers an integration of various services that ensure a more efficient administration regarding the flight operation of its customers. It facilitates amongst others the following modules: schedule, operations, training, sales and finance, safety, compliance, maintenance, pilot logbook, system and electronic flight bag.
Processor: The entity which Processes Personal Data on behalf of the Controller;
Process/Processing: Any operation or set of operations which is performed upon Personal Data or sets of Personal Data, including but not limited to: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data;
Services: All services, provided by Skylegs to the Customer with respect to the Platform (such as but not limited to support and maintenance);
Skylegs: The company Skylegs BV, incorporated and existing under the laws of Belgium, with registered office at BE- Luchthavenlei 7A, 2100 Deurne, with VAT/company number BE-0535.618.954;
Sub-processor: Any Processor engaged by Skylegs.
The Policy includes the following annexes:
Annex I: Overview of (i) the Personal Data, which Parties expect to be subject of the Processing, (ii) the use (i.e. the way(s) of Processing) of the Personal Data, (iii) the goals and means of such Processing and (iv) the term(s) during which the (different types of) Personal Data shall be stored;
Annex II: Overview and description of the security measures taken by Skylegs.
2 ROLES OF THE PARTIES
2.1 Parties acknowledge and agree that with regard to the Processing of Personal Data as instructed by the Customer, the Customer shall be considered ‘Controller’ and Skylegs ‘Processor’. Further, Skylegs is allowed to engage Sub-processor(s) pursuant to the requirements set forth in Article 6.
3 USE OF THE PLATFORM AND/OR THE SERVICES
3.1 The Customer acknowledges explicitly that:
✔ Skylegs purely acts as a facilitator of the Platform and/or the Services. Hence, the Customer shall be solely responsible on how and to what extent he/she makes use of the Platform and/or the Services as well as for all Personal Data collected through the Platform;
✔ As a result of the use of the Platform, a number of integrations shall automatically be made through the application programming interface (‘API’). All other integrations offered by Skylegs are optional and shall only be made upon explicit request of the Customer;
✔ It is responsible for the material and/or data provided by the Data Subject. The Customer is, as Controller, thus responsible for complying with the Privacy Legislation and/or any other regulations with regard to aforementioned material and/or data;
3.2 The Customer shall avoid any misuse of the Services. In case of misuse by the Customer of the Platform and/or the Services, the Customer agrees that Skylegs can never be held liable in this respect nor for any damage that would occur from such misuse.
3.3 The Customer therefore undertakes to safeguard Skylegs when such misuse would occur as well as for any claim from a Data Subject and/or third party due to such misuse.
4 OBJECT
4.1 Customer acknowledges that as a consequence of making use of the Platform and/or the Services of Skylegs, the latter shall Process Personal Data as collected by the Customer.
4.2 Skylegs shall always Process the Personal Data in a proper and careful way and in accordance with the Privacy Legislation and other applicable rules concerning the Processing of Personal Data.
More specifically, Skylegs shall – during the performance of the Assignment – provide all its know-how in order to perform the Assignment according to the rules of art, as it fits a specialized and ‘good’ processor.
4.3 Nonetheless, Skylegs shall only Process the Personal Data upon request of the Customer and in accordance with its instructions, as described in Annex I, unless any legislation states otherwise.
4.4 The Customer, as Controller, owns and retains full control concerning (i) how Personal Data must be Processed by Skylegs, (ii) the types of Personal Data Processed, (iii) the purpose of Processing and (iv) the fact whether such Processing is proportionate (non-limitative).
Moreover, the Customer shall be solely responsible to comply with all (legal) obligations in its capacity as Controller (such as but not limited to the retention period) and shall have the sole responsibility for the accuracy, quality, and legality of the Personal Data, entered into the Platform, and the means by which it acquired such Personal Data.
The responsibility and control concerning the Personal Data shall thus never be vested in Skylegs.
5 SECURITY OF PROCESSING
Skylegs takes the security of the Processing activities very seriously. Taking into account the state of the art, Skylegs implements appropriate technical and organizational measures for the protection of (i) Personal Data – including protection against careless, improper, unauthorized or unlawful use and/or Processing and against accidental loss, destruction or damage – (ii) the confidentiality and integrity of Personal Data, as set forth in Annex II.
6 SUB-PROCESSORS
6.1 The Customer acknowledges and agrees that Skylegs may engage third-party Sub-processors in connection with the Assignment. In such case, Skylegs shall ensure that the Sub-processors are at least bound by the same obligations by which Skylegs is bound under this Policy.
6.2 Skylegs undertakes to make two (2) lists available on its Platform concerning the Sub-processors on which it appeals for the performance of the Assignment:
✔ A list of Sub-processors on which Skylegs always appeals since these interfaces are standard (cfr. Article 3.1);
✔ A list of optional Sub-processors on which Skylegs solely appeals if the Customer has selected these interfaces (cfr. Article 3.1).
Such list shall include the identities of those Sub-processors and their country of location.
6.3 Skylegs undertakes to inform the Customer of any intended change to the aforementioned list (e.g. adding or replacing a Sub-processor) by adding a ‘recently changed’ section to that list.
6.4 Without prejudice to Article 6.3, the Customer is entitled to oppose a new Sub-processor appointed by Skylegs in case it concerns a Sub-Processor of a standard interface.
If the Customer wishes to exercise its right to object, the Customer shall notify Skylegs in writing and in a reasoned manner by the latest within ten (10) days upon receipt of Skylegs’s notice (cfr. Article 6.3).
6.5 In the event the Customer objects to a new Sub-processor and such objection is well founded, Skylegs will use reasonable efforts to (i) make available to the Customer a change in the Platform and/or the Services or (ii) recommend a commercially reasonable change to the Customer’s configuration or use of the Platform and/or the Services to avoid Processing of Personal Data by the objected new Sub-processor without unreasonably burdening the Customer.
If Skylegs is, however, unable to make available such change within a reasonable period of time (which shall not exceed thirty (30) days following the objection of the Customer), the Customer may terminate the Agreement with Skylegs on the condition that:
✔ The Platform cannot be used by the Customer without appealing to the objected new Sub-processor; and/or
✔ Such termination solely concerns the Services which cannot be provided by Skylegs without appealing to the objected new Sub-processor;
And this by providing written notice thereof to Skylegs within a reasonable time.
6.6 Skylegs takes responsibility for the acts and omissions of its Sub-processors to the same extent as if it would be performing the Services itself, directly under the terms of this Policy.
7 DATA PROTECTION OFFICER
7.1 Skylegs has appointed a data protection officer: Harald Denolf
7.2 The appointed data protection officer may be reached at: dpo@skylegs.com
8 TRANSFER OF PERSONAL DATA OUTSIDE THE EEA
8.1 Skylegs assures the Customer that a transfer of personal data to a third country or international organization shall always be subject to (i) an adequacy decision by the Commission or (ii) one of the following safeguards:
– Closing a data transfer agreement with the third country recipient, which shall contain valid standard contractual clauses (‘SCC’), as adopted by the European Commission. Before the transfer takes place, the Data Importer has to guarantee to Skylegs that an adequate level of privacy compliance is ensured in this third party country; and/or;
– Binding corporate rules. As it is the case for standard contractual clauses, the Data Importer has to guarantee to Skylegs that an adequate level of privacy compliance is ensured in the third party country; and/or;
– Certification mechanisms.
8.2 Every transfer to a third country or international organization, not recognized by an adequacy decision, is subject to an assessment by Skylegs to determine if there is anything in the law and/or practices in force of said third country that may infringe on the effectiveness of the appropriate safeguards in place (as identified above).
Where required on the basis of aforementioned assessment, Skylegs shall identify and implement appropriate supplementary measures to govern any data transfer to such international organization or a third country without adequacy decision to ensure the level of data protection as required by EU law.
Furthermore, Skylegs shall take all reasonable efforts to oblige the Data Importer to implement sufficient guarantees and measures to protect the Personal Data and ensure the effectiveness of the protection of the SCC’s, binding corporate rules and/or certification mechanisms.
8.3 In case of non-compliance by a Data Importer or where protections in the third country are not adequate, Skylegs shall – at its sole discretion – either:
– Suspend the transfer of Personal Data to the Data Importer / such third country until the issue has been solved; or,
– Terminate the transfer of Personal Data to the Data Importer / such third country and request the Data Importer to delete the Personal Data in its possession.
9 CONFIDENTIALITY
9.1 Skylegs shall maintain the Personal Data confidential and thus not disclose nor transfer any Personal Data to third parties, without the prior permission of the Customer, unless when such disclosure and/or announcement is required by law or by a court or other government decision (of any kind). In such case Skylegs shall, prior to any disclosure and/or announcement, inform you in full transparency on the scope and manner thereof.
9.2 Skylegs shall ensure that its personnel, engaged in the performance of the Agreement, are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Skylegs shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
9.3 Skylegs shall ensure that its access to Personal Data is limited to such personnel performing the Assignment in accordance with the Policy.
9.4 The Customer acknowledges the login information to be strictly personal and ensures not to share this information with any third parties.
10 NOTIFICATION
10.1 Skylegs shall use its best efforts to inform the Customer within a reasonable term when it:
✔ Receives a request for information, a subpoena or a request for inspection or audit from a competent public authority in relation to the Processing of Personal Data;
✔ Has the intention to disclose Personal Data to a competent public authority;
✔ Determines or reasonably suspects a Data Breach has occurred in relation to the Personal Data.
10.2 In case of a Data Breach, Skylegs:
✔ Notifies the Customer without undue delay (and within 48 hours) after becoming aware of a Data Breach and shall provide – to the extent possible – assistance to the Customer with respect to its reporting obligation under the Privacy Legislation;
✔ Likewise notifies Swiss (or Swiss-based) Customers and, in addition, notifies the Swiss Federal Data Protection and Information Commissioner, in accordance with the Swiss FADP 2023.
✔ Undertakes – as soon as reasonably possible – to take appropriate remedial actions to make an end to the Data Breach and to prevent and/or limit any future Data Breach.
11 RIGHTS OF DATA SUBJECTS
11.1 To the extent the Customer – in its use of the Platform and/or the Services – does not have the ability to correct, amend, block or delete Personal Data, as required by Privacy Legislation, Skylegs shall – to the extent it is legally permitted to do so – comply with any commercially reasonable request by the Customer to facilitate such actions.
To the extent legally permitted, the Customer shall be responsible for any costs arising from Skylegs’s provision of such assistance.
11.2 Skylegs shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that Data Subject’s Personal Data. Skylegs shall, however, not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to the Customer, to which the Customer hereby agrees.
Skylegs shall provide the Customer with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent the Customer does not have access to such Personal Data through its use of the Platform and/or the Services.
To the extent legally permitted, the Customer shall be responsible for any costs arising from Skylegs’s provision of such assistance.
12 LIABILITY
12.1 Parties are each individually liable towards authorized supervisory authorities and/or Data Subjects for claims and/or fines that are the result of their own breach of or non-compliance with (i) the provisions of this Policy, and (ii) the Privacy Legislation or other applicable rules concerning personal data. Skylegs and the Customer indemnify each other in this regard.
12.2 The liability of Skylegs for a breach of this Policy is limited as described in the applicable contractual documentation (i.e. the General Terms & Conditions).
13 RETURN AND DELETION OF PERSONAL DATA
13.1 Upon termination of the Assignment and/or termination of the Agreement, Skylegs shall notify the Customer that it has the possibility during a term, as mentioned in such notification, to export the Personal Data from the Platform through the available export tools.
13.2 Once the aforementioned term regarding export has passed, Skylegs shall permanently delete the Personal Data resp. anonymize the Personal Data.
14 CONTROL
14.1 Skylegs undertakes to provide the Customer with all information, required by the Customer to allow verification whether Skylegs complies with the provisions of this Policy.
14.2 In this respect Skylegs shall allow the Customer (or a third party on which the Customer appeals) to undertake inspections – such as but not limited to an audit – and to provide the necessary assistance thereto to the Customer or that third party.
15 UPDATES
15.1 This Policy may be updated from time to time by Skylegs, in which case Skylegs shall notify you through the Platform or Skylegs’s website. In any event, the latest version of this Policy can always be accessed on the Platform and Skylegs’s website.
15.2 You can find our archived Policy here: [hyperlink]
16 MISCELLANEOUS
16.1 The Policy lasts as long as the Agreement has not come to an end. The provisions of this Policy shall apply to the extent necessary for the completion of this agreement and to the extent intended to survive the end of this agreement (such as but not limited to Article 9 and 17).
16.2 If one or more provisions of this agreement are found to be invalid, illegal or unenforceable, in whole or in part, the remainder of that provision and of this agreement shall remain in full force and effect as if such invalid, illegal or unenforceable provision had never been contained herein. Moreover, in such event, Parties shall negotiate to replace the invalid provision by an equivalent provision in accordance with the spirit of this agreement. If Parties do not reach an agreement, then the competent court may mitigate the invalid provision to what is (legally) permitted.
16.3 Deviations, alterations and/or additions to this Policy shall only be valid and binding to the extent that they have been accepted in writing by both parties.
16.4 This Policy and the corresponding rights and obligations that exist in respect of the Parties, cannot be transferred, directly or indirectly, without the prior written consent of the other party.
16.5 (Repeatedly) non-enforcement by a party or by both parties of any right or provision of this Policy, can only be regarded as a toleration of a certain state, and does not lead to forfeiture
16.6 With the exception of the service agreement, this Policy prevails over any other agreement between the parties.
17 APPLICABLE LAW AND JURISDICTION
17.1 All issues, questions and disputes concerning the validity, interpretation, enforcement, performance or termination of this Policy shall be governed by and construed in accordance with Belgian law, without giving effect to any other choice of law or conflict-of-laws rules or provisions (Belgian, foreign or international) that would cause the laws of any country other than Belgium to be applicable.
17.2 Any dispute concerning the validity, interpretation, enforcement, performance or termination of this Policy shall be submitted to the exclusive jurisdiction of the courts of Skylegs’s registered office.
Annex I: Overview of Personal Data
- Overview of the Personal Data, which Parties expect to Process
Standard user:
- Name
- IP
- E-mail address
- User Agent
- Language
- Nationality
- Residence Address
Optional user:
- ICE (In Case of Emergency) contact details
- Phone number
- Passport details
- Picture
- Social security number
- Flight details
- Aviation Medical details
- (Pilot) Certifications
Standard Passengers:
- Name
- Language
- Nationality
Optional Passenger:
- E-mail address
- Weight
- Residence Address
- Passport details
- Food allergies and preferences (for passengers)
- The use (= way(s) of Processing) of Personal Data and the means and purposes of Processing:
Use of Personal Data:
- Retention in the Platform
- Processing
Means of Processing:
- Through Skylegs’s developed software
- Interfaces (underlined handle personal data):
- Included interfaces selected by the Customer:
AC-U-KWIK: Airport data download.
Eurocontrol: Flight plan download.
Jetex: Schedule and services upload with passenger data per flight. Services download.
PnrGo: Schedule upload with passenger data per flight.
Pulsar: Crew schedule upload.
Streamlane: Schedule upload with passenger data per flight.
- Add-on and usage-based interfaces selected by the Customer:
Air Support PPS and CrewBriefing: Schedule upload with basic crew details and flight package download.
Aviapages: Flight time calculation download and schedule upload.
Avinode: Schedule upload and flight request download.
CAMP: Post flight data upload and next due item download.
Cockpit-IT: Schedule upload and post flight data download.
DeliSky: Catering request upload with basic crew details.
FlightBridge: Schedule upload with basic crew details.
FlyEasy: Empty leg upload with basic crew details.
ForeFlight: Schedule upload with basic crew details. Flight package and post flight data download.
GetJet: Empty leg upload with basic crew details.
Google Data Studio: Organisation’s data into graphics, reports and dashboards.
JSSI: Post flight data upload.
L3Harris: Post flight data upload with basic crew details.
MRX Systems: Post flight data upload with basic crew details.
Moove: Schedule download with passenger data per flight.
My Handling: Handling request upload with basic crew and passenger details.
MySky: Schedule upload.
OSTicket: Handling request upload optionally with basic crew and passenger details.
Paxfiles.com: Schedule upload with passenger data per flight.
Portside: Post flight data upload with basic crew details.
Microsoft Power BI: data upload from all modules across the Skylegs’ Platform with basic crew and passenger details.
Regula: Travel document reader/scanner with essential passenger details. Data stays within the Skylegs cloud.
RocketRoute: Schedule upload with basic crew details. Flight package and post flight data download.
Scandlearn: Crew training record and file download.
VOO: Schedule upload and download with passenger details.
Zendesk: Basic user data upload.
- Via custom integrations with Customer’s back-end system
Purpose of Processing:
- Authentication and logging
- Scheduling
- Crew status
- Communication
- Timeline
- Aircraft status
- Passenger declaration
- Operations
- Airport categorisation
- Record keeping
- Live flight plan data
- Document control
- Training
- Qualification record keeping
- Qualification control
- Audit gallery
- Schedule training
- Sales
- Client resource management
- Manage requests
- Create and send quotes
- Manage products
- Reporting
- Finance
- Invoicing
- Reporting
- Safety
- Integrated occurrence reporting
- Investigations
- Compliance
- Audits
- Findings
- Maintenance
- Maintenance program
- Manage DDL lists
- Pilot logbook
- Digital logbook
- Personal licences
- Flight map
- Statistics
- System
- Dashboard
- Notification system
- Configuration
- Electronic flight bag
- Paperless cockpit flying
- Manage EFB
- Pilot app
- Passenger app
- Custom integrations selected by the Customer (the purpose of Processing of such integrations shall depend on the integrations selected)
- The term(s) during which the (different types of) Personal Data shall be stored:
Skylegs shall retain all Personal Data as long as the Assignment is not terminated (and the Data Subject did not request deletion).
Once the Assignment is terminated, Skylegs shall retain all Personal Data as long as legally required (e.g. flight logs).
All Personal Data shall be kept at least a month, to enable the Customer to export its data.
When the retention period expires, all Personal Data shall be permanently deleted, or at least anonymized.
Annex II – Description of security measures
This document entails the technical and organizational security measures implemented by Skylegs in support of its (Processing) activities, as set forth by the Privacy Legislation.
Data protection
We use TLS (indicated by the lock next to the URL in the browser) to transfer data from the server to the client and the other way around.
All EBS volumes used by the Kubernetes cluster are encrypted both at rest and in transit. Application-related keys and tokens are stored using Kubernetes secrets.
Next to security, privacy is one of our main concerns. We are compliant with EU GDPR legislation.
Access Protection
Our Kubernetes-managed servers, in cluster/container form, run on Linux in Amazon EC2 data centers and are maintained on the latest versions of the operating system. Access to these servers is only possible via specific ports. It is a simple and robust firewall which locks the entire infrastructure from the outside, only allowing specific connections. These connections are continuously monitored.
Data storage and back-up (how and when)
Using AWS RDS, we have Point in Time Recovery enabled, which allows us to restore data from any previous moment up to 14 days back. We also have daily automated RDS snapshot creation and a manual backup that is uploaded to S3. To cope with the 0.00000001% chance of losing data, and in case Amazon were to stop its service, we have a physical back-up server at the Skylegs office which syncs one-to-one with the Amazon S3 file server. All data on this server is stored encrypted. See https://aws.amazon.com/s3/faqs/#data-protection for more details about durability.
System reliability and resilience
The Database has automatic failover enabled and is deployed in multiple availability zones within AWS (Ireland and Frankfurt); backups are taken as described above. The Kubernetes cluster is deployed across two availability zones and has daily backups enabled for both the cluster itself (uploaded to S3) and all attached EBS volumes (EBS snapshots).
Our DevOps team follows CI/CD practices which result in zero downtime during updates of the Platform. Monitoring is provided by dedicated monitoring tools like Grafana and New Relic.