Commitment to the privacy of your personal data
The principles outlined in this document shall not prevent the use of additional Information Security measures to protect personal data. SATA remains committed to protecting the privacy, confidentiality, and security of your personal data, and this obligation is extended to all employees and suppliers who handle such data.
Ultimately, we want what's best for all our users. If you have any questions or concerns about how we manage your personal data, you should contact our Data Protection Officer (see Contacts).
What is personal data?
Personal data means any information, of any nature and regardless of its support (including sound and image), concerning an identified or identifiable natural person (data subject).
Identifiable persons are those who can be recognized directly or indirectly, including name, contact details, travel plans, and purchase history. They may also include information about how you use our websites and mobile applications.
What kind of personal data do we collect?
To provide certain services/products, SATA requires some of your personal data. However, at all points where personal data is collected, the purpose for which it is intended shall be clearly and explicitly indicated, with a guarantee that this information shall not be processed for purposes other than those indicated. If you do not provide us with your personal data we may not be able to provide you with our services/products.
For the provision of services and/or subscription to features, products, and services we may notably collect the following personal data:
- Information provided by the data subject (includes contact information): information containing personal data that is submitted by you through our collection points. Examples include your name, telephone number, e-mail address, mailing address, citizen card number, passport number and details, billing details, user account details (e.g., account security information, date of birth, address, special preferences and likes), and so on;
- Information collected through our Contact Center or complaints, suggestions or compliments handling services, information requests (name, e-mail, bank details, tax identification number, citizen card number, flight and itinerary details);
- Financial information: information related to billing and purchases made on the websites (e.g., tax identification number);
- Academic-professional information: information related to recruitment (e.g., name of employer, current job, academic background, occupation, curriculum vitae);
- Device information: information related to the device with which you are accessing our services/products (e.g., operating system version, device manufacturer details, and model name); and
- Log information: information related to the use of certain functions and applications of the Websites (e.g., cookies and other anonymous identification technologies, IP addresses, network request information, temporary message history, logs, system pattern, crash information).
We may also receive your personal data through other parties, such as from our suppliers who provide services to you on our behalf, our partners, and from travel agents or other operators who book a flight for you.
To ensure compliance with the Payment Card Industry Data Security Standards (PCI-DSS), we do not collect or process your Personal Data or card when you perform transactions with your card.
- Special Categories of Personal Data
When we provide our services, we may need to collect information that is considered by European Union law as "special categories of data" and requires additional protection such as data relating to racial origin, ethnicity, religion, health, sexual orientation, and biometric data.
SATA seeks to limit the circumstances under which this type of information is collected and processed. However, there are situations in which such collection may occur, such as when you have a specific health condition that we need to be aware of or need special assistance during a flight (if, for example, you request a wheelchair or oxygen, this may reveal information on your health).
- Personal data of minors
We consider it the responsibility of parents or legal guardians to monitor their children's use of our services/products. It is not our policy to collect personal information from minors, beyond what is strictly necessary to book or purchase our services/products.
If a legal representative has reason to believe that a minor has provided us with Personal Data without his/her prior consent, he/she should contact us to ensure that the Personal Data is removed and the minor cancels any of the applicable services.
Who is responsible for the processing of your personal data?
If you have booked flights with SATA, but one or more flights are operated by other airlines, these airlines will also be considered individually "responsible" for data processing. You can access the privacy policies of other airlines through their respective websites.
Any service provider, such as a hotel or a car rental company, will also be considered individually "responsible" for the data processing. These providers offer you direct access to their privacy policies through their websites.
For what purposes do we use your personal data?
In short, the information collected is used to provide you with our services/products, as well as to ensure legal compliance with the laws and regulations applicable to SATA. By using the services/products available on the websites, you agree that we may process and disclose your personal data with external entities for the purposes indicated herein.
In this regard, we may use your personal data for the following purposes:
- To provide, process, maintain, improve and develop products/services through the websites, particularly concerning flight booking;
- To perform customer support activities;
- To process purchase orders or sales services;
- To provide useful information such as service/product updates, events, among others;
- To conduct marketing related activities, such as sending out promotional marketing materials and campaigns;
- To analyze and develop statistical information about the use of our services/products;
- To collect your feedback to help us improve our services, particularly concerning service satisfaction through satisfaction surveys;
- To store and maintain information necessary to respond to legal obligations to which we are subject, including the obligation to provide your personal data to customs and immigration authorities; and
- To process requests addressed by you to SATA.
When do we send marketing communications?
SATA only sends communications for the advertising and promotion of its goods and services with your prior and explicit consent.
For this purpose, we may use your name, phone number, and e-mail address. This personal data may also be used to provide you with a better user experience, and we may recommend services/products to you based on information about your purchase history, browsing history, date of birth, age, gender, and location.
If you do not wish to receive further commercial communications, you may, at any time, object to such communications as follows:
- Send an e-mail to email@example.com;
- Change your marketing preferences at any time in your Sata Imagine member area;
- Exercise your right by withdrawing the given consents;
Your personal data will never be shared with other companies for marketing purposes, except with your explicit prior consent.
What is the legal basis for us to process your personal data?
SATA shall only process your personal data in cases where it has a legal basis for doing so. The legal basis depends on the reason(s) why SATA collects your personal data and the purpose for which it is collected, namely:
- Based on the contractual relationship, to handle all matters related to your booking, your travel plans, and to be able to provide all services that have been requested from us.
- Based on compliance with our legal obligations, namely concerning immigration processes and/or entry or exit from a State, ensuring your safety and complying with all legal obligations to which SATA, as an airline, is bound. Likewise, in certain cases, we are obliged or are required to communicate your contact information to local or international health authorities.
- Based on SATA’s legitimate interest, for example, to prevent fraud and ensure the security of our network and services. Whenever this is the legal basis under which the data of the Data Subject is processed, for SATA to be able to provide services tailored to your needs and provide you with more personalized treatment, we shall assess our commercial interests to ensure that they do not conflict with your rights.
- To protect your vital interests or those of another person.
- Because you have authorized SATA to use your information for a specific purpose.
How long do we keep personal data?
Your Personal Data will be kept as long as necessary to fulfill the purpose for which it was collected unless there is a specific legal requirement. As soon as the purpose for which it is held is no longer valid, the data will be deleted or anonymized so that you cannot be identified.
What are your rights as a personal data subject?
Under the applicable legislation, the data subject may at any time request access to personal data concerning him or her, as well as their rectification, erasure or limitation, and the portability of his or her data, or oppose their processing (except data strictly necessary for the provision of the service), as well as not being subject to automated individual decisions.
To exercise any of these rights, you shall use the form available here, sending it duly filled out to SATA's Data Protection Officer at the following e-mail address firstname.lastname@example.org and shall be attended to after confirmation of the holder's identity.
Without prejudice to any other administrative or judicial remedy, the data subject shall be entitled to submit a complaint to the National Data Protection Commission (CNPD) or another competent supervisory authority under the terms of the law, should they consider that their data is not being legitimately processed by SATA, under the terms of the applicable legislation.
Under what circumstances is there communication of data to other entities (third parties and subcontractors)?
Your personal data may be shared with companies in the SATA Group, which includes SATA Air Açores, SATA Internacional - Azores Airlines, and SATA Gestão de Aeródromos.
The sharing of information with these companies is limited to the strict extent of the services you are contracting with SATA.
We may also communicate your personal data to third parties for the following purposes:
- To third parties, when part of the itinerary involves a flight operated by another carrier, or when we consider such data communications to be necessary or appropriate under applicable law, in compliance with legal obligations/judicial orders, or to respond to requests from public or governmental authorities.
- To subcontractors with whom SATA enters into specific agreements to ensure the processing of personal data, where the following obligations, among others, are imposed: that any subcontracting entity shall process your data in our name, on our behalf, and with the strict obligation to follow our instructions. The same subcontractors shall provide sufficient guarantees to implement technical and organizational measures so that the data processing will meet the requirements of the applicable law and ensure the security and protection of the rights of the data subjects under the terms of the established subcontracting agreement.
- Partners that assist with transportation activities, such as handling and ground handling agents, to better serve you.
- To credit and debit card companies, credit reporting agencies, and fraud control service providers.
- Third parties such as courts, police agencies, and regulatory authorities.
SATA does not provide personal information to third parties and only allows third parties to send you marketing information if the company has your consent to do so.
To which countries outside the European Union is your personal data sent?
The provision of certain services by SATA may involve the transfer of your personal data to third countries outside the European Union or the European Economic Area. In such situations, SATA shall take the necessary and appropriate measures, following the applicable law, to ensure the protection of all personal data subject to such international transfers.
All airlines are legally required to provide the customs and immigration authorities of certain countries with all data concerning passengers and the flights they take on routes to the USA, Canada, the UK, Russia, and Brazil. This data will be used for security purposes only.
Whenever you make a booking to a destination/country that requires the transmission of your data, SATA shall inform you at the time of booking.
What security measures do we use?
SATA is committed to ensuring the protection of the personal data made available to it and has approved and implemented strict rules in this regard. Compliance with these rules is an obligation of all those authorized to access them. To prevent unauthorized access, disclosure, or other similar threats, we have implemented physical, electronic, and managerial procedures to protect the personal data we collect.
To ensure all levels of security, your Personal Data is classified based on importance and sensitivity to ensure that it has the most appropriate level of security. We also ensure that our employees and third parties who may access your Personal Data are subject to strict contractual confidentiality obligations and may be held liable if they fail to meet such obligations. We also ensure special access controls for the storage of Personal Data located in cloud services.
We are committed to regularly reviewing our personal data collection, storage, and processing practices, including physical security measures, to protect any unauthorized access and use of our resources and your Personal Data.
Although we take all possible steps to protect your Personal Data, Internet usage is by default not completely secure and, for this reason, we cannot guarantee the security or integrity of any information that is transferred from users or to users over the Internet.
- Responsibility of Use
In addition to the correct functioning of our security mechanisms, we also need your help, and it is your responsibility to safeguard your personal data, adopting an attitude of minimum exposure to the risk of loss or theft of information.
Therefore, we recommend that you do not divulge your login password or account information to anyone unless such individual is duly authorized by you. Whenever you log in to one of SATA's websites, especially on another person's computer or public Internet terminals, you should log out at the end of your session. We shall not be held liable for security lapses caused by third-party access to your Personal Data originating from your carelessness.
Notwithstanding the above, you shall notify SATA immediately whenever any unauthorized use of your account by another user occurs or whenever any other breach of security or privacy is detected.
- Third-party services and websites
Cookies are small text fragments sent by websites that you visit. These fragments are stored on your computer by your browser and only retain information related to your preferences, and as such do not include your Personal Data.
Web Beacons or Pixel tag, as they are commonly known, are small graphic images that may be included in our web pages, services, applications, messages, and tools, which usually work in combination with cookies to identify our users and user behavior.
Cookies help our websites remember information about your visits, such as your preferred language and other settings, enabling faster and more efficient navigation by eliminating the need to repeatedly enter the same information. This can make your next visit easier and our websites more useful to you.
How can you contact us?
SATA – Information Security
Avenida Infante D. Henrique, no. 55 – 2nd floor
9500-528 Ponta Delgada