review date: 2018-05- pg 061 privacy policy ... - avianca.com · applications, physical documents...
TRANSCRIPT
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
1
REVISION REGISTER
Revision Number Date Section Changes
01 2018 /05/25 Entire Document Creation of the
Document
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
2
CONTENT
1. OBJECTIVE AND SCOPE
2. RESPONSIBILITY
3. AUTHORITY
4. CONTENT
4.1 WHO WE ARE
4.2 Acceptance of this Privacy Policy and Purpose of Treatment of Information
4.3 Personal Information and Data we treat
4.4 Purposes of personal information and data treatment
4.5 Validity of treatment of personal data and information
4.6 Truthfulness of the Information
4.7 Information of children and underage teenagers
4.8 Use of Cookies
4.9 Protection, security and confidentiality of personal information and data
4.10 Rights of the Information Holder
4.11 Area Responsible of Personal Data Protection
4.12 General procedure to exercise the rights of Clients, Travelers and Users as holders of personal
information.
4.13 Modifications to the Privacy Policy
4.14 Ethics Hotline
4.15 Validity
5. Annexes
5.1 Colombia Annex
5.2 Mexico Annex
5.3 Peru Annex
5.4 European Union Annex
5.5 Canada Annex
5.6 United States Annex
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
3
1. OBJECTIVE AND SCOPE
We recognize the importance of security, privacy and confidentiality of personal information that
travelers, Clients and users provide our Companies through various channels (including websites,
applications, physical documents and others), and we are committed to adequately protect and treat it,
pursuant to the personal date legal protection regime available in each territory where we operate.
Therefore, the objective of this Policy is to inform travelers, clients and users who are Holders of personal
information regarding the type of data, the purpose of the Treatment so that we may provide our service,
the protection and rights available to the Holder of the information and the procedures to exercise them.
This Privacy Policy also applies to personal data of Eligible Passengers, as they are defined in the Terms
and Conditions of the PREFERENCIA Program “Program for Corporate Travel”, on behalf of who, entities
related to said PREFERENCIA Program, such as Corporate Clients, make Institutional Purchases.
Therefore, personal data of Eligible Passengers, including travel itineraries, methods of payment and
any other personal information will be treated under the terms of this Privacy Policy, with the possibility
of being transferred to the Corporate Client related to said Eligible Passenger for the purpose of
presenting reports, audits, requests of the Corporate Client and any other matter related to the operation
of the PREFERENCIA Program.
2. RESPONSIBILITY
Responsible for treatment: Aerovias del Continente Americano S.A. Avianca
Tax ID. No.: 890.100.577-6 NIT
Postal address: Calle 26 # 59-15 (Colombia)
Phone: 5877700
E-mail: [email protected]
3. AUTHORITY
Directorate of Risk, Security and Compliance with Information
4. CONTENT
4.1 WHO WE ARE
4.1.1 The Companies:
Aerovías del Continente Americano S.A. Avianca a commercial company incorporated in the Republic of
Colombia acting in its capacity as employer, directly or through its legally incorporated branches in the
territories of Argentina, Aruba, Colombia, Brazil, Curacao, Spain, London, Panamá and Venezuela.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
4
Tampa Cargo S.A.S., a commercial company incorporated in the Republic of Colombia acting in its
capacity as employer, directly or through its legally incorporated branches in the territories of Colombia
and The United States.
Taca International Airlines S.A., a commercial company incorporated in the Republic of El Salvador
acting in its capacity as employer, directly or through its legally incorporated branches in the territories
of El Salvador and Guatemala.
Trans American Airlines S.A., a commercial company incorporated in the Republic de Perú acting in its
capacity as employer, directly or through its legally incorporated branches in the territories of Argentina,
Bolivia, Brazil, Guatemala, Paraguay, Perú.
Avianca Ecuador S.A., a commercial company incorporated in the Republic of Ecuador acting in its
capacity as employer in the territory of Ecuador.
Líneas Aéreas Costarricenses S.A. Lacsa, a commercial company incorporated in the Republic of Costa
Rica, acting in its capacity as employer, directly or through its legally incorporated branches in the
territories of Costa Rica, Cuba, Dominican Republic and Venezuela.
Aviateca S.A., a commercial company incorporated in the Republic of Guatemala de Guatemala, acting
in its capacity as employer in the territory of Guatemala.
Aviaservicios S.A. a commercial company incorporated in the Republic of Guatemala de Guatemala,
acting in its capacity as employer in the territory of Guatemala.
Pitasa S.A. a commercial company incorporated in the Republic of Guatemala de Guatemala, acting in
its capacity as employer in the territory of Guatemala.
American Central Corporation a commercial company incorporated in The United States de América
acting in its capacity as employer, directly or through its legally incorporated branches in the territories
of The United States, Canada and Puerto Rico.
Grupo Taca de Chile S.A. a commercial company incorporated in the Republic of Chile, acting in its
capacity as employer in the territory of Chile.
Isleña de Inversiones, S.A. de C.V., a commercial company incorporated in the Republic de Honduras
acting in its capacity as employer in the territory of Honduras.
Servicio Terrestre, Aéreo and Rampa S.A. a commercial company incorporated in the Republic of Costa
Rica, acting in its capacity as employer in the territory of Costa Rica.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
5
Servicios Aéreos Nacionales S.A. a commercial company incorporated in the Republic of Costa Rica,
acting in its capacity as employer in the territory of Costa Rica.
Servicios Aeronáuticos PilotCrew-CR S.A. a commercial company incorporated in the Republic of Costa
Rica, acting in its capacity as employer in the territory of Costa Rica.
Servicios Misceláneos Australes S.A. a commercial company incorporated in the Republic of Costa Rica,
acting in its capacity as employer in the territory of Costa Rica.
Tripulantes de Taca S.A. a commercial company incorporated in the Republic of Costa Rica, acting in its
capacity as employer in the territory of Costa Rica.
Vu-Marsat S.A. a commercial company incorporated in the Republic of Costa Rica, acting in its capacity
as employer in the territory of Costa Rica.
Taca de Costa Rica S.A. a commercial company incorporated in the Republic of Costa Rica, acting in its
capacity as employer in the territory of Costa Rica.
Pilotos de Taca S.A. de C.V. a commercial company incorporated in the Republic of El Salvador acting
in its capacity as employer in the territory of El Salvador.
Technical and Training Services, S.A. de C.V. a commercial company incorporated in the Republic of El
Salvador acting in its capacity as employer in the territory of El Salvador.
Avianca Inc. a commercial company incorporated in The United States de América acting in its capacity
as employer in the territory of The United States.
Taca de Honduras S.A. de C.V. a commercial company incorporated in the Republic de Honduras, acting
in its capacity as employer in the territory of Honduras.
Grupo Taca Panamá S.A. a commercial company incorporated in the Republic of Panamá, acting in its
capacity as employer in the territory of Panamá.
Nicaragüense de Aviación S.A., a commercial company incorporated in the Republic de Nicaragua, acting
in its capacity as employer in the territory of Nicaragua.
Taca de México S.A., a commercial company incorporated in The United States de México, acting in its
capacity as employer in the territory of México.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
6
C.R. Int'l Enterprises, Inc. a commercial company incorporated in The United States de América acting
in its capacity as employer in the territory of The United States.
All of them hereinafter individually and collectively referred to as the Companies, who, for the purpose
of the provision and commercialization of passenger and product air transport services and related
services such as tour packages, air and/or land cargo transport services, express courier and courier
services, airport services, training services, loyalty programs, can act under the trademarks AVIANCA,
AVIANCA ECUADOR S.A., AVIATECA, LACSA, TACA, AVIANCA CARGO, AVIANCA SERVICES, AVIANCA
TOURS, DEPRISA, PREFERENCIA "Corporate Travel Program", AVIANCA EXPERIENCE
AIRPASS, AVIANCA STORE, or solely under the trademark AVIANCA, each and all of them respectively
and as corresponds Responsible and/or In Charge of Treatment of information and personal data.1
4.2 Acceptance of this Privacy Policy and Purpose of Treatment of Information
For purposes of this Policy, the term "treatment" is understood as any operation or set of operations
over personal data and information such as, use, collection, storage, disclosure, distribution or deletion
thereof.
Acceptance of this Privacy Policy and of the Treatment of personal data and information pursuant to
the terms thereof takes effect when the Traveler, Client or Holder provides his or her personal data
through any channel or mean set forth by The Companies, such as sales and service points, including
the Call Center, or when they purchase any of our products, or when they click the button “Continue”
or when they continue browsing our websites:
Avianca.com, Deprisa.com, Lifemiles.com, Programapreferencia.com, Aviancaservices.com, Aviancacar
go.com, Flybox.co, Aviancaexpress.com, Sociosyamigos.com., or when thy use any of our mobile apps
or electronic services in any version such as electronic kiosks; proof of any of these facts, shall be
unequivocal proof of acceptance of this Privacy and Personal Data Treatment Policy.
By accepting this Privacy Policy, each of the Travelers, Clients or Users, acting as holders of the
information, expressly authorize THE AIRLINES to Treat said information, partially or fully, including
collection, storage, recording, use, distribution, Treatment, deletion, transmission under the terms of
this Privacy Policy and/or transfer within the country and/or to third countries under the terms set forth
in this Privacy Policy and for the purposes of Treatment described in this document, especially:
• Send the boarding pass and/or document confirming the transaction, pursuant to the contract
of carriage, to the Traveler’s, Client’s and User’s registered e-mail addresses, as well as any
other information related to the product or services purchased or the provision of services.
• Use the information received for the purpose of marketing our own products and/or services, or
those of third parties with whom THE AIRLINES maintain a business relationship, depending on
the region where the personal data is treated, and on regulations.
1 The LifeMiles loyalty program, managed and operated by LifeMiles Corp., has its own Privacy Policy available at www.lifemiles.com The Privacy Policy available for the Flybox program is available at www.flybox.com
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
7
• Share information and personal data, when it is included in the provision of the service with:
commercial representative, tourism operators (including hotels), car rental companies, insurers,
among others, as required to manage travel plan reservations and other tourism services.
• Provide information and personal data to control and surveillance, administrative, policy and
judicial, domestic and international authorities responding to a legal or regulatory requirement
and/or revealing this information and personal data to uphold the rights and/or property of THE
AIRLINES, its clients, our own websites or those of our users, to detect and prevent fraud, to
prevent, detect, capture or prosecute illegal acts or when THE AIRLINES in good faith consider
that disclosing the information and personal data is in the best interest of aviation security.
• Allow access to personal data and information to auditors or third parties contracted by the
Companies to perform internal or external audit processes of the commercial activities carried
out by the Organization.
• Check or update information and personal data of travelers, clients and users, during
performance of commercial activities developed by the Companies.
• Outsource storage and/or Treatment of personal data and information for the proper
performance of agreements entered into with us, under the security and confidentiality
standards which bind us.
• Trasfer your personal data and information, in the event of a change of control in one or more
of THE AIRLINES or in any of the business units due to merger, acquisition, bankruptcy,
demerger, or creation, to the new entity controlling THE AIRLINES or their business units. If, as
a result of the change of control, there is a change of the Person in Charge of the Treatment of
personal data and information, such situation will be reported to the Holders of the personal
data and information, so that they may exercise their rights pursuant to applicable law. The
conditions under which the Holders may exercise their rights will be indicated upon report of the
change of control.
4.3 Personal Information and Data we treat
The AIRLINES may collect personal data and information about Travelers, Clients and Users, which
information may vary according to the requirements of local authorities, technological facilities, nature
of the products or services provided, among others, for such purposes, we may collect the following
personal information, which may be stored and/or treated in servers located in various countries,
pursuant to the principle of transparency we have compiled a list of personal data Treated by the
airlines2:
• General Identification Data: Traveler’s, Client’s and/or User’s first and last name, date of birth,
ID number or ID, international travel ID No., gender, marital status and/or kinship with
underage children or disabled people requesting our services, occupation or trade.
• Location Data: postal and/or electronic address (personal and/or work), nationality or country
of residency, Nationality and country of residence, contact landline or cell phone (personal
and/or work), company where he or she works and position.
2 The list of personal data set forth in section 4.3 herein is not limited and may be updated or changed according to the business unit and the services provided to Travelers, Clients and Users of our Companies.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
8
• Socioeconomic Content Data: Cardholder personal data (name, last name, ID type and number),
address where the cardholder receives bank statements, credit card information.
• Sensitive Data: including images, photographs, videos, voices and/or sounds, biometric data,
that identifies, or makes our Travelers, Clients and Users, and/or any person who is or transits
through any location where the AIRLINES have installed equipment, identifiable. Health
information (medical conditions that are considered contraindications for flying by the treating
physician) and medical certificates required by the Customer, Travel or Use, to provide, as
possible and available in our operation, the facilities and elements to provide proper medical
care during provision of the air transportation service, as well as to determine the feasibility of
the trip.
• Other information: Client’s IP address, through cookies, LifeMiles’ Member ID and information
on transactions and activities related to the LifeMiles Program.
• For flights to and from the United States, the “Redress Number” may be collected as a
requirement of that country’s governmental authorities.
• Information required to facilitate travel and other services, including the name of the travelling
party, emergency contacts, seat preference, special meals or medical requirements.
• Purchase channel information (including travel agencies, direct points of sale or representatives
or agents, call center, websites, mobile apps).
• Use of products and services such as self-check-in machines, flight status notification and online
check-in).
• Personal information and data collected through surveys, focus groups and other market
research methods.
• Information requested by THE AIRLINES’ officers or representatives, such as sales and/or
customer relations representatives, with the purpose of responding to requests or claims.
Holders of personal data and information will not be required in any case to authorize the Treatment of
sensitive data. Notwithstanding the to allow for the proper provision of services, they shall expressly
consent to treatment of the sensitive personal data or information by THE AIRLINES pursuant to this
Privacy Policy.
In addition, for security purposes, THE AIRLINES may collect, store, share and compare personal data
and information with different national or international administrative, control and supervising, police
and judicial authorities, including biometric data, of our Travelers, Clients and Users, obtained through
any image, audio or video recording device, located in our facilities (such as administrative offices,
points of sale, VIP lounges, airport modules for customer service, call centers). THE AIRLINES will inform
the general public about this by publishing Privacy Warnings , in the locations where this personal data
and information is collected.
Due to our activity as carriers, the AIRLINES are required to provide certain personal data and
information about passengers or cargo or courier and/or express shipments to airport, immigration and
customs authorities, as well as any other domestic or international government, regulatory or safety
authorities prior to the departure or before landing of flights in any destination after performing the
contract of carriage. By general rule, this information refers to identity information of the passengers
on board, their itineraries, as well as the data contained in their respective travel documents (passport,
visas) or related to transported goods.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
9
4.4 Purposes of personal information and data treatment
Collected personal data and information is used to process, confirm, fulfill and provide the purchased
products and/or services, directly and/or with the participation of other airlines or third-party suppliers
of products or services, as well as to make reservations, modifications, deletions, changes of itinerary,
refunds, respond to requests, claims and complaints, payment of compensation and indemnities,
accounting records, correspondence, processing and verification of credit cards, debit cards and other
payment instruments, to promote and advertise our products, services and activities, to perform
financial payment transactions, charges or refunds, to respond to legal proceedings, to report or process
the requirements domestic or international control and surveillance administrative authorities, police
and legal authorities, banking institutions and/or insurance companies, for internal and/or commercial
administrative processes, including market research, auditing, accounting reports, statistical analysis,
billing, and offering and/or recognition of benefits through loyalty programs in order to perform the
contract of carriage and other services and supplementary activities, detect and prevent fraud, money
laundering and other criminal activities and/or or for the proper operation of loyalty programs and other
activities indicated herein.
Personal data and information Treatment by the people/entities responsible for or in charge of the
Treatment is framed within the guarantee of and respect to the Treatment principles set forth by
applicable law. These principles are legality, freedom, transparency, consent, information, quality,
access and restricted distribution, purpose, loyalty, proportionality, safety and confidentiality.
We inform Clients, Travelers and Users, that third parties may be involved in performance of THE
AIRLINES’ activities, including providers of flight booking systems, security tools for processing of
banking, transactions, call centers, tour operators, banking entities, insurance companies, our
representatives or agents, loyalty program managers and/or operators, and that these activities can be
carried out in countries other than those where the service is contracted or the product is purchased,
without prejudice to other purposes that have been set out in this document and under terms and
conditions of each of our business units’ products and services and/or Privacy Policies of said third
parties.
Through our LifeMiles loyalty Program, by LifeMiles B.V., THE AIRLINES acknowledge and provide
incentives for traveler loyalty. Each member of the Program is subject to the terms and conditions of
the LifeMiles Program and their Privacy Policy, available at www.lifemiles.com. Any f personal data of
members of the LifeMiles Program treated by THE AIRLINES, shall be carried out in their capacity as
Responsible Party for the purposes set forth in the personal data protection regulations. THE AIRLINES
do not sell, assign or transfer personal information of their Travelers, Clients and Users to third parties.
4.5 Validity of treatment of personal data and information
The validity of the information is subject to fulfilling its purposes, therefore, information provided by
Travelers, Clients and Users may remain stored for up to ten (10) years from the date of the last
Treatment, to enable us to comply with legal and/or contractual obligations under our charge,
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
10
particularly in accounting, fiscal and tax matters or for the time deemed necessary to comply with the
provisions applicable to the corresponding matter or to the administrative, accounting, tax-related, legal
and historical aspects of the information, or in any event provided by law and the provision of the
service.
4.6 Truthfulness of the Information
Travelers, Clients and Users have the duty of providing THE AIRLINES with truthful personal information
in order to formalize the reservation and enable the provision of the contracted services, as well as to
carry out any other services required.
The AIRLINES presume the accuracy of the information provided by Clients, Travelers and Users and
are not under the obligation to verify identity of Travelers, Clients and Users, or the truthfulness, validity,
adequacy and authenticity of the data provided by each one of them. Therefore, the Companies shall
assume no liability for any damages of any nature that may originate due to the lack of truthfulness,
adequacy, sufficiency or authenticity of the personal data and information, including damages derived
from homonyms or identity theft.
4.7 Information of children and underage teenagers
THE AIRLINES, acknowledge the special level of protection required in relation to personal data of minors
and teenagers, and therefore, in cases when the latter are users of the products and services offered
by THE AIRLINES, it is understood that they act through their legal representatives duly authorized
person, parents or guardians, or legal representation of the minor pursuant to the specifications of the
region or country where the minor’s data is treated. In the event that their parents or guardians of these
children become aware of an unauthorized data Treatment, they may submit their inquiries or
complaints to [email protected].
The AIRLINES shall ensure the proper use of personal data of children and underage teenagers,
guaranteeing that treatment of their data complies with applicable laws, as well as the protection of
their best interests and fundamental rights where possible, taking into account their opinions as holders
of their personal data.
4.8 Use of Cookies
The AIRLINES may use cookies and other similar technologies on their websites, mobile applications,
electronic kiosks and electronic devices used to access them, in order to learn the origin, increase
functionality and accessibility to website, verify that users meet the required criteria to process their
requests and adapt their products and services to Users’ needs, being able to obtain the following
general information:
• The type of browser and operating system used
• Websites visited
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
11
• IP address
• Duration of browsing
• Device language
• Accessed links
• The last website visited before accessing www.avianca.com
These cookies and other similar technologies can be disabled and deleted by the User whenever they
want. For this purpose, the candidate, collaborator bound by labor agreement, family group and/or
beneficiary, retired collaborator and/or any other interested Holder, may verify and/or request help on
the Internet browser they are using.
Check our Cookies Policy and learn how we use your personal data for a better user experience.
4.9 Protection, security and confidentiality of personal information and data
Protection, security and confidentiality of the personal data and information of Travelers, Clients and
Users is highly important for THE AIRLINES.
THE AIRLINES have policies, procedures and information security standards, which may change at any
time at their discretion and which aim to protect and preserve the integrity, confidentiality and
availability of personal data and information, regardless of its nature or format, its temporary or
permanent location or how it is transmitted. Therefore, we rely on technological security tools and
comply with renowned industry security practices, including: transmission and storage of sensitive
information through secure mechanisms, such as encryption, use of secure protocols, safeguarding
technological components, restriction of access to the information only to authorized personnel, data
backup, safe development of software, etc.
Third parties contracted by the AIRLINES are equally bound to comply with this Privacy Policy, as well
as THE AIRLINES’ policies and manuals of information security and the safety protocols applied to all of
our processes.
Any contract entered into by the AIRLINES with any third party (contractors, external consultants,
temporary collaborators, etc.) which involves the Treatment of personal data and information of
Travelers, Clients and Users includes a confidentiality agreement that specifies their commitments to
the protection, care, safety and preservation of confidentiality, integrity and privacy thereof.
4.10 Rights of the Information Holder
The Information Holder is hereby informed of the rights granted by applicable laws as a Holder of
personal data and which are listed below:
• To know, update and rectify their personal data and information before the entity that is
responsible or in charge of the Treatment of their personal data and information.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
12
• To request proof of the authorization granted to the entity that is responsible for the Treatment
of their personal data and information, unless such request constitutes an express exception for
such Treatment.
• To be informed, upon request, by the entity that is responsible for the Treatment of their
personal data and information about how such personal data and information have been used.
• To file complaints before competent authorities for violations to the applicable personal data
protection regime.
• To revoke the authorization and/or request the removal of the personal data and information
under the terms of this Privacy Policy.
• To access their personal data and information that was subject to Treatment, upon previous
request to the AIRLINES and under the provisions of the corresponding valid and applicable
regulations. If the requests exceed one per calendar month, the Companies will charge the
Holder requesting such information for its shipment, reproduction and, if applicable, certification
costs.
4.11 Area Responsible of Personal Data Protection
Responsible for treatment: Aerovias del Continente Americano S.A. Avianca
Tax ID. No.: 890.100.577-6 NIT
Postal address: Calle 26 # 59-15 (Colombia)
Phone: 5877700
E-mail: [email protected]
4.12 General procedure to exercise the rights of Clients, Travelers and Users as holders of
personal information.
Travelers, Clients and Users of THE AIRLINES are entitled to know the details of their personal data
treatment and to exercise their rights as Holders thereof, under the terms of applicable data protection
regulations and pursuant to the provisions of this Privacy Policy.
For the purpose of the above, this policy defines the general procedure for Holders of information to
exercise their rights, notwithstanding the enforcement of specific stipulations and procedures of
domestic laws in each territory. In the event of a discrepancy between the general procedure and the
specific stipulations or procedures contained in applicable local regulations in each territory, the specific
regulations shall prevail.
The Personal Data Privacy area is the responsible department within the Organization to promote and
enforce the Personal Data Protection Program. For this purpose, the Organization has enabled specific
service channels for interested parties to exercise their Personal Data protection rights, such as the
[email protected] email address.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
13
4.12.1 Queries
a) The Holder of the Information and/or the person exercising the right on his or her behalf, must
prove Ownership to avoid loss, query, unauthorized or fraudulent use or access by a person
other than the Interested Party and/or whoever has the power to act on its behalf.
• Proof by the Holder shall be confirmed by submission of: a physical or digital company
of the pertinent identification document and passport (identification number on
international flights), depending on the method of submission of the query.
• When the request is made by a person other than the Holder, the third party must duly
prove power of attorney to act on behalf of the Holder by sending any supporting
documents.
b) The request to exercise any of the rights listed in numeral 10 must be submitted: in writing, on
a physical and/or digital mean through the channels enabled by the Organization for that
purpose and identified in this Privacy Policy.
c) The request to exercise any of the aforementioned rights must contain at least the following
information:
• Name of the interest party, his or her representative and/or the person exercising the
right on his or her behalf.
• Concrete, accurate and justified request of the invoked right.
• Physical and/or electronic address for notifications.
• Documents that support the request (if applicable)
• Signature of the requesting party depending on the method of request.
d) The request will be handled by the area and/or delegate within the organization in charge of
protection of personal data only when Ownership of the information is proven and it meets the
abovementioned requirements.
4.12.2 Claims
a) The Holder of the Information and/or the person exercising the right on his or her behalf, must
prove Ownership to avoid loss, query, unauthorized or fraudulent use or access by a person
other than the Interested Party and/or whoever has the power to act on its behalf.
• Proof by the Holder shall be confirmed by submission of: a physical or digital company
of the pertinent identification document and passport (identification number on
international flights), depending on the method of submission of the query.
• When the request is made by a person other than the Holder, the third party must duly
prove power of attorney to act on behalf of the Holder by sending any supporting
documents.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
14
b) The request to exercise any of the rights listed in numeral 10 must be submitted: in writing, on
a physical and/or digital mean through the channels enabled by the Organization for that
purpose and identified in this Privacy Policy.
c) The request to exercise any of the aforementioned rights must contain at least the following
information:
• Name of the interest party, his or her representative and/or the person exercising the
right on his or her behalf.
• Concrete, accurate and justified request of the invoked right.
• Physical and/or electronic address for notifications.
• Documents that support the request (if applicable)
• Signature of the requesting party depending on the method of request.
d) The request will be handled by the area and/or delegate within the organization in charge of
protection of personal data only when Ownership of the information is proven and it meets the
abovementioned requirements.
4.12.3 Security Violation
a) When the Holder’s request identifies a violation that may lead to a regulatory breach or the
violation of a right associated to personal data, the process in the previous numerals shall be
followed along with the following specifications and exceptions:
Classification of the type of incident:
• Critical Level: Involves sensitive data, or disclosure of private or semi-private data
without authorization of the Holder that leads to a possible loss of confidentiality of the
information.
• Intolerable Level: Involves private or semi-private data associated to improper handling
pursuant to contractual obligations or the authorization granted by the Holder.
b) Mitigation actions pursuant to the Internal Information Privacy and Handling Manual.
4.12.4 Terms
The following general terms of reference shall be used, however, the region of origin of the Holder of
the information must be considered, response times and requirements may vary, therefore, depending
on the region, the construal of this numeral must be made jointly with the annexes and reference must
be made to those that are pertinent.
Query: They will be handled within a maximum of ten (10) working days as of reception of the query.
When it is not possible to respond within said term, we will inform of the reasons for the delay and the
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
15
date on which the query will be answered, which in no case may exceed five (5) working days after
expiration of the first term.
Claims: They will be handled within a maximum of fifteen (15) working days as of reception of the duly
supported claim. When it is not possible to respond to the claim within said term, we will inform of the
reasons for the delay and the date on which the query will be answered, which in no case may exceed
eight (8) working days after expiration of the first term.
If the claim in incomplete, the Holder will be asked to cure any faults within the following five (5) days.
After two (2) months of the date of the request, without receiving the required information from the
interested party, we will understand that the claim has been desisted.
4.12.5 Channels enabled to handle queries and claims
To exercise their rights, Travelers, Clients and Users may enforce their rights to know, update, rectify
and eliminate personal data or information by sending a request to [email protected]
In the event that any Traveler, Client and User considers that the use of content in any of our
communication channels, such as websites, mobile applications and kiosks constitutes a breach to their
intellectual property rights, they shall notify us by sending a communication with the following
information to the abovementioned email address:
• Personal data: name, address, telephone number and e-mail address of the claimant.
• Authentic signature, with the personal data of the Holder of the intellectual property rights
subject to infringement or of the person authorized to act on behalf of the Holder of the
intellectual property rights subject to infringement.
• Accurate and complete indication of the content that is protected by the intellectual property
rights infringed and its location.
• Express and clear statement of the fact that such content has been used without the
authorization of the Holder of its intellectual property rights.
• Express and clear statement, and under the responsibility of the claimant, that the information
provided is accurate and that the use of such content is an infringement to the intellectual
property rights thereof.
The claims arising from these facts shall be subject to proper Treatment and resolution under the
applicable legal proceedings, pursuant to the nature and applicability thereof.
The request for deletion of information and the revocation of the authorization or the request to restrict
the use and disclosure of personal data will not proceed when the Holder is legally or contractually bound
to remain in the database, under the terms set forth by the applicable laws.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
16
Notwithstanding the enforcement of the general procedure set forth in this Privacy Policy, we have
identified some territories where specific provisions are set out by local laws. In case you wish to know
such specific provisions, please see the Annexes listed below:
• Colombia Annex
• Mexico Annex
• Peru Annex
• European Union Annex
• Canada Annex
• United States Annex
These annexes apply in accordance to and are an integral part of the General Privacy Policy for the
protection of Personal Data of Travelers, Clients and Users.
4.13 Modifications to the Privacy Policy
THE AIRLINES reserve the right to make changes or updates to this Privacy Policy at any time in
compliance with new legislations, internal policies or new requirements in order to provide or offer their
services or products.
These modifications will be made available to the public through the following channels: visible notices
on their premises or customer service centers, on our websites, smartphone applications (Smartphones)
or electronic kiosks (Privacy Notice) or through the last e-mail provided.
Subject to applicable laws, the Spanish version of this Privacy Policy shall prevail over any other version
disclosed in any language. In the event that there is any inconsistency between the Spanish version and
any translation of this Privacy Policy in another language, the Spanish version shall prevail.
4.14 Ethics Hotline
The Organization has an Ethics Hotline, managed by Navex Global Inc., a company incorporated under
the laws of Delaware, USA, and independent from The Organization so that collaborators, related third
parties, suppliers, shareholders, Travelers, Clients, Users and the general public to submit complaints
or inquiries, reveal conflicts of interests , which shall be treated confidentially. The Ethics Hotline
guarantees anonymity in the event that the reporting party wished to hide his or her identity.
The Ethics Hotline is available 24/7 at http://aviancaholdings.ethicspoint.com and on several phone
lines available on this link.
Treatment of personal data and protection of privacy will be performed by companies integrated into
Avianca Holdings, S.A., with the purpose of investigating claims, absolving queries and taking
administrative or legal action. This treatment will be performed pursuant to the Privacy Policies, available
on the “Policies” section of the Ethics Line portal.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
17
4.15 Validity
This General Privacy Policy shall enter into force on the day it is published.
5. Annexes
5.1 Colombia Annex
Regarding information and personal data treated in Colombia, the procedures to exercise of the rights
of the holders of such information will be the one set out by Law 1581 from 2012 and its regulatory
decrees. Pursuant to Article 10 of Decree 1377 from 2013, the AIRLINES request your authorization to
continue Treatment of your personal data and information under the terms set forth by this Privacy
Policy. In addition, pursuant to paragraph a) of article 26 of Law 1581 from 2012, we inform you that
by expressly accepting this Privacy Policy, you grant us permission to transmit and/or transfer your
personal data and information to other countries in which we operate, where different levels of protection
of personal data to those required in Colombia may exist, including El Salvador, Peru, Ecuador, Bolivia,
Guatemala, Brazil, Costa Rica, USA, Uruguay, Paraguay and Argentina.
You can exercise your rights to know, update, modify and/or delete your personal data and information
by sending an email to [email protected] or through the Suggestions and Claims service at
www.avianca.com, or through our Call Centers in Bogota 4013434 or in other cities in Colombia on
018000953434, in accordance with this Privacy Policy.
The contact information for THE AIRLINES in Colombia are:
Address: Avenida Eldorado No. 59 – 15, Bogota
Phone Number in Bogota: 4013434
Other cities in Colombia: 018000953434
E-mail: [email protected]
5.2 Mexico Annex
Regarding information and personal data treated in Mexico, the procedures for the exercise of the rights
of the holders of such information will be the ones set out by Federal Law on Protection of Personal Data
Held by Individuals (DOF 05-07-2010), and its respective Regulations (DOF 21-12-2011).
Procedures for exercising ARCO rights in Mexico: Pursuant to the provisions of Mexican law, holders of
personal data and information have the right to access, rectify, cancel or oppose the Treatment of their
personal data, for which purpose the following procedure shall be carried out: The area responsible for
the Treatment of personal data (Direction and Intelligence of Information) may be contacted through
the following channels in order to send the required information and documentation:
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
18
Address: Avenida Eldorado No. 59 – 15, Bogota, Colombia
E-mail: [email protected]
The request to access, rectify, cancel or oppose shall include, at least:
• Full name and address of the holder of the personal data and information, or provide any other
means to response to the request.
• Documents proving the identity or legal representation of the holder of the personal data and
information.
• Clear and accurate description of the personal data and information subject to the enforcement
of the aforementioned rights.
• Any other item or document that facilitates the location of personal data and information.
• Indicate the modifications to be made and/or limitations on the use of personal data and
information.
• Provide documentation to support your request. THE AIRLINES shall communicate the adopted
resolution to holder owner of the personal data and information, within a term not exceeding 20
working days from the date of receipt of the request. If necessary, this term may be extended
on a single occasion for an equal term.
Based on the above, and in accordance with the provisions of the Law, THE AIRLINES shall inform the
owner of the personal data and information the meaning and motivation of the resolution, through the
same means through which the request was carried out, and that resolution shall be accompanied with
relevant evidence, if any.
If the request is appropriate, it will be executed by THE AIRLINES within 15 working days following the
communication of the adopted resolution
Based on the response or lack of response by the AIRLINES, the holder may file a request for data
protection with the Federal Institute of Access to Information (IFAI). Such request shall be submitted
by the owner within 15 working days from the date the AIRLINES communicate the response to the
owner, and shall be subject to the provisions of the Law.
For requests of access to personal data and information, the petitioner or their legal representative shall
be required to prove their identity.
The obligation of access to information shall be fulfilled when THE AIRLINES make available the personal
data and information to the owner or when such information is provided in form of photocopies or
electronic documents.
In the event that a traveler, client or user requests access to their personal data and information under
the assumption that THE AIRLINES are the responsible entities thereof, and it is ultimately concluded
that THE AIRLINES are not responsible thereof, the AIRLINES shall communicate this to the owner
through any means for the request to be considered fulfilled.
The response to the request for access, rectification, deletion or opposition of personal data will be free
of charge. Our customers, Travelers or Users should only cover the reasonable costs of shipping or
reproduction of copies or other formats, which will be informed in due time.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
19
In the event that the same client, traveler or user restates the request for access, rectification, deletion
or opposition of personal data and information in less than 12 months from the date of the last request,
the response may have an additional cost indicated by the AIRLINES, in accordance with the provisions
of Article 35 of the Federal Law on Protection of Personal Data.
The AIRLINES may refuse total or partial access to personal data and information or the rectification,
deletion or opposition to the Treatment thereof in the following cases:
• If the petitioner is not the owner or legal representative or is not authorized.
• If the petitioner’s personal data and information is not contained in the databases of the
AIRLINES.
• If the rights of any third party are violated.
• If there exists any legal impediment or resolution by an authority.
• If the rectification, deletion or opposition was previously carried out and the request is no longer
pertinent.
The cancellation of personal data and information will result in a lockout period after which the deletion
of the data will be performed. Once the personal data and information are cancelled, the AIRLINES shall
notify the owner thereof.
Once the aforementioned process is completed, the AIRLINES may keep the personal data solely for the
purposes of the Treatment obligations arising from this policy. If the personal data and information are
transmitted to third parties or entities in charge before the rectification or deletion and if they are subject
to Treatment by such third parties, the AIRLINES shall inform such third parties about the request filed
by the owner in order to make such rectifications and deletions.
The AIRLINES are not under any obligation to cancel the personal data and information in cases where
the provisions set out by Article 26 of the Federal Law on Protection of Personal Data are applicable, or
when the owner has a legal or contractual duty to remain in the database, under the terms set forth by
the law. In addition, once the collected personal data and information are no longer necessary for the
compliance with the purposes set forth by this policy and with the applicable legal provisions, such
personal data and information will be cancelled from the databases of the AIRLINES.
Mechanisms and procedures to revoke your consent:
Holders may at any time revoke their consent to the Treatment of their personal data and information.
In order to do so, the owner shall send an e-mail written in Spanish to the following address:
[email protected], which shall include the same requirements previously indicated for the
exercise of ARCO rights, indicating the personal data and information subject to such revocation. The
AIRLINES will perform such revocation within fifteen (15) working days from the date of receipt of the
e-mail.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
20
Options provided to the owner to limit the use or disclosure of personal data and information:
Holders may at any time limit their consent to the Treatment of their personal data and information for
marketing and promotional purposes by sending an e-mail to the following address:
[email protected], mentioning such limitations. The AIRLINES will stop sending information
within ten (10) working days from the date of receipt of the e-mail.
Contact details THE AIRLINES in Mexico are:
Address: Avenida Paseo de la Reforma 195-301, Colonia Cuauhtémoc, CP 06500, México, D.
Phone Number in Mexico : 01800 1233120
E-mail: [email protected]
5.3 Peru Annex
Regarding information and personal treated in Peru, the procedures for the exercise of the rights of the
owners of such information will be the ones set out by Law 29733 and Supreme Decree 003-2013-JUS
(hereinafter “the Law and its regulations”).
Travelers, Clients and Users are entitled to see and know the details of the Treatment of personal data
and information we perform, to know the collected personal data and information, to oppose if
necessary, to request their rectification if inaccurate or incomplete and to cancel them if not used
according to the law, the terms and conditions of the purchased product or service, the corresponding
contract or the terms set forth by this Privacy Policy.
By accepting this Privacy Policy, you freely and expressly state that you were previously informed about
the following rights to which you are entitled as the owner of your personal data and information under
Peruvian law:
• Access.
• Information.
• Rectification and Updating.
• Deletion.
• Opposition.
In order to exercise such rights, a request shall be sent to THE AIRLINES including the following
information:
• Names and last names and certification of the petitioner’s identity (copy of their ID or passport).
• Specific reasons for the request.
• Address or electronic address for the purposes of response notifications.
• Documents supporting the request (in the case of the right to rectify, cancel or oppose).
• Signature of the petitioner.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
21
The procedures to exercise your rights are the following:
1. Right to access and information: Owners may exercise the right to access the data contained in
our database, in which case they will be provided with requested access information. The access
request will be answered within a maximum term of twenty (20) working days from the day of receipt
of the request. If processing of the claim within this term is not possible, they will be informed of the
reasons for the delay and the term for the response will be extended to twenty (20) additional
working days. The holder of the data may exercise their right to information to know the manner in
which such information has been collected. Such request will be answered within a maximum term
of eight (8) working days from the day of receipt of the request. If the request to exercise the right
of access or information is incomplete, the owner will be required to correct the information within a
term of five (5) days from the date of receipt of the claim. If the required information is not presented
after such 5-day term, the request shall be deemed not filed.
2. Right to rectify, update, oppose or cancel: If the holder considers that the information contained
in a database must be subject to correction, updating or deletion, they may file a duly supported
request, which will be processed under the following rules: If the request is incomplete, the owner
will be required to correct the information within a term of five (5) days from the date of receipt of
the claim. If the required information is not presented after 5 days from the date of the request, the
request shall be deemed not filed. On the other hand, if the information or documents supporting
the request are insufficient, the AIRLINES may require additional documentation to process the
request within seven (7) days from the date of receipt of the request and such information shall be
submitted by the owner within ten (10) working days. In addition, if you have not submitted the
required information after such term, such information shall be deemed not submitted. During the
rectification or deletion processes, the AIRLINES or the responsible entities will block third-party
access to the data. The maximum term to process a request of rectification, updating, opposition or
deletion will be ten (10) working days from the date of receipt of the request. If Treatment the claim
within this term is not possible, you will be informed of the reasons for the delay and the date your
claim will be processed, which shall not exceed the ten (10) working days from the date of receipt of
the request.
Contact details for THE AIRLINES in Peru are:
Address: Avenida Jose Pardo 831 (4th Floor) Miraflores Lima Peru
Phone Number in Peru (Lima): 2136060
E-mail: [email protected]
5.4 European Union Annex
The provisions of this annex, which applies in relation to the General Privacy Policy for the Protection of
Personal Data of Travelers, Clients and Users and is an integral part thereof, shall apply for Travelers,
Clients and Users residing in a member country of the European Union, as well as for passengers who
buy their tickets in a member country of the European Union.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
22
5.4.1 Who is responsible for treatment of your personal data?
Identity: Aerolineas del Continente Americano, S.A. Avianca
Register: NIF A4801001A
Mailing Address: C/ Castello No. 23 – 4 izq. Madrid (Spain)
Email: [email protected]
THE AIRLINES, as Responsible Party and/or In Charge, located outside the European Union, in
compliance with applicable regulations, has designated Aerovias del Continente Americano S.A. Avianca
Spain Branch as its Representative in the EU, with MAIN OFFICES AT (C/ Castelló, nº 23 – 4º Izquierda,
Phone.: +34 91 758 91 22 and e-mail [email protected]).
5.4.2 How do we obtain your personal data?
THE AIRLINES collect personal data of travelers, clients and users each time they use our services
(either provided by others or by companies or agents acting on our behalf), including when they make
a reservation and/or travel with us, when they use our website or when they interact with us through
electronic means or at our customer service centers.
THE AIRLINES can also receive personal data on travelers, clients or users from third parties such as:
companies contracted by THE AIRLINES to provide a service (handling company, etc.); companies that
intervene in your travel itinerary, including aviation companies that operate your trip before or after,
airport operators and customs and immigration authorities; companies that participate in THE AIRLINES’
loyalty programs and other customer programs (i.e. car rental companies and hotels).
5.4.3 What personal data do we collect and treat?
THE AIRLINES may collect information and personal data from Travelers, Clients and Users, which may
vary depending on the requirements of local authorities, technological facilities, the nature of the product
and/or the service being provided, among others, and for that purpose we may collect the following
personal information:
• General Identification Data: Traveler’s, Client’s and/or User’s first and last name, date of birth,
ID number or ID, international travel ID No., gender, marital status and/or kinship with
underage children or disabled people requesting our services, occupation or trade. Postal and/or
electronic address (personal and/or work), nationality or country of residency, Nationality and
country of residence, contact landline or cell phone (personal and/or work), company where he
or she works and position.
• Socioeconomic Content Data: Cardholder personal data (name, last name, ID type and number),
address where the cardholder receives bank statements, credit card information.
• Sensitive Data: including images, photographs, videos, voices and/or sounds, biometric data,
that identifies, or makes our Travelers, Clients and Users, and/or any person who is or transits
through any location where the AIRLINES have installed equipment, identifiable. Health
information (medical conditions that are considered contraindications for flying by the treating
physician) and medical certificates required by the Customer, Travel or Use, to provide, as
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
23
possible and available in our operation, the facilities and elements to provide proper medical
care during provision of the air transportation service, as well as to determine the feasibility of
the trip.
• Other information: Client’s IP address, through cookies, information about the location of your
device if you are browsing our website or using our mobile app, LifeMiles’ Member ID and
information on transactions and activities related to the LifeMiles Program.
• For flights to and from the United States, the “Redress Number” may be collected as a
requirement of that country’s governmental authorities.
• Information required to facilitate travel and other services, including the name of the travelling
party, emergency contacts, seat preference, special meals or medical requirements.
• Purchase channel information (including travel agencies, direct points of sale or representatives
or agents, call center, websites, mobile apps).
• Use of products and services such as self-check-in machines, flight status notification and online
check-in.
• Personal information and data collected through surveys, focus groups and other market
research methods.
• Information requested by THE AIRLINES’ officers or representatives, such as sales and/or
customer relations representatives, with the purpose of responding to requests or claims.
• Certain categories of personal data, such as those related to racial origin, ethnicity, religion,
health, sexual orientation or biometric data, constitute special categories of personal data that
require additional protection pursuant to the European Union data protection regulations.
Although THE AIRLINES attempt to limit the circumstances in which we collect and treat data of
this nature, it is possible that we may collect and treat this information from travelers, clients
and users in the following cases:
- When THE AIRLINES and/or an airport operator request specific medical assistance,
such as a wheelchair or oxygen.
- When they request to travel with THE AIRLINES with a specific medical condition or after
the 32nd week of pregnancy.
- Likewise, when a special service is requested (such as a menu) that does not constitute
in itself a special category of personal data, but could imply or suggest information about
your religion, health or other information.
5.4.4 Why do we treat your personal data?
Complementing the purposes listed in numeral 5 herein, THE AIRLINES treat personal data for the
following reasons:
1. To enter into and manage a contractual relationship: The personal data and information are
used to perform and process the reservation, to process the services related to your trip, to
perform the contract of carriage, to provide air transportation passenger services, and related
products and services such as tourism packages, air and/or ground transportation services,
express and courier messenger services, airport services, itinerary modification, cancellation or
changes, internal administrative purposes, update status and service or operating notifications
about the contracted service, check-in or if the flight is delayed, notifications about services that
have been booked (such as travel itinerary), notifications about advance passenger information,
notifications that allow adding options and complements to the services being used (such as
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
24
advance seat selection, excess baggage, etc.), assisting you with flight connections and upon
boarding the aircraft, locating your baggage, access to VIP lounges, changes to reservations,
claims, queries and complaint reception, payment of compensation and indemnities, billing,
processing of charges and payment, accounting records, audits, accounting reports,
correspondence, processing and verification of credit cards, debit cards and other payment
instruments, to promote and advertise our products, services and activities, to perform financial
payment transactions, charges or refunds, among other purposes necessary to fulfill the
contracts of carriage and other agreements entered into with THE AIRLINES.
2. Management of Marketing Activities: Promote and advertise activities, products and services of
THE AIRLINES, associated airlines and/or our commercial partners, for commercial purposes,
including market research and statistical analysis; Mailing or texting information about THE
AIRLINES’ products and services; Adapting the content of our website, apps, e-mails and other
communications, to guarantee that they are as interesting as possible for you – including offers
and/or services related to destinations where you have travelled and similar ones; Offering you
information about offers, such as access to upgrades; Surveys; We will only send commercial
communications when you have consented to receive them.
3. Compliance with legal and security obligations: Passenger registration, responding to legal
processes, making reports or responding to requirements from various authorities and domestic
or international entities, control and surveillance administrative authorities, or policy or judicial
authorities, and specially incompliance with the information regulations and requirements from
trans-border control and customs authorities at countries of destination, in transit or overflown
during your itinerary, fraud identification and prevention of money laundering and other illegal
activities, facilitating immigration procedures and entry into the territory of a State, ethics
hotline.
4. Loyalty Programs; Offering and/or recognizing benefits through loyalty programs, and/or the
operation of loyalty programs. We recognize and provide incentives for our traveler’s loyalty
through the LifeMiles loyalty program, from LifeMiles B.V. If you are a member of this program,
you are subject to the terms and conditions thereof and its Privacy Policy, available at
www.lifemiles.com. Likewise, we recognize and provide incentives for our Corporate Clients’
loyalty through the Preferencia Program of THE AIRLINES. If your company is a Corporate Client,
it is subject to the Program’s terms and conditions, available at www.programapreferencia.com
5.4.5 How long will we keep your personal data?
Information provided by Travelers, Clients and Users may remain stored for up to ten (10) years from
the date of the last Treatment, to enable us to comply with legal and/or contractual obligations under
our charge, particularly in accounting, fiscal and tax matters or for the time deemed necessary to comply
with the provisions applicable to the corresponding matter or to the administrative, accounting, tax-
related, legal and historical aspects of the information, or in any event provided by law and the provision
of the service.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
25
5.4.6 What is the legitimacy for treatment of your data?
The fundamental legal grounds that allow us to treat our clients’, travelers’ and users’ personal data is
the performance of any agreement with THE AIRLINES, as well as the contract of carriage (pursuant to
the terms and conditions that you can find in the Contract of Carriage section of our website), from
where the rights and obligations for both parties are derived.
There are also legal obligations in matters of immigration, fiscal, tax, aeronautical (such as APIS
(Advanced Passenger Information System), PNR (Passenger Name Record), among others, which
obligate us to perform certain treatments of data in compliance with procedures and requirements with
which THE AIRLINES must comply before the control and surveillance authorities and control entities at
any jurisdiction where they operate.
For example, for certain travel routes, the law requires that we provide border control entities with
information related to travel documents and your travel itinerary. We may have to disclose your
information to Authorities in other countries, whether from Civil Aviation, Immigration or others, to
comply with the legal obligations of the countries where your flight operates or overflies.
To contract transportation and provide the purchased services, as well as incompliance of certain legal
requirements, indispensable data must be collected. The client, traveler or user is under the obligation
to provide certain personal data (true and updated) legally required and necessary to execute the
contract. If they are not provided, we may not manage or perfect the contractual relationship and even,
if imprecise data is provide, boarding or entry into a foreign country could be denied.
In some cases, treatment is performed with a legitimate corporate interest, such as fraud prevention;
or by physically sending commercial communications of our products and similar services contracted by
you; as long as they do not prevail over the interests or rights and liberties of our clients.
Treatment of personal data to send commercial communications and, in its case, treatment of special
data categories is performed by THE AIRLINES based on consent granted by the traveler, client or use.
When we request your consent for some treatment, we will always inform you about it. In any case, we
inform that you have the right to withdraw your consent at any time, without conditioning performance
of the contract to withdrawal of said consent. If you are a registered user in our website, you can change
your privacy preferences at any time, modifying your online profile, accessing your private area. Also,
all commercial communications we send via email will have the option to “unsubscribe”, which allows
you to stop receiving commercial electronic communications. Even though we do everything within our
power to process unsubscribe requests within 15 working days after receiving the request, it is possible
that you may receive a commercial communication during this period.
5.4.7 Who are the recipients of your data?
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
26
The data of clients, travelers and users can be legitimately disclosed to the following third parties:
• To manage a contractual relationship: The companies integrated under Avianca Holdings S.A.
(of which Aerovias del Continente Americano S.A. is a part) or its related companies; and the
airlines that participate in your reservation and operate any of the purchased flights when, for
example, part of your itinerary includes a flight operated by a different airline (said airline will
be identified upon making your reservation); car rental companies, hotels, bus or train
companies when, for example, part of your itinerary includes a car rental, a hotel reservation a
bus or train ticket (said companies will be identified upon making your reservation); airports,
suppliers of flight reservation systems, of security tools to process bank transactions, airports,
call centers, tour operators, companies that provide ground services at airports where we are
present, banking entities, credit and debit card companies that issued the card you used to
make your reservation, insurers, our representatives or agents, among others.
• If you made a reservation with THE AIRLINES where one of your flights is operated by another
airline, this other airline will be, likewise, independently, responsible for treatment under the
data protection laws of the European Union, as well as under the local data protection laws that
apply to said company. Likewise, other entities, such as a hotel or car rental company, inter-
urban or train services operators, shall also be responsible for treatment. You can access the
privacy policies of those entities directly with them.
• For Marketing Activities: although we can share your data with those in charge of treatment or
commercial partners, we hereby inform that THE AIRLINES will not sell your personal data to
any third party.
• For Compliance with legal obligations: Authorities, such as customs, immigration and/or airport
authorities at countries included in your itinerary or that you overfly, governmental,
environmental and judicial authorities, security forces and bodies, police forces and regulatory
and control entities, when applicable laws so require or in response to a procedure, requirement,
request or other by any authority. THE AIRLINES, in their condition as aviation companies, are
obligated by the laws of the EU, the US and other countries, to provide border control and
customs authorities access to information of reservations and travel, when the flight is destined
or originates at said countries, including stopovers, and when it overflies it to arrive to its
destination. Navex Global Inc., a company incorporated under the laws of Delaware, US, for
administration of the ethics hotline.
• For Loyalty Programs: If the traveler is a member of these programs, to the companies that
manage THE AIRLINES’ loyalty programs, and operators and/or administrators of loyalty
programs. The LifeMiles loyalty program is managed and operated by LifeMiles, who will also be
responsible for treatment of your personal data. You can access its Privacy Policy at
www.lifemiles.com.
Since Avianca is located outside the European Union, many of our dependents are too. It is possible that
in some cases, recipients of the personal data and information are located outside the European Union,
since the nature of THE AIRLINES’ activity, that operates in many countries around the world, makes it
sometimes necessary to send personal data of travelers, clients and users outside the European
Economic Area to manage services related to the flight (i.e. if you fly outside the European Economic
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
27
Area). This, with the sole purpose of performing the contract of carriage and/or purchased services or
products, or for reasons legally stipulated and covered by the regulation.
If data is transferred outside the European Economic Area, it shall be done pursuant to current
regulations (Regulation (EU) 2016/679 issued by the European Parliament and the Council, April 27,
2016, in relation to Protection of Physical Persons regarding personal data treatment and free circulation
of this data and whereby Directive 95/46/CE is repealed – General Data Protection Regulations – as well
as national legislations of Member States in relation to his matter). For transfer outside the EEA, THE
AIRLINES will use standard Contractual Clauses for data protection adopted by the European
Commission and the EU – US Privacy Shield, as a guarantee that transfers made to countries that do
not have a decision that adapts to the European Commission.
5.4.8 What are your rights when you provide us with your data?
You have the right to obtain information of whether or not we are treating your personal data.
You have the right to access your personal, as well as to request rectification of inaccurate data or, in
your case, to request its suppression when, among other reasons, data is no longer necessary for the
purpose for which it was collected. You will also have the right to data portability in cases stipulated by
regulations.
In certain cases, you may request to limit treatment of your data, in which case, except for its
preservation, we will only treat it to formulate, exercise or defend claims and other motives set forth in
applicable legislation.
In certain circumstances and for reasons related to your specific situation, you can oppose data
treatment. We will stop treating your data, except tor imperious legitimate purposes, or to formulate,
exercise or defend possible claims.
Finally, regarding treatment to which you have consented voluntarily, you may withdraw your consent
at any time; but said withdrawal may not affect compliance with THE AIRLINES’ legal obligations.
To exercise your rights, you must send a request through the means enabled by the organization,
attaching a document that certifies your identity, the passport for validation associated with international
flights, the description of your request and how to contact you: Enabled means:
• Address: Avianca C/ Castello 23, 4o Izq., 28001, Madrid, Spain.
• Email: [email protected]
If you wish to obtain more information regarding your rights, if you are not satisfied with the exercise
of your rights and/or if you wish to present a claim, you must do so by addressing the data protection
control authority (Agencia Española de Protección de Datos). Contact information available at:
http://www.agpd.es/portalwebAGPD/CanalDelCiudadano/contacteciudadano/index-ides-idphp.php.
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
28
5.4.9 Information on children and minor teenagers
THE AIRLINES do not directly market minors and its services are not directly offered to them, even
though minors can be users of the products and services we offer, as long as they act through, or are
duly authorized by, their parents or whoever has guardianship or legal representation.
In the event of treatment of data of minors under the age of 16 (or the minimum age for consent
pursuant to regulations that apply to your Member State of residence) and for persons with disability to
provide their consent, treatment of personal information of these holders shall be authorized by whoever
has guardianship or representation of the minor or the legal representative of the holder.
5.4.10 Use of cookies and web beacons
Please visit our Cookies Policy and learn how we use your personal data to provide you with a better
experience.
5.4.11 Ethics Hotline
The Organization has an Ethics Hotline, managed by Navex Global Inc., a company incorporated under
the laws of Delaware, USA, and independent from The Organization so that collaborators, related third
parties, suppliers, shareholders, Travelers, Clients, Users and the general public to submit complaints
or inquiries, reveal conflicts of interests , which shall be treated confidentially. The Ethics Hotline
guarantees anonymity in the event that the reporting party wished to hide his or her identity.
The Ethics Hotline is available 24/7 at http://aviancaholdings.ethicspoint.com and on several phone
lines available on this link.
Treatment of personal data and protection of privacy will be performed by companies integrated into
Avianca Holdings, S.A., with the purpose of investigating claims, absolving queries and taking
administrative or legal action. This treatment will be performed pursuant to the Privacy Policies, available
on the “Policies” section of the Ethics Line portal.
5.4.12 Validity
This General Privacy Policy shall enter into force on the day it is published.
5.5 Canada Annex
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
29
Regarding information and personal data treated in Canada, the procedures to exercise the rights of
holders of such information will be the ones set out by the Personal Information Protection and Electronic
Documents Act, also known as PIPEDA or the Act, which constitutes a federal statute for the
establishment of rules governing collection, use and distribution of personal information in Canada. This
Act applies to Canadian territory, except for the provinces of British Columbia, Alberta and Quebec, since
such provinces are exempt from the application of this statute since they have their own local
regulations, which are substantially similar to the provisions of PIPEDA.
PIPEDA orders all organizations to collect, use and distribute personal information for purposes that are
reasonable and appropriate to the circumstances. In addition, PIPEDA sets out a list of 10 principles
with which every private organization must comply when collecting, using or distributing personal
information of any traveler, client or user, which can be seen at PIPEDA.
If requested any contact electronic address, Users may reject the option to receive any kind of
information related to the services of the AIRLINES and may, at any time, unsubscribe from the
information services in which they have signed up.
Owners of personal data and information may exercise their rights by sending a request, complaint or
claim to [email protected], which will be processed in accordance with the terms set out by this
Privacy Policy and any other applicable law.
5.6 United States Annex
The Department of Transportation of the United States of America (hereinafter DOT) states that THE
AIRLINES shall adequately report the collection, use and disclosure of personal data and information of
Travelers, Clients or Users.
Although there is no federal statute that specifically regulates the Treatment of personal data and
information in this country, the DOT may investigate and prevent any practice related to trading air
transport services, which also covers the Treatment of the personal data and information of our
Travelers, customers or Users.
The AIRLINES commit to comply the Children's Online Privacy Protection Act in the United States of
America (also known as COPPA).
The COPPA Act regulates the protection of the privacy of children in the United States and authorizes
the DOT to investigate any online use of the personal data and information of those under 13.
In the event that a person under 13 provides personal data and information without their parents or
guardians’ consent, they may contact the AIRLINES through [email protected], in which case
the AIRLINES will process the request, complaint or claim under the terms set out by this Policy and the
provisions set out by applicable laws.
Additionally, and as applicable, you can check our Privacy and Data Protection Policies:
PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS
Review Date: 2018-05-25
Rev.: 01
30
• If you are a supplier of one of THE AIRLINES and wish to check the privacy conditions that apply
to your personal data and information, please check the Privacy Policy for Suppliers.
• If you are an active employee, retired employee, related third party, beneficiary or candidate to
a position with THE AIRLINES and you wish to check the privacy conditions that apply to your
personal data and information, please check our Privacy Policy for Collaborators.
• If you are a shareholder of Avianca S.A. and you wish to check the privacy conditions that apply
to your personal data and information, please check our Privacy Policy of Aerovias el Continente
Americano S.A. for Personal Data Protection of Shareholders and Investors.
• If you are a shareholder of Avianca Holdings S.A. and you wish to check the privacy conditions
that apply to your personal data and information, please Privacy Policy of Avianca Holdings S.A.
for Personal Data Protection of Shareholders and Investors.
If you have a hearing and/or speech disability and you require personalized service, please call our toll-
free line (1 866) 998-3357 or write to us at [email protected]. Remember that you can request
special services for persons with disabilities during our online purchase process.