Privacy Policy

​​PLEASE CAREFULLY READ THE FOLLOWING NOTICE TO ENSURE YOU COMPLY WITH IT.

IT CONTAINS IMPORTANT INFORMATION ABOUT HOW WE PROCESS AND KEEP YOUR PERSONAL INFORMATION AND YOUR RIGHTS UNDER THE GENERAL DATA PROTECTION REGULATION 2016/679 (GDPR) AND THE DATA PROTECTION ACT 2018.

INTRODUCTION

  1. Thank you for using our website. As you will be providing us with personal information about you (hereafter referred to as “Personal Data”) we need to ensure that you are aware how and why your Personal Data will be treated and how long it will usually be retained for.

  2. This Privacy Policy (hereafter referred to as ‘’This Policy’’) outlines the manner in which MHC Aviation SIA (hereafter referred to as ‘’we’’ or ‘’us’’) shall handle the information and Personal Data which you have provided to us to be able to effectively manage the relationship which you have with us.

  3. This Policy will help all of us comply with our legal obligations by establishing how we will process and keep Personal Data that we collect or receive about individuals and third parties thus ensuring confidence in the manner we handle all data accordingly.

DEFINITIONS

  1. There may be certain data protection terminology in This Policy which you are unfamiliar with, and which has a specific meaning under Data Protection Laws. The most used terms are defined below:

    • Data Subject is a living, identified (or identifiable) individual we hold Personal Data about.

    • Personal Data is data we hold about a data subject. What makes it Personal Data is the fact that the data subject can be identified (directly or indirectly) from that data (or from that data and other information in our possession or available to us). Personal Data can be factual (e.g., a name, address, or date of birth) or it can be an opinion about the data subject, their actions and behaviour. It can also include an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic (e.g., DNA or RNA), mental, economic, cultural, or social status of that individual.

    • Processing is a term used to describe what we do with the Personal Data. It applies to most activities that might be undertaken in respect of the data, such as: collecting, recording, organizing, structuring, storing, adapting, or altering, retrieving, consulting, disclosing by transmission, dissemination or otherwise making it available, aligning or combining, restricting its use, erasing, or destroying it. Processing also includes transferring (or disclosing) Personal Data to third parties.

    • Data Controller is a term used to describe the natural or legal person(s) who, or organisations which, determine how and why Personal Data is processed. We are the data controller of all Personal Data held by us.

    • Data Users are those persons whose work involves processing Personal Data. Data users must protect the data they handle in accordance with this policy and any applicable data security procedures.

    • Data Processors means any natural or legal person that processes Personal Data on our behalf and on our instruction. Employees of data controllers are excluded from this definition, but it could include suppliers who handle Personal Data on our behalf.

    • Special Categories of Personal Data is a term used to describe sensitive data , such as information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, genetic data and bio metric data (where processed to uniquely identify a person or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings). Special categories of Personal Data can only be processed under strict conditions.

    • Data Protection Laws refers to the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (‘GDPR’), as well as well as other national laws on the same subject matter.

PERSONAL DATA

  1. According to the GDPR we are the “Data Controller”. This means, as described above, that we are responsible for deciding how we treat and process personal information about you.

  2. Our company and contact details are available at the end of This Policy.

  3. This Policy applies to all Data Controller’s Websites:https://www.mhcaviation.com; https://www.airbornepersonnel.info/; https://www.first2resource.com/; https://www.direct2work.com/and any service provided by the Company that is provided by the Data Controller, including the website support, regardless of the devices used by the customer of the Data Controller and/or the visitor to the website to visit the website or use the Services provided by the Data Controller.

  4. The Terms and Conditions of This Policy apply to you every time you access the content and/or the service we provide, regardless of which device (computer, cell phone, tablet, TV, etc.) you are using. This Policy does not apply to other entities provided on the Website, unless otherwise above mentioned. With that said we recommend that you read the Personal Data processing rules applied on such websites.

RESPONSIBILITY FOR DATA PROTECTION

  1. For the purposes of the provision of services by the Data Controller on the websites: https://www.mhcaviation.com; https://www.airbornepersonnel.info/; https://www.first2resource.com/; https://www.direct2work.com/ we are responsible for establishing practices and policies in line with the Data Protection Laws. It is important that we do more than just say that we are complying with Data Protection Laws; we must also demonstrate compliance.

  2. Data Controller will do this by:

    • Implementing processes and policies that enable us to comply with Data Protection Laws, such as not collecting more Personal Data than we need, providing comprehensive, clear, and transparent privacy notices, and creating and improving security features.

    • Undertaking data protection impact assessments, where appropriate, when using new technologies where the processing is likely to result in a high risk to the rights and freedoms of data subjects.

    • Introducing new technical measures (such as new software, hardware, or processes) where appropriate.

    • Undertaking periodic internal audits of Personal Data held by us; and

    • Training staff on our policies and procedures.

HOW SHOULD PERSONAL DATA BE PROCESSED

Lawfulness, fairness, and transparency

  1. The GDPR is not intended to prevent the processing of Personal Data, but to ensure that it is done lawfully and transparently, minimizing any adverse effect on the rights of the data subject. Hence, the Data Controller will comply with Data Protection Law and principles, and your Personal Data will be:

    • Processed lawfully, fairly and in a transparent way.

    • Collected only for specified and legitimate purposes that we have clearly explained to you and not processed in any way that is incompatible with those purposes.

    • Relevant and limited to what is necessary for the legitimate purpose(s) for which it is collected/processed.

    • Accurate and kept up to date, ensuring, where reasonably possible, that inaccurate Personal Data is erased or rectified without delay.

    • Kept as long as necessary solely to fulfil the purpose(s) for which it was collected.

    • Processed in a way that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or

      organisational measures.

  2. We will only process your Personal Data as set out in This Policy if you have given us consent to do so by checking the appropriate section of our consent form, provided that such consent is a freely given, specific, informed, and unambiguous indication of the data subject’s wishes. If you wish to withdraw your consent to our processing of your Personal Data, please contact us by using the details set out at the end of this Privacy Notice.

  3. For Personal Data to be processed lawfully, it must meet at least one of several conditions specified by legislation. The processing of data shall only take place where necessary, this includes but is not limited to the :

    •  Performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering a contract; or

    • Compliance with a legal obligation to which we are subject; or

    • In the pursuit of our legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

  4. In addition to satisfying one of the above conditions for processing Personal Data, the processing of Special Categories of Personal Data shall only be permitted if:

    • The Data Subject has given explicit consent to the processing of that data for one or more specified purposes; or

    • The processing is necessary for carrying out obligations under employment law, social security or social protection law, or a collective agreement; or

    • The processing is necessary for the purposes of preventive or occupational medicine, or for the assessment of the working capacity of an employee; or

    • The processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent; or

    • The processing relates to Personal Data which has been made public by the data subject; or

    • The processing is necessary for establishing or defending legal claims.

    • The processing is necessary for reasons of substantial public interest on the bases of European Law.

    • The processing is necessary for reasons of public interest in the area of public health.

INFORMATION HOW WE PROCESS DATA

 A. From candidate:

  1. In connection with your employment-related applications, we will collect, store, and process any information you have provided to us as part of your application for positions advertised on this site including your name, title, address, telephone number, personal email address, date of birth, gender, employment history, qualifications etc.

  2. Where you have given, us consent to do so (by checking the appropriate section of our consent form) we may also collect, store, and process the following “special categories” of more sensitive personal information:

    1. Information about criminal convictions and offences.

    2. Information about your race or ethnicity, religious beliefs, sexual orientation, and political opinions.

    3. Information about your health, including any medical condition, health, and sickness records.

  3.  We collect personal information about candidates from the following sources:

    • You, the candidate, when you enter your identity and contact details to register an account with us and/or when you upload your CV or add other details to your account.

    • Disclosure and Barring Service (or other equivalent body providing the same service) in respect of criminal convictions.

    • Referees, both work and personal, relating to your suitability for employment or for obtaining appropriate security clearances.

    • By concluding both electronic (Term and Conditions) and paper service or other contracts.

    • By email when contacting at our general email address: info@mhcaviation.com,

    • When you contact by email any of our employees.

    • When you agree to provide your data, for example by subscribing to a newsletter.

    • When you access your account through third party accounts (Facebook, LinkedIn, Google).

    • When you agree to the installation of cookies on your device.

    • Or otherwise, when you provide to us, or when we obtain information from third parties with your consent.

  4. We will process the personal information we collect about you to:

    • Assess your skills, qualifications, and suitability for the role you have applied for.

    • Carry out background reference or security checks (5 years employment history references), where applicable.

    • Communicate with you about the recruitment process.

    • Keep records related to our hiring processes.

    • Comply with legal or regulatory requirements.

    • If successful, to enter a contract of employment with you.

  5. Having received your application, we will process that information through our Partners’ Companies to the Client to decide whether you meet the basic requirements to be shortlisted for the role. If you do, we will decide whether your application is strong enough to invite you for an interview. If we decide to call you for an interview, we will use the information you provide to us at the interview to decide whether to offer you the role you have applied for. If we decide to offer you the role, we will then take up references and/or carry out a criminal record check before confirming your appointment.

  6. If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.

  7. We will use your particularly sensitive personal information in the following ways:

    •  We will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made.

    • We will use information about your race or national or ethnic origin, religious, philosophical, or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting

  8. It is necessary to collect information about your criminal convictions history because we are legally required to do so due to the nature of the role you have applied for

  9. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

  10. Your Personal Data may only be accessed to a limited number of our employees and to our company's IT, legal, personnel service providers, and only to the extent necessary for the proper processing of your Personal Data, and subject to strict confidentiality requirements.

B.  From Clients

  1. We generally need to have only the contact details, or the details of individual contacts at your organisation (such as their names, telephone numbers and email addresses), to enable us to ensure that our relationship runs smoothly. If we need any additional Personal Data for any reason, we will contact you.

  2. We collect information from Client from the following sources:

    • When you access our website, we collect your data automatically via cookies, in line with cookie settings in your browser. (Please see the section on how we use your Personal Data.). We collect client Personal Data in three ways:

    • Personal Data we receive directly from you:

    • Where you contact us, usually by phone or email.

    • Where we contact you by either phone or email as part of a business development

    • Personal Data we receive from other sources:

    • By analysing your online media presence.

    • From third parties such as

    • Personal Data we collect via our website:

    • We may collect data about the extent to which you access ours

C. From Referees & Emergency Contacts

  1. Referees shall confirm what already provided/known about the candidate or prospective member of staff, to secure the job they really want. Emergency contact details give us somebody to call on in an emergency. To ask for a reference the following is needed: contact details (such as name, email address and telephone number). The same details are needed for the emergency contact so that we can contact the person in the event of an accident or an emergency.

TRANSFERRING PERSONAL DATA TO THIRD PARTIES

  1. To achieve the purposes set out in this Privacy Policy, we may transfer or grant access to your data to the following data recipients/processors:

    •  For the provision of our services, data is transferred to our Partners’ Companies, which belongs to: https://mhcaviation.com/partner/

    • With the airlines for whom you have applied to work. Their use of Personal Data is subject to a separate agreement between us and them regulating their use of such information. We require all airlines to respect the security of your personal information and treat it in accordance with the law.

    • Entities eligible to receive information in accordance with legal requirements (i.e., courts, state, and municipal authorities, etc.) only to the extent necessary for the proper performance of the requirements of the legislation in force.

    • Specific technical data in your visits on the website (IP address, cookies, technical information of your browser, other information related to the browser's activity and browsing the site) may be transmitted or be available for statistics, analysis, and related purposes both for entities operating in the EU and outside the EU (i.e., when we use Google Analytics service).

TRANSFERRING PERSONAL DATA OUTSIDE THE EEA

  1. In non-EEA states, Personal Data may be subject to less protection than within the European Economic Area (“EEA”), nevertheless we may transfer any Personal Data we hold to the above-mentioned entities, provided that one of the following conditions applies:

    •  The data subject has given their explicit consent to the proposed transfer, after we have informed them of any possible risk associated with such transfers (e.g., the absence in that country of equivalent safeguards).

    • The transfer is necessary for the performance of a contract to which the data subject is a party, or which is in the interest of the data subject, or to take steps at the request of the data subject prior to entering a contract.

    • The transfer is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or

    • The transfer is necessary for the establishment or defence of a legal claim.

    • The transfer is necessary for important reasons of public interest.

  2. For each transfer of data outside the EEA, we will record which of the conditions we are relying on.

  3. In the event that Personal Data is transferred outside of the EEA, within The Company or to any of The Company’s business partners, We ensure to implement all appropriate safeguards to ensure that the same protection is afforded and the same standards are applied as would be within the EEA

DATA RETENTION POLICY

  1. We will retain your Personal Data for as long as necessary to achieve and fulfil the purposes set out in This Policy, taking into account the nature of the services provided to you and the contracts you enter into, unless longer storage of Personal Data and related documents is required by applicable laws and regulations and is necessary (e.g. mandatory time limits for accounting and others, etc.) or is required for the defence of the Data Controller's legitimate interests in judicial or other public institutions.

  2. We ensure and take all necessary measures to avoid storing outdated or unnecessary information about you and to keep your data up-to-date and accurate.

  3. We will retain and use your data for direct marketing purposes for 3 years after your last active step. We consider your active steps as showing that our Services are relevant to you. We consider the following to be the last active step: giving a consent, ordering, purchasing, requesting a product or a service, logging in to an account on a website.

MARKETING

  1. We may periodically send you information that is relevant to your relationship with us. Additionally, we may wish to use your data for the purposes listed below:

    • To enable us to develop and market other products and services.

    • To market our full range of recruitment and training services to you.

    • To use testimonials from you on our website (but only where we have obtained your express consent to do so).

    • If you are not happy about any of these, you may opt out by writing to gdpr@mhcaviation.com

CENTRAL DATA RECORD

  1. We maintain a central record of what Personal Data we collect and why we collect it. We will only process Personal Data for the specific purposes set out in central record or for any other purposes specifically permitted by the GDPR. We will notify those purposes to the data Subject when we first collect the data from them or as soon as possible thereafter.

  2. We will only process Personal Data to the extent required for the purposes notified to the data subject.  This means that we should not ask for, or record on our systems, more Personal Data than we need. We will use appropriate technical and organisational measures to ensure that Personal Data that we no longer need is erased/destroyed.

  3. We will do our best to ensure that any Personal Data we hold is accurate and kept up to date.  We aim to check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. It is therefore important that you keep us up to date with any changes to your own personal details that we hold on you as an employee.

  4. We will take all reasonable steps to erase/destroy or amend inaccurate or out-of-date data without undue delay, and in any event within one month of the data subject’s request (or two months where there are specific reasons why that is not possible).

DATA SECURITY

  1. When we process Personal Data, we will do our best to ensure that it remains secure and is protected against unauthorized or unlawful processing and accidental loss, destruction, or damage.

  2. We will do this by:

    • Encrypting Personal Data where appropriate/possible.

    • Ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process Personal Data.

    • Ensuring the restoration of access to Personal Data in a timely manner in the event of a physical or technical incident; and

    • Facilitating regular testing, assessment, and evaluation of the effectiveness of technical and organisational measures for ensuring data security.

  3. In assessing the appropriate level of security, we shall consider the risks associated with the processing, from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data that we process.

  4. Desks and cupboards should be kept locked if they hold Personal Data or confidential information of any kind. Data users must ensure that individual monitors/screens do not show Personal Data or confidential information to passers-by and that they log off from or lock their computer/tablet when it is left unattended.

  5. Whenever we transfer Personal Data or confidential information outside our own systems or offices (for example when information is taken off site by employees to visit customers or for home working) there is a risk that the Personal Data or confidential information may be lost, misappropriated, or accidentally released.

  6. Steps will be taken to minimize the risk of theft, loss, destruction, damage or unauthorized use of Personal Data or other confidential information when data is transferred. Such steps could include:

    • Taking the necessary Personal Data required, ensuring its anonymity and keeping it secure.

    • Ensuring that bags or cases containing paper records are not left visible or unattended for longer than is necessary. If it is unavoidable to leave paper records in a vehicle (e.g., whilst refuelling) the data must be locked in a secure compartment or boot of the vehicle.

    • Ensuring that paper records are not carried ‘loosely’ but instead kept in a file or folder so that they are not visible to onlookers.

  7. Permission shall be granted from the manager before taking Personal Data off site. It must also be brought back and securely stored at the earliest opportunity.

DATA SAFETY

  1. It is very important that we are aware of the risks of Personal Data Breaches, and that we react quickly to an apparent breach.

  2. A Personal Data Breach may not be evident straightaway. However, there may be indicators of a Personal Data Breach, system compromise, unauthorized activity, or signs of misuse. A Personal Data breach can happen in many ways, including:

    • Loss of a mobile device or hard copy file which contains Personal Data (e.g., leaving it on a train).

    • Theft of a mobile device or hard copy file which contains Personal Data (e.g., stolen from a vehicle or home).

    • Human error (e.g., a member of staff sending an email containing Personal Data to an unintended recipient, or accidentally altering or deleting Personal Data).

    • Cyber-attack (e.g., opening an attachment to an email from an unknown third party which contains ransomware or other malware).

    • Allowing unauthorized use/access (e.g., permitting an unauthorized third party to access secure areas of the office or our systems).

    • Unusual log-in and/or excessive system activity, from any active user accounts.

    • Unusual remote access activity.

    • The presence of any spoof wireless (Wi-Fi) networks visible or accessible from our working environment.

    • Equipment failure.

    • Hardware or software key-loggers found connected to or installed on our systems.

    • Unforeseen circumstances such as a fire or flood; or

    • ‘Blagging’ offences where information is obtained from us by a third party through deception.

  3. As soon as you become aware of any Personal Data Breach or have any reason to suspect a Personal Data Breach has or is about to occur (for whatever reason), you should contact our data protection contact immediately or, if they are not available, your line manager.

DATA MANAGEMENT

  1. Paper records that contain Personal Data must be shredded and disposed of securely when there is no longer a need to retain them. Paper records containing Personal Data must not be disposed of in any other way.

  2. For electronically stored data, there is a significant difference between deleting Personal Data irretrievably, archiving it in a structured, retrievable manner, or moving it as unordered data to an electronic wastebasket. Personal Data that is archived, for example, is subject to the same data protection rules as ‘live’ Personal Data.

  3. When deleting electronic data, all possible steps should be taken to put the data in question beyond use. Where it is impossible to delete data from the electronic ether altogether, all reasonable steps should be taken to ensure that it is deleted to the fullest extent possible.

  4. The IT Team will be responsible for destroying electronic equipment that contains Personal Data (e.g., laptops and desktops) securely.

RIGHTS OF DATA SUBJECTS

  1. Under certain circumstances, by law if we process Personal Data, the data subject will have the right to:

    • Request information about the Personal Data we hold about them.

    • Request access to personal information (This enables the data subject to receive a copy of the personal information we hold and to check that we are lawfully processing it.

    • Have any inaccurate Personal Data about them corrected and incomplete Personal Data completed, subject to us satisfying ourselves that the data is in fact inaccurate or incomplete.

    • Ask us to destroy Personal Data about them. We can refuse this request if the Personal Data is still necessary in relation to the purposes for which it is being processed, and there is a legitimate basis for us to continue processing.

    • Ask us to restrict the processing of their Personal Data to merely storing it. This can only be requested if: the accuracy of Personal Data has been contested and remains unverified, if we no longer require the Personal Data but the data subject needs it to establish or defend a legal claim, if the data subject has objected to the processing of Personal Data and we are deciding whether our legitimate interests override theirs, or if our processing is unlawful.

    • Request the transfer of their personal information to another party.

  2. If a data subject exercises these rights and we have disclosed the Personal Data in question to a third party, we will do our best to ensure that the third party complies with the wishes of the data subject.

SUBJECT ACCESS REQUESTS

  1. Data subjects who wish to request information about the Personal Data we hold about them must do so in writing.If you receive such a request (whether in paper form or in an email or other electronic format) you should forward it to our DPO contact immediately.

  2. If you want to review, verify, correct, or request erasure of your personal information, object to the processing of your Personal Data, or request that we transfer a copy of your personal information to another party, please contact our DPO in writing using the contact details at the end of This Policy

  3. When you apply for a position on this you will be asked to provide your consent to us processing your personal information for the purposes of the recruitment process.

  4. You have the right to withdraw your consent for processing for that purpose at any time. To withdraw your consent, please contact our DPO using the contact details at the end of this Privacy Notice. Once we have received notification that you have withdrawn your consent, we will no longer process your application and, subject to our retention policy, we will dispose of your Personal Data securely.

PERSONAL DATA BREACH RESPONSE PLAN

  1. In the event of a Personal Data breach, we must take quick action to minimize the impact of the breach and, in certain circumstances, must report the breach within 72 hours of it occurring. Therefore, if you become aware of any Personal Data breach or are unsure if a Personal Data breach has occurred, whether by you or someone else, you should contact our data protection contact immediately or, if they are not available, notify your line manager (see 13.3 above).

  2. Once a Personal Data breach or a potential Personal Data breach has been reported, our data protection contact will be responsible for responding to the data breach. In most cases this will involve:

    • Investigating the breach to determine the nature and the cause of it, and the extent of the damage or harm that may result.

    • Implementing the necessary steps to stop the breach from continuing or recurring and limiting the harm to data subjects associated with the breach.

    • Assessing whether there is an obligation to notify other parties, in specific, the Information Commissioner’s Office (“ICO”) and the affected data subjects and, if so, making those notifications. If there is an obligation to make a notification to the ICO, this will normally need to be done within 72 hours of us becoming aware of the breach and therefore it is essential that any suspected or actual breaches are reported immediately.

    • Recording information about the Personal Data breach and the steps taken in response to it.

  3. The DPO oversees compliance with This Policy. If you have any questions about This Policy or how we handle your personal information, please contact the DPO. You have the right to make a complaint at any time to the Data State Inspectorate of the Republic of Latvia, supervisory authority for data protection issues. You may contact the IDPC as follows:

CHANGES TO THIS PRIVACY POLICY

This policy does not form part of your contract of employment, and we keep it under regular review, and we apply updates as per changes in regulation or legislation. Updates to This Policy will be posted on this page – please check back from time to time. We may also inform you of any changes where we hold an appropriate email address for you. This privacy policy was last updated on MAY 2021.

DPO full details

    • Company Name: MHC Aviation, SIA

    • Registered Address: Vienibas gatve 109, Riga, Latvia, LV-1058

    • Company Number: 40203254052

    • ​Telephone: +371 6735 1000

    • Name of DPO: Sintija Sinicka

    • Email: sintija@mhcaviation.com