Data protection notice: Cargolux Corporate Reporting

Cargolux Airlines International S.A., Luxembourg Airport, Luxembourg (hereinafter referred to as “Cargolux” or “We”) is committed to protecting the personal data of reporters (‘whistle-blowers’) willing to report potential violations of laws, regulations or internal policies to Cargolux (hereafter referred to as “You”). Cargolux processes your personal data in the scope of its Corporate Reporting process (hereinafter: Speak Up).

This Data Protection Notice explains how Cargolux processes your personal data in accordance with data protection legislation, especially the EU General Data Protection Regulation 2016/679 (known as “GDPR”), California Privacy Rights Act of 2020 (known as “CPRA”), the California Consumer Privacy Act of 2018 (known as “CCPA”), Personal Information Protection and Electronic Documents Act from Canada (“PIPEDA”), and the Brazilian General Data Protection law (“LGPD”).

Who is the controller of your personal data?

Cargolux, acting as Data Controller, is responsible for processing your personal data.

What personal data will Cargolux process and why do we process it?

As Speak Up is a system allowing for anonymous reporting, We do not require or collect any personal data in the scope of the Speak Up reporting process. Should You wish to optionally disclose personal data, the processing will be limited exclusively to the said data.

How do we collect your personal data?

We may collect and process personal data that You provide directly to us by means of the Speak Up reporting process.

What are the purposes and the legal basis for Cargolux's processing activities?

The processing of Your personal data is necessary for the compliance with a legal obligation as established by applicable laws implementing Directive (EU) 2019/1937. We may also process Your personal data on the basis of legitimate interest, in order to ensure compliance with internal policies. This may entail:

  • Providing You with the possibility of reporting concerns or suspicions on events that could be in breach of applicable legislation or internal policies;
  • Acknowledging the receipt of the report and updating You on the results of the process; 
  • Assessing the merits of the case, setting appropriate safeguards to guarantee independent investigations, and implementing corrective or remedial measures (including antiretaliation measures);
  • Carrying out investigations and providing reports to appropriate internal or external stakeholders involved in the process, including upper management, on the basis of anonymous or anonymized reports obtained through the Speak Up process, unless the report is submitted in a way in which the reporter voluntarily discloses their identity.

Who do we share your personal data with?

We may disclose Your personal data:

  • To internal employees on a strict need-to-know basis;
  • To law enforcement or other government and regulatory bodies or agencies, upon request and to the extent permitted by law;
  • To certain regulated professionals such as lawyers or auditors mandated by Cargolux.

How do we protect your personal data?

The processing of your personal data is carried out through IT, automated and manual tools strictly related to the aforementioned purposes and, in any event, in compliance with the appropriate technical and organizational measures required by law to ensure a level of security that is adequate to the risk, in order to avoid unauthorized loss or access to your data.

Where do we transfer your data to?

Your personal data are processed within the European Union. In case of international transfers originating from the EU/EEA to a country outside the EU/EEA, the transfer of your personal data may occur where the European Commission has determined that the country outside the EU/EEA ensures an adequate level of data protection. For transfers to countries outside the EU/EEA for which the level of protection has not been recognized as adequate by the European Commission, Cargolux will implement appropriate safeguards provided for by current data protection law (e.g. the entry into standard data protection clauses) or rely on a derogation applicable to specific situations.

For how long do we keep your data?

Unless a longer retention period is required (e.g., as necessary to defend our rights in the scope of investigations, disputes or legal claims) or permitted by law, your personal data will only be stored for 1 calendar year from the closure of the investigation pertaining to the submitted report.

Once this time limit has been exceeded, remaining personal data will be anonymized from Cargolux’s system, and the aggregated information will be kept for up to 3 calendar years.

 

What are your rights?

In accordance with the applicable data protection laws (and subject to conditions and restrictions set forth therein), You may exercise at any time the following rights in relation to your personal data:

  • Right to Know/to be Informed: You have a right to know what personal data we collect about You, including: the categories of (sensitive) personal data, the categories of sources from which the personal data is collected, the business purpose for such collection, sharing or selling, the categories of third parties to whom the personal data is disclosed to, and your rights specific to personal data processing;
  • Right to Access: You have the right to question us about any data we have regarding You, and to request access to it. Examples of information that You have access to include the purpose of the processing, and the categories of the data collected;
  • Right to Rectification: If you believe that any of your personal data is incorrect or inaccurate, You have a right to ask that we correct it;
  • Right to Deletion: You have a right to request us to erase any personal data concerning You. Please keep in mind that this is not an absolute right, as we may be required to process certain personal data by law;
  • Right to not to be subject to Discrimination: You have a right to not be subject to discrimination because You exercised any of the rights under the CCPA, CPRA or LGPD.
  • Objecting to Processing: You have a right to object to the processing of certain types of your personal data collected by us.
  • Right to limit the use and disclosure of Sensitive personal data / information: Under CPRA, You have a right to request not to sell or share your personal data / information with a third party;
  • Right to lodge a Complaint: You have the right to file a complaint with your relevant country’s Data Protection Authority in case You are dissatisfied with the handling of a request or a complaint;
  • Right to Anonymization, Blocking or Deletion: Under the LGPD, You have the right to anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of LGPD.

If You have provided your consent to the processing of your personal data, You can withdraw such consent at any time.

To exercise any of these rights, You may contact us by email [email protected] or by postal mail:

Cargolux Airlines International S.A.
Compliance Department
Luxembourg Airport
L-2990 Luxembourg
Luxembourg

 

You have the right to lodge a formal complaint with the relevant Data Protection Authority (in Luxembourg, Commission Nationale pour la Protection des Données “CNPD”; in California, California Privacy Protection Agency through this form; in Canada, Office of the Privacy Commissioner of Canada; in Brazil, Autoridade Nacional de Proteção de Dados).”

This Data Protection Notice may be modified to reflect changes on the Website or on our processing activities, to comply with legal amendments, or to integrate best practices. Updates of the Data Protection Notice will be published on our Website.