Last updated – July 2022
Crisa is committed to protecting the privacy of individuals and to complying with applicable personal data protection laws and regulations. We want you to feel comfortable about how we collect, process, secure and share your personal data. This Privacy Notice details the types of personal data we collect, how we use your personal data, who we share it with and how you can control its use.
This Privacy Notice applies to the main personal data processing Crisa performs. Information relating to specific processing or tools may be detailed in a dedicated privacy notice.
What is personal data?
Personal data is information that can be used to identify a person either directly or indirectly. It includes information such as name, contact details, identification numbers, financial data, location data or online identifiers.
What personal data do we use?
Depending on the nature of your relationship with Crisa, we collect, use and process the following categories of personal data:
- Identification data such as name(s), family name(s), contact details (postal address, email, telephone number(s)), signature, citizenship/nationality, age, gender, date of birth, place of birth, ID number, passport number, social security number, picture/image, voice, videos, CCTV images, audio recordings, car registration and/or driver’s license.
- Professional data such as CV, whether you are an employee of Crisa, Airbus or one of its subsidiaries or a shareholder
- Economic and financial data such as bank details and credit card details.
- IT data such as IP address, user account, company personal identifier(s)/corporate IDs, security pass number, smartcards, Cookie identifiers and other tracking technologies, radio frequency identification tags, activity logs (from tools and protocols, apps, security building access control, etc.), passwords for access to IT systems and/or websites.
We may collect this personal data:
- directly from you when you complete a form and you provide us such information, and/or
- indirectly through the organisation you are working for if needed for a purpose listed below or information made publicly available.
What are the purposes of the processing of your personal data?
Crisa may process your personal data for the following purposes:
- Website Browsers / Administration
- We may use your personal data for administrative purposes, including to help us better understand how our customers, suppliers, third party access and use our websites; to provide reports to prospective partners, service providers, regulators, and others; to implement and maintain security, anti-piracy, fraud prevention, and other services designed to protect our customers, partners and us; and to enforce our policies, directives and processes.
- Under the conditions permitted by law and when relevant, we may use your personal data for prospecting and marketing purposes, including communications through email or equivalent electronic means. For example, we may use your personal data, such as your email address, to send news and newsletters or to otherwise contact you about services or information on Crisa products we think will interest you.
- We may use your personal data to communicate with you, including responding to requests for assistance. We can communicate with you in a variety of ways, including email and via your social media accounts if you have agreed, and/or text message.
- We may use your personal data for our internal and external communication media, internal social network or public social media but also for event management (conferences, fairs, seminars and airshows)
- We may collect your personal information in order to inform Crisa, its financial results, its products and other interested Crisa related matters. Information includes regular updates on major events like publication of financial results, our newsletter to shareholders, investors and financial markets, invitations for events, surveys, dedicated campaigns and other elements related to Crisa business, securities and performance
- We may use your personal data to ensure that we recruit and select appropriate individuals to work at Crisa.
- Performance of Crisa business activities and Customer services
- We may use your personal data for Crisa sales and customer services activities, including customer relationship management, for technical support or other similar purposes and to establish and maintain customer accounts.
- We may process your personal data in the course of Crisa procurement activities such as new products or services contracts and supplier management.
- We may process your personal data in the course of Crisa public affairs management and/or Intellectual Property rights management, guest travel management.
- Research and development
- We may use your personal data for research and development purposes, including public funding submission requests, improving our websites, applications, services, and customer experience and for other research and analytical purposes dedicated to improving our products, services, businesses, operations and processes.
- Security and Health & Safety
- We may use your personal data for user access right management and monitoring in Crisa websites, IT security management, access badge management, site admission, visitor booking security video surveillance (CCTV), first response units, security clearance and/or health & safety procedures.
- To comply with legal obligations
- We may use your personal data to comply with applicable legal obligations, including responding to an authority or court order or discovery requests, and to comply with export control and sanctions requirements.
- To protect us and others
- Where we believe it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person or violations of policies, terms, and other policies.
We will use your personal data for the above purposes only, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose (for preserving particular evidence or in the context of legal statutes of limitation for example). If we need to use your personal data for an unrelated purpose, we will notify you prior to this further personal data processing and provide you with the relevant privacy information notice.
What is the legal basis for the processing of your personal data?
Subject to the applicable law, we process your personal data under the following legal basis:
- To comply with contractual obligations. When you subscribe to a particular service through a website, the purposes of processing your personal data are primarily determined by that service and we will process your information so that we can provide that service to you.
- As a result of your consent. When you have consented to the processing of your personal data by us for certain services, you can withdraw consent at any time by following the instructions provided in the application process or by contacting us at email@example.com. For further information on the right of withdrawal, please see below Section “How to exercise your rights?”
- Within the scope of a legitimate interest. On occasion taking into account the minimum privacy impact for you, the processing of your personal data might be necessary:
- For the administration and management and performance of our business relationship including accounting, auditing, performance of the contract.
- For the analysis and optimisation of our websites.
- For ensuring IT security (to detect security threats, frauds or other malicious or criminal activities) and the IT operation of Airbus and Crisa.
- For ensuring security of Crisa facilities and individuals.
- For prevention and investigation of criminal acts.
- For communication purposes to keep you up-to-date on the latest information about our services, solution and/or business activities, events, marketing campaigns, market analysis or other promotional activities and for analysis and improving the quality of our services and communication with you.
- For monitoring the compliance with our policies and standards.
- On the basis of Crisa’ legal obligations or in the public interest. Crisa, as any other company, is subject to legal obligations and regulations. In some cases the processing of your personal data will be necessary for Crisa in order to fulfil these legal obligations.
Who will receive your personal data?
Subject to the applicable law, we may disclose your personal data to the following recipient(s) on a need to know basis:
- Airbus and its Affiliates;
- Authorised persons working for or on behalf of Crisa, including our agents, service providers and advisers providing the variety of products and services we need (including IT, procurement, communication, compliance, security and training services);
- Crisa business partners in connection with Crisa activities (including educational institutions for recruitment, law firms, auditors, consultants, insurance company, flight schools);
- Crisa customers;
- Other authorised third parties in connection with any merger, reorganisation, sale of Crisa assets, or a financing or acquisition of our business by another company;
- Law enforcement or authorities where necessary to comply with applicable law.
Is any of your personal data transferred overseas?
Except for Airbus Affiliates operating outside the European Economic Area or the UK, your personal data will generally be processed in the European Economic Area and the UK. On occasion personal data might be transferred to a third country.
We may share your personal data within Airbus. Any transfers within Airbus for Airbus and Crisa daily business activity and internal organisation are covered by an intra-group agreement (see Binding Corporate Rules). The Binding Corporate Rules includes contractual protections to ensure that your personal data receives an adequate level of protection wherever it is transferred to within Airbus.
In addition, we may share some personal data to third parties located outside the European Economic Area and the UK. We always take steps to ensure that any transfer of information is carefully managed to protect your privacy rights:
- We will only transfer personal data to countries which are recognised as providing an adequate level of legal protection or where we are satisfied that arrangements are in place to protect your privacy rights,
- transfers to service providers and other third parties will be protected by contractual commitments (such as the European Commission-approved Standard Contractual Clauses) or other legally acceptable mechanisms that ensure an adequate level of protection, and
- any requests for personal data information we receive from law enforcement or regulators will be carefully checked before personal data is disclosed.
We may also collect and process personal data in third countries; in line with local personal data protection laws and regulations and detailed in a dedicated privacy notice.
If you have any questions regarding transfers, please contact us (firstname.lastname@example.org) for further details.
How long will your personal data be retained?
We retain your personal data as long as is reasonably necessary for the purposes for which it was collected. In some circumstances we may retain your personal information for longer periods of time than is needed for those purposes, such as where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.
What about the security of your personal data?
We use technical and organizational security measures in order to protect the personal data we control against accidental or intentional manipulation, loss, destruction and against access by unauthorized persons. Our security procedures are continually enhanced as new technology becomes available.
What are your rights?
At any time you may exercise your personal data protection rights as listed below by contacting us at email@example.com:
- Right to access/obtain a report detailing the information held about you: You have the right to obtain confirmation as to whether or not your personal data is being processed by Airbus and if so, what specific personal data is being processed.
- Right to correct personal data: You have the right to change any inaccurate personal data concerning you.
- Right to be forgotten: In some cases, for instance, when the personal data is no longer necessary in relation to the Purposes for which they were collected, you have the right for your personal data to be erased.
- Right to restrict the processing of your personal data: You have the right to restrict the processing of your personal data by Airbus and Crisa, for instance when the processing is unlawful and you oppose the erasure of your personal data. In such cases, your personal data will only be processed with your consent or for the exercise or defence of legal claims.
- Right to data portability: Under some circumstances provided by law, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and/or transmit those personal data to another data controller.
- Right to object: In some cases defined in law, you may ask us to stop processing your personal data.
- Right to withdraw consent: Where your consent is required, you may at any time withdraw such consent. However, please note that if you withdraw your consent, you may not be able to access and use certain information, features or services.
How to exercise your rights?
If you want to exercise your rights, if you are unhappy with the way in which your personal data has been processed, or you have questions regarding the processing of your personal data, please contact the Crisa personal data Protection Officer at the following email address: firstname.lastname@example.org.
In case of doubt of your identity, we may ask you to justify it by enclosing a copy of any identity document.
Do we use automated decision-making?
As a matter of principle, we do not use fully automated decision-making processes such as profiling. If this were to change, you would be informed.
How to ask for assistance from the competent authorities?
If you remain unsatisfied, then you have the right to apply directly to a Data Protection Supervisory Authority. Listed below are the main countries where Airbus operates and the relevant Supervisory Authority.
GERMANY: Each federal state has its own Data Protection Authority that can be found under the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
for California residents
Pursuant to the California Consumer Privacy Act of 2018 (“CCPA”): We do not sell your personal information to third parties and we will not sell your personal information to third parties unless provided otherwise by a specific privacy notice. We do not discriminate against California residents who exercise their CCPA privacy rights. To exercise your California privacy rights please refer to the section “How to exercise your rights”.
for Chinese residents
We may provide and transfer your personal information to other entities in and outside of China in accordance with this privacy notice or for other legitimate reasons. We will comply with the applicable obligations and requirements under PIPL in relation to sharing and cross-border transfers of personal information.
Cookies and similar technologies
Refer to Cookies Policy
Modification of the Privacy Notice
Crisa will regularly update this Privacy Notice to reflect any changes in our practices and services. We will inform you of any substantial modification in how we process your personal data.