Privacy Policy

Norse Atlantic Airways AS and Norse Atlantic UK Ltd

1. GENERAL PROVISIONS

1.1 Introduction

Norse Atlantic Airways AS and Norse Atlantic UK Ltd ("Norse Atlantic"), in their capacity as data controllers, collect and process personal data about you in order to provide you with their general services as well as the services accessible on their website or their mobile applications.

This privacy policy ("Policy") applies to all data that is processed, including when you make a booking, purchase a ticket, travel with Norse Atlantic, purchase or use any of its services, visit its website, use its mobile applications or interact with Norse Atlantic through the various channels available to you.

You will find information about the types of personal data we collect, the reasons why personal data is collected, how personal data is used and how long it is kept as well as information on your privacy rights and how you can exercise them.

In this Policy a reference to "Data Protection Legislation" means all applicable legislation relating to privacy or data protection in force from time to time, including any statute or statutory provision which amends, extends, implements, consolidates or replaces the same, and in particular to the extent applicable and without limitation the EU General Data Protection Regulation 2016/679 ("GDPR"), the GDPR as it forms part of the domestic law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 ("UK GDPR") and the Data Protection Act 2018. The terms "personal data", "controller", and "process" (and its derivatives) shall have the meanings given to them in the Data Protection Legislation. Where this Policy uses terms which are defined in Data Protection Legislation, the definitions set out in Data Protection Legislation will apply.

This Policy is not a contract and does not create any contractual obligation.

1.2 Contact details

Should you have any questions in regard to this Policy and/or the exercise of your rights under the Policy, please contact the Norse Atlantic Data Protection Officer by mail or by e-mail:

Norse Atlantic Airways AS
Fløyveien 14, 4838
Arendal, Norway
[email protected]

1.3 Modifications

This version is applicable as from 13 February 2023.

The Policy is regularly reviewed and updated as necessary. All changes are published on the Norse Atlantic website with the date of publication mentioned.

2. PROCESSING OF PERSONAL DATA

2.1 Types of collected personal data

The following categories of personal data may be collected and processed by Norse Atlantic:

2.1.1 Name, passport number and other identification data

When making a booking, the identification data that is collected may include your title, surname and first name, gender, date of birth, nationality, country of residence and other information appearing on your travel documents (passport or National Identity Card).

If you add other passengers to your booking or book a flight for other people, we also collect their identification data. In this case, you will also need to ensure, where appropriate, that, they understand that their personal data is collected, how it is used and how they can exercise their rights.

In the case of unaccompanied minors, the identification data of the parents or legal guardian is collected, as well as of the persons responsible for dropping the child off at the airport of departure and picking him/her up at the airport of arrival.

2.1.2 Contact, personal account or registration information

Your contact information includes your telephone number and email address.

When you create an account or subscribe to a specific service, your postal address may also be collected, as well as login details and any other data provided through the registration forms.

If you are traveling for business, information about your company may also be collected, such as the company name and address.

2.1.3 Information about bookings, ticket purchases or other services

When you make a booking on a flight, the data you provide when you make this booking is processed. This data includes the details of your flights as well as the prices and dates of your bookings. This furthermore includes information relating to the additional services you may select, such as extra luggage and seat options, as well as data necessary to finalize and pay for your booking.

2.1.4 Information about your journey

Information about your journey, such as your itinerary, online or airport check-in, your mobile or hardcopy boarding pass, and information about your travel companions is collected.

Furthermore, when applicable, data relating to certain needs for specific assistance during your stay at the airport or during the boarding/disembarking process of the aircraft, as well as meal preferences may be collected.

In order to facilitate your trips to the airport, to alert you on the status of your flight and to guarantee a reliable and punctual service, data on the confirmation of your passage through the various checkpoints through the airport may also be collected from certain airport management entities.

For airports that have implemented optional biometric screening devices, only confirmation of the verification of your identity at the various stages of your journey (check-in, baggage drop-off, boarding) is collected as well as the data necessary to automatically link this information to your booking and complete your boarding. No biometric data about passengers is collected or processed. Please read the privacy policies of the entities or authorities responsible for processing and collecting your personal data in the context of these biometric boarding systems for more information on the use of this data.

Finally, for some destinations and due to the health context linked to the Covid-19 epidemic, certain documents (certificates, supporting documents, questionnaires, negative Covid-19 test) required by the authorities of the country of destination for public health purposes prior to boarding or disembarking may be collected and verified.

2.1.5 Interactions, electronic or telephone communications

When you communicate with Norse Atlantic by email, online chat or on social networks, these exchanges are retained. Telephone calls may also be recorded when you contact the customer service department by telephone as part of the service quality monitoring or for evidentiary or fraud prevention purposes. Your communication preferences are also recorded, for example when you subscribe or unsubscribe to a newsletter or when you choose to receive communications related to your booking (such as boarding passes and flight status updates) through other channels.

2.1.6 Information collected when using the website, mobile application or other digital services

When you visit Norse Atlantic's website or use its mobile application, your IP address, browser type, operating system, referring site and browsing or application usage behaviour may be recorded.

Information through the use of cookies or other similar technologies is also collected. For more information, please read the Norse Atlantic Cookie Policy.

2.1.7 Information about social networks

In order to facilitate the creation of your account as well as future connections, you have the possibility to link your Norse Atlantic account with most social networks (Facebook, Twitter, Instagram, etc.). You will therefore benefit from an optimised navigation on the website or the mobile application. No personal data is shared with the providers of these social networks.

2.1.8 Other information you choose to share

We process the information you choose to share, such as when you share your interests and preferences on the website, leave a comment on the Facebook page or complete a customer satisfaction survey.

2.1.9 Categories of special category data

As mentioned above, in order to provide you with the appropriate service, it may be necessary to collect information that is sensitive under Data Protection Legislation. This data, such as specific assistance needs or meal preferences, may indirectly reveal information about your ethnic origin, your religious beliefs or your state of health and may therefore be deemed special category data under Data Protection Legislation.

This data is only collected with your explicit consent — when you select the corresponding services at the time of booking — and is only used to provide the relevant service during your trip. You may of course refuse to give your consent at the time of collection of this information, but this may result in you not being able to benefit from these services or benefits.

2.1.10 Cookies and similar technologies

When you use the website or mobile application, information through cookies and other similar technologies is collected. For more information, please read the Norse Atlantic Cookie Policy.

2.1.11 Collection of data about minors

Personal data relating to minors under the age of 16 is only collected and processed with the prior consent of their parents or guardians.

If personal data concerning minors under the age of 16 is collected without this consent via the website or application, parents or guardians have the possibility to object to the corresponding processing or to request the deletion of said data.

2.2 Processing purposes

2.2.1 Provision of services and products

Your personal data is collected and processed in order to manage your account or booking, provide you with the products and services you want to purchase and help you with any orders and refunds you may ask for.

The processing of this data is necessary for the performance of the contract of carriage and the performance of the services.

2.2.2 Managing and improvement of products, services and operations

Personal data is used for the creation of anonymized statistics to manage and improve products, the website and mobile app, customer loyalty or recognition programme(s) and other services.

The usage of the services is monitored in order to help protect your personal data, detect and prevent fraud, other crimes and the misuse of services.

Personal data may be used to respond to and to manage security operations, accidents or other similar incidents, including for medical and insurance purposes.

If further legal requirements for this are fulfilled, if applicable, personal data is used to carry out market research and internal research and development, and to develop and improve the product range, services, shops, IT systems, security, know-how and communication.

The processing of this data is necessary for the performance of the contract of carriage and the performance of our services as well as for the legitimate interests of Norse Atlantic in order to be able to serve you in the best way possible.

2.2.3 Personalisation of experience

Norse Atlantic wishes to ensure that marketing communications relating to its products and services, including online advertising, are relevant to your interests.

In order to achieve this, your personal data may be used to better understand your interests so that it is possible to predict other products, services and information which you might be most interested in. This enables Norse Atlantic to tailor its communications to make them more relevant and interesting for you.

Looking at your browsing behaviour and purchases helps to better understand you as a customer and it allows us to provide you with personalised offers and services.

Your responses to marketing communications may also be measured as it enables us to offer you products and services that better meet your needs as a customer.

This data is processed based on you consent or for the legitimate interests of Norse Atlantic in order to be able to serve you in the best way possible. If you do not want to receive a personalised service from us, after you have agreed to it once, you can change your preference online, over the phone or by writing (e.g. email) at any time.

Norse Atlantic Airways may also send you information and offers related to your upcoming flights via email; for this purpose we will process your e-mail address and booking history.

In addition, Norse Atlantic Airways sends email to customers who have shown interest in booking a flight but did not complete the booking process. These emails serve as a helpful reminder to assist customers in finalizing their booking, thereby enhancing the customer experience and ensuring that interested individuals can easily complete their transaction. You are free to use the straightforward unsubscribe option in these emails. For this purpose your email address and your selections online for your uncompleted booking will be processed.

2.2.4 Communication and interactions

If you contact Norse Atlantic by email, post, phone or via social media, your personal data may be used in order to provide clarification or assistance to you.

You may be invited to take part in customer surveys, questionnaires and other market research activities.

2.2.5 Safety of flights

It might be necessary to process personal data in the event of any incident likely to affect the safety or security of a flight in order to respond to and manage security operations, accidents or other similar incidents, including medical and insurance purposes.

This data may also be used, in an anonymised manner, for statistical purposes and systemic analysis in the field of flight safety.

The processing of this data is necessary in order to comply with legal or regulatory obligations as well as for the legitimate interests of Norse Atlantic in order to be able to ensure the safety of its flights and passengers.

2.2.6 Management of disputes, prevention of fraud or compliance with legal obligations

Data is collected, stored and used for internal business purposes, such as record keeping, managing disputes, preventing non-payment and fighting fraud. In the event of fraud, your personal data may be included in our internal control and alert systems. In addition, personal data is processed in accordance with legal and tax obligations.

It may be required by law to collect and share your identification, booking and travel information with public authorities or governmental organisations for border control, immigration, entry, security or anti-terrorism purposes.

2.3 Legal basis

All personal data will only be collected and processed if at least one of the following legal bases applies:

Your consent has been obtained. The consent given can be withdrawn at any stage;
It is necessary for the performance of the contract of carriage and the performance of the services or to take steps at your request prior to entering into a contract;
It is necessary to comply with a legal obligation;
It is necessary to protect your vital interests or those of another individual;
It is in the public interest or performed under an official authority;
It is in Norse Atlantic's or a third party's legitimate interests and these are not overridden by your interests or fundamental rights.

3. SECURISATION OF PERSONAL DATA

Norse Atlantic implements all appropriate technical and organisational measures in accordance with the applicable legal provisions, thereby taking regard to the nature of the personal data that was communicated and the risks presented by its processing, in order to preserve its security and, in particular, to prevent any accidental or unlawful destruction, loss, alteration, disclosure, intrusion or unauthorised access to this data.

Specific procedures and resources are in place to manage security incidents in the best possible conditions.

Specific procedures are also set up to assess the possible breach of your personal data, notify the competent authority within the time limit provided for by the regulations and inform you when this breach is likely to generate a significant risk for you and affect your privacy. Exercises are carried out periodically to check the functioning of the security installations and the adequacy of the procedures and systems deployed.

4. RIGHTS

You can exercise the following rights by contacting Norse Atlantic.

When submitting a request, you may be asked to provide certain additional information (including your names, PNR of flown flights, copy of your ID card and/or samples of communications that you complaint about, etc.) so that your identity can be validated in order to avoid unlawful processing of relevant personal data on behalf of an illegitimate person. In the context of this validation, the received data is processed for the purpose of the request and kept for as long as it serves its purpose.

When submitting a data request, you can exercise the following rights within the conditions laid down in the applicable Data Protection Legislation.

Your rights in detail are:

Right of access to or a copy of any personal data which Norse Atlantic holds about you (right of information);
Right to rectification of your personal data, if you consider that it is inaccurate;
Right to erasure if you consider that Norse Atlantic does not have the right to hold your personal data ("right to be forgotten");
Right to restriction of processing;
Right to data portability (moving some of your personal data elsewhere);
Right to object; and
Right not to be subject to a decision based on automated processing and to have safeguards put in place if you are being profiled based on your personal data.

With regard to the right of objection, the following applies: You have the right to object to any processing based on Norse Atlantic's legitimate interest. However, we will continue the processing of your personal data if Norse Atlantic can demonstrate that it has compelling legitimate grounds for processing which overrides your right of objection or the processing is necessary for the establishment, exercise or defence of legal claims.

You have the right to object to any processing for direct marketing.

You have the right to withdraw your consent for the processing of personal data to the extent that the processing of your personal data was initially based upon your consent.

You also have the right to lodge a complaint with the supervisory authority in the country or jurisdiction of your habitual residence, place of work or of the alleged infringement of Data Protection Legislation.

If you live in Norway, the Norwegian supervisory authority for Norse Atlantic can be contacted through the following details:

Datatilsynet
PO Box 458 Sentrum 0105 Oslo,
Norway
https://www.datatilsynet.no

If you live in the UK, the British supervisory authority for Norse Atlantic can be contacted through the following details:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 SAF
https://ico.org.uk/concerns

5. SHARING OF PERSONAL DATA WITH THIRD PARTIES

Your personal data is not passed on to third parties unless a valid legal basis to do so exists.

For instance your personal data may be transferred to:

Affiliated businesses for the same purposes and legal grounds as Norse Atlantic;
Commercial partners, such as hotel bookings, insurance services, car rentals, ground handlers, etc., acting as controllers on their own right (their processing is based on legal grounds defined by themselves);
Companies that process personal data in our name and on our behalf for the same purposes as we do (known as 'processors'), such as:
- Service providers in the field of transport, marketing (including market research, commercial communication, loyalty program management, ecommerce development and partnership, campaign management), customer feedback, IT maintenance and support and development, payment services and credit reference agencies, cloud and server hosting providers;
- Platforms for sending commercial communication and transactional notifications;
- Operators of live help chats and call centres;
Government authorities and agencies, e.g., based on immigration regulations or police activities and investigations.

Personal data in the form of a passenger list are also shared with the crew of outsourced, contracted and leased airlines.

6. TRANSFER OF PERSONAL DATA OUTSIDE THE UK AND EEA

There exists a legal obligation to transmit certain personal data to specific foreign authorities for various purposes.

If you have booked a flight to a country where a legal obligation exists to transfer your passenger name record (PNR) or Advanced Passenger Information (API) data to the competent authorities for flights (e.g. Canada, USA, United Kingdom), this will be adhered to.

Norse Atlantic can also be obliged to disclose your personal data to various national criminal prosecution, judicial or administrative authorities if they require such disclosure in order to prevent or prosecute crimes, misdemeanours or administrative misconduct or if they need it to fulfil their administrative duties.

Health authorities may receive passenger data for the purpose of combatting a pandemic.

Data transfers to authorities are based on intergovernmental agreements or national laws. Usually, such data are required by the authorities of the country of departure and/or arrival.

Besides these aforementioned transfers, your personal data is also disclosed to countries outside the UK or European Economic Area as some of the affiliates, commercial partners or processors, who support us in delivering our products and services are established outside the EEA.

If these transfers are necessary to offer you the services and in particular to ensure the performance of the contract of carriage, Norse Atlantic undertakes to guarantee the same level of protection of your personal data, in accordance with the requirements of Data Protection Legislation on the basis of:

adequacy decisions published by the Information Commissioner's Office ("ICO") or European Commission ("EC"), as appropriate;
by signing, on a case-by-case basis, standard contractual clauses as defined by the EC or the ICO, as appropriate; or
any other mechanism as described in Data Protection Legislation.

7. AUTOMATED DECISION-MAKING AND PROFILING

We do not carry out automated decision-making or profiling in relation to your personal data.

8. PERIOD OF RETENTION OF DATA

Your personal data is retained until you ask for its deletion (e.g. by deleting the account that you have set up), object to their storage, or as long as it is needed for justifiable and specified purposes related to the processing and/or if it is obliged by law to store them for the retention limitation periods set out by applicable Data Protection Legislation and authorities.

The retention period may therefore vary for each processing purpose.

If your data are applicable for establishment, exercise and/or defense of legal claims, it may be stored until the statutory limitation periods have expired.

After the retention limitation period (set out either by law or the business purpose of Norse Atlantic's processing) expires, the relevant data is securely deleted or anonymized.