Privacy Policy

GENERAL DATA PROTECTION REGULATION – AIRBORNE SERVICES LTD
1. OUR DETAILS
This website is owned and operated by Airborne Services Ltd
We are registered in England and Wales under registration number 03145135, and our registered office is at
One The Centre, The High Street, Gillingham, Dorset, SP8 4AB
Our principal place of business is at Airborne Services Ltd, Henstridge Airfield, Templecombe, Somerset BA8
0TN
You can contact us by writing to the business address given above, by email to mail@yakovlevs.com,
or by telephone on 01963 365728.

2. INTRODUCTION
As a company which holds a limited amount of personal data in the form of customer contact details, purchase
history information and pilot training records, we are required to ensure compliance with the EU General Data
Protection Regulations (GDPR), which are designed to ensure more robust security and more transparency in
the use of personal data.
The GDPR places specific legal obligations on Airborne Services Ltd. For example, we are required to maintain
records of personal data processing activities. We will have legal liability if we are responsible for a breach of
confidential data and customers have a right to request sight of the data we hold on them, how it is used and if
necessary to request that data is removed from our database.

3. OVERALL POLICY
We only hold data when there is a justifiable need to do so and will remove data if it is no longer required. We
have robust security systems to protect data and information, and will promptly inform anyone affected
should any breach occur. Finally, the Airborne Services Ltd will not circulate any member information to third
parties without prior consent.
Transactional Data
Held electronically and in some cases as hard copy. Records of purchases from ASL, including aircraft parts,
merchandise and flight training courses. Records of sales transactions are held for three years in case of
queries. All credit card records are destroyed following any transaction. Charges and transactions are
controlled internally and by contracted accountant via Quickbooks accounting software.
Employee Information
Name, address, contact numbers and e-mails, age, bank details, tax and salary information, as well as working
records, for members of staff, contractors and some volunteers. Accessible only to senior personnel.
It is noted too that every staff member holds personal information which comes under the jurisdiction of the
GDPR, in the form of e-mails, applications and transactional records. All staff members are to be reminded that
all correspondence and address details held remain confidential, and a Data Handling Code of Conduct,
including advice on computer security, will be followed. All e-mails issued should contain a standard
confidentiality notice.

4. OVERSIGHT
The GDPR requires that public authorities and large-scale data processing organisations designate a Data
Protection Officer to take responsibility for data protection compliance. The size and structure of our company
does not justify a dedicated post, therefore a GDPR steering team led by the CEO will provide this oversight.

5. INDIVIDUALS’ RIGHTS
The GDPR includes the following rights for individuals: The right to be informed; the right of access; the right to
rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to
object; and the right not to be subject to automated decision-making including profiling.
We are confident that current procedures fulfil the GDPR and we do not operate any data profiling processes.
We will regularly review our procedures to ensure they cover areas such as the deletion of personal data and
will provide a customer with the data we hold on them, if requested, in electronic format. The CEO will make
any final decisions about deletion or release of information.

6. SUBJECT ACCESS REQUESTS
We acknowledge that individuals have a right to seek access to information held on our databases or if they
think there is a problem with the way we are handling their data. We will comply with any such request within
the new statutory one-month period. However, we can refuse or charge for requests that are manifestly
unfounded or excessive.
Individuals will have the right to have their personnel data deleted where they believe it is being held without
a practical or lawful basis. If we refuse a request, we must tell the individual why and that they have the right
to complain to the ICO and to seek a judicial remedy. We must do this, at the latest, within one month.

7. DATA PRIVACY IMPACT ASSESSMENT (DPIA)
Company systems fulfill the GDPR recommended ‘privacy by design’ approach. ‘Data Protection Impact
Assessments’ will be carried out if a new technology is being deployed, or if there is processing on a large scale
of the special categories of data held. While this is unlikely to directly affect the company, we will work with
our IT contractors to ensure that awareness of this is included in any future development programmes.

8. BREACHES OF DATA
Should we become aware of any personal data breach, we will notify customers as rapidly as is feasibly
possible, notifying the ICO if a breach is likely to result in discrimination, damage to reputation, financial loss,
loss of confidentiality or any other significant economic or social disadvantage to those concerned.
May 2018