Privacy Policy
Euro Creative Tours (U.K.) Ltd (hereinafter referred to as “the Company”) provides this privacy statement to describe how we may collect, use, share and otherwise process your personal information, as an employee of one of our corporate clients or another individual to whom we offer our services – travel, events and related products and services.
Processing of Personal Data in GDPR
The Company processes and protects customers’ personal data as follows, pursuant to the General Data Protection Regulation (hereinafter referred to as “GDPR”) and the JAL Group’s Basic Policies for Information Security and Personal Data Protection.
1. Protection and Management of Personal Data
The Company properly manages and protects customers’ personal data pursuant to the JAL Group’s Basic Policies for Information Security and Personal Data Protection.
2. Personal Data Controller and Data Protection Officer
(1) Personal Data Controller
Standon House, 21 Mansell Street, London E1 8AA
Email: pdc@ectuk.com
(2) Data Protection Officer
Japan Airlines Group Data Protection Officer
2-4-11 Higashi-Shinagawa, Shinagawa-ku, Tokyo, 140-8637
Email: dpo@jal.com
3. Purpose and Legal Basis for Processing Personal Data
The Company properly processes customers’ personal data within the scope of the following purposes:
No. | Purpose of Processing | Legal Basis |
1 | Booking transportation services (reservations, sales, check-in, airport handling, etc., including solidarity transportation, joint undertakings, code sharing, and consigned transportation, etc., in addition to normal transportation) | Contract performance |
2 | Provision of other products and services | Contract performance |
3 | Announcing and informing of products, services, events, and campaigns, etc., and conducting surveys | Legitimate interests |
4 | Sales analysis and other surveys/research, development of new services and products | Legitimate interests |
5 | Work incidental or relating to 1-4 above, responding to inquiries, etc. | Contract performance, Legitimate interests |
4. Personal Data Categories
The Company processes customers’ personal data necessary for the purposes stated in “3. Purpose and Legal Basis for Processing Personal Data”. Such personal data includes:
· Basic Data
Name, address, contact details (telephone number, email address), gender, date of birth, country/region of residence, passport number, credit card number, employer, etc.
· Data for Making Reservations and Itineraries
Reservation information (flight name, etc.), itinerary information, copy of eTicket, EMD, (online) check-in, fellow passengers, incidental services (upgrades, additional baggage, etc.), etc.
· Communications Data
Records of communications with the Company (records of responses to questions submitted via email or web inquiry forms, etc. Where necessary, records may be kept of questions or complaints, etc. received at airport counters or when boarding)
· Data Collected from Websites and Apps, etc.
Where a customer requests the company’s services for arrangement of travel, airline tickets and hotels or other services via a third party such as another airline company, some of the above-stated personal data may be collected from such third party. This policy also applies to personal data collected in such a way.
· Collection and Use of Sensitive Personal Data
The company may collect and use sensitive personal data on customers upon arrangement of travel, airline tickets, hotels or other services. The collection and use of such sensitive personal data is limited to cases in which customers request special arrangements for travel, airline tickets, hotels or other services, and such data is not used for any other purpose.
(Examples of Processing Sensitive Personal Data)
- Where requesting escort from check-in counter to departure gates for passengers that use a wheelchair or are visually impaired.
- Where requesting to be lent medical oxygen bottles or permission to carry on a medical oxygen bottle.
- When a pregnant passenger requests to board a flight within 28 days of the date she is due to give birth.
Where a customer requests a special in-flight meal, etc., data may be processed that is not sensitive personal data but may indicate a customer’s religious beliefs or state of health.
Customers have the right to withdraw consent for the processing of sensitive personal data. Customers wishing to withdraw consent should contact the counter at which they applied for the service. It may not be possible to provide all or some services if consent is withdrawn.
5. Refusals to Provide Personal Data
The provision of personal data on customers is necessary for customers to be provided with services by the company (air transportation services, land arrangements, visa applications, etc.). The company may not be able to provide a service in whole or in part if personal data is not provided.
6. Legitimate Interests
The company has a legitimate business interest in the use of the personal data it collects to provide effective services and to perform its operations as a travel agent or tour operator.
7. Disclosure and Provision of Personal Data to other Companies
- The company discloses and provides customers’ personal data to JAL Group companies to achieve the purposes stated in “3. Purpose and Legal Basis for Processing Personal Data”.
Refer to the following website for details on group companies.
JAL Group Information
http://www.jal.com/ja/outline/group_category/
- Customers’ data may be disclosed or provided to affiliated airlines or companies entrusted with ground handling and check-in operations to provide air transportation services such as when using code sharing flights or connecting flights, and to achieve purposes such as mileage registration.
- Where required by law, customer data relating to reservations and itineraries (including passport, visa, and API data) may be submitted to the tax authorities or immigration bureaus in the customers’ departure country, arrival country, transited countries or stopover countries.
- Customers’ personal data may be disclosed or provided to authorities or recipients prescribed in laws and regulations where necessary to comply with EU law or the laws and regulations of members of the EU/EEA.
8. Transfer of Personal Data to Non-EU Third Countries
The company may transfer customers’ personal data from within the EU/EEA to non-EU/EEA countries and regions where customers have requested ECT to arrange travel, airline tickets, hotels or other services, in order to achieve the purposes stated in “3. Purpose and Legal Basis for Processing Personal Data”.
In such case, except when the European Commission determines that the country or region has secured data protection at an adequate level, in principle, customers’ personal data is transferred after executing standard data protection clauses as an appropriate protection measure in accordance with the provisions of the GDPR and the laws and regulations of EU/EEA member states.
Contact the inquiries desk stated in “12. Inquiries” with questions, etc. regarding the above stated protection measures.
9. Management of Personal Data
The company retains customers’ personal data for the period necessary to achieve the purposes stated in “3. Purpose and Legal Basis for Processing Personal Data”. Records such as reservation records and ticket information are normally retained for a maximum of three years.
Furthermore, records concerning contracts and invoices are retained for the period necessary to meet legal obligations. If it is necessary for the establishment, exercise or defence of legal claims, we may keep personal data for a longer period.
Data collected during communication with customers (customer service records, records of emails received, etc.) is retained for the period necessary to provide even better services to customers.
10. How to Request Disclosure, etc. and Make Inquiries
When a data subject or his or her representative makes a request concerning personal data retained by the company, the Company shall respond as follows in accordance with GDPR:
· Disclosure
The Company discloses retained personal data that identifies the data subject. (The Company will inform the data subject to such effect if there is no retained personal data that identifies the data subject.) However, in any of the following cases, the Company may notify the data subject of the reason and refuse to disclose data in whole or in part.
- Where the data subject’s or a third party’s life, health, property, or other rights or interests are likely to be harmed
- Where the proper implementation of the company’s operations is likely to be hindered
- Where disclosure will violate laws and regulations
· Rectifications
Where requested to rectify or make additions (hereinafter referred to as “Rectification, etc.”) to retained personal data because the retained personal data that identifies the data subject is incorrect, unless special procedures are prescribed in the provisions of laws and regulations regarding the Rectification, etc. of such details, the Company shall conduct necessary investigations without delay within the scope necessary to achieve the purpose of processing. The Company shall notify the data subject of the details without delay when all or a part of the retained personal data is Rectified, etc. as a result. The data subject shall be notified of such effect, outlining the grounds, if a decision is made not to carry out Rectification, etc.
· Erasure
Where requested to erase retained personal data that identifies the data subject, the Company shall conduct necessary checks without delay, such as whether the personal data is necessary in light of the purpose of processing. The Company shall notify the data subject of the details without delay when all or a part of the retained personal data is erased as a result. The data subject shall be notified of such effect, outlining the grounds, if a decision is made not to carry out erasure.
· Suspension of Use, etc.
Where requested to suspend use, erase, or suspend provision to a third party (hereinafter referred to as “Suspension of Use, etc.”) of retained personal data, and when there are found to be grounds for such a request, the Company shall Suspend Use, etc. of such retained personal data without delay, to the extent necessary; provided, however, that where Suspension of Use, etc. of such retained personal data requires a considerable expense, or where Suspension of Use, etc. is otherwise difficult, the Company may substitute Suspension of Use, etc. with alternative measures necessary to protect the rights and interests of the data subject. The Company shall notify the data subject of such effect without delay when it has Suspended Use, etc. of all or a part of the retained personal data. The data subject shall be notified of such effect, outlining the grounds, if a decision is made not to carry out Suspension of Use, etc.
· Data Portability
Where legal requirements are fulfilled, the Company shall provide personal data provided by data subjects in a structured, commonly used and machine-readable format. Furthermore, where technically possible, personal data provided by data subjects shall be transmitted to other data controllers. The data subject shall be notified of such effect, outlining the grounds, if a decision is made not to provide or transmit personal data.
· Procedure for Making Requests
If a customer wishes to make a request regarding the items listed above, they should use the contact information indicated in “12. Inquiries”, where the customer will be informed of the necessary procedure. In such case, the procedure will be carried out without delay as set out under the law after identity verification. An explanation will be given when part or all of the customer’s request cannot be complied with.
11. Protect and Store your Information
We maintain reasonable administrative, technical, and physical security measures to protect your information from unauthorized access and use.
All the personal information collected is recorded in a secure database. Any payment instruction details will be encrypted, all aspects of which comply with the Payment Card Industry (PCI) security standards.
Please note that unless encrypted, email messages sent via the internet may not be secure and could be intercepted and read by somebody else. Please bear this in mind when deciding whether to include personal or sensitive information in any email messages you intend to send.
12. Complaints Concerning Personal Data
- Customers have the right to lodge an objection to the processing of their personal data retained by the company if legal requirements are fulfilled concerning a particular situation. Where an objection is lodged and such objection fulfils legal requirements, the company shall delete or suspend use of retained personal data in whole or in part, and notify the data subject of such effect without delay.
Where objections are lodged regarding direct marketing, the company shall promptly suspend such direct marketing and notify the data subject of such effect without delay. The data subject shall be notified of such effect, outlining the grounds, if a decision is made not to carry out Suspension of Use, etc. due to the lodging of an objection.
- Customers have the right to make complaints concerning the processing of their personal data, against the EU/EEA member country in which the customer lives or works, or EU/EEA member countries’ supervisory authorities that have engaged in illegal conduct. Contact each supervisory authority concerning specific complaint procedures, etc.
13. Inquiries
Inquiries concerning the company’s protection of customers’ personal data should be sent to:
Personal Data Controller
Euro Creative Tours (U.K.) Ltd
4th Floor, Standon House, 21 Mansell Street, London E1 8AA
Email: pdc@ectuk.com
Phone: 0207 850 4407