STP Airways – Transportes Aéreos de São Tomé e Príncipe, S.A., Lisbon branch (hereinafter referred as STP‐LIS) respects individual privacy and is committed to protect your personal data (hereinafter referred as DP’s), valuing the trust of our users, clients and partners.

STP‐LIS is obliged to comply with this STP Airways Data Protection and Privacy Policy (hereinafter referred as “STP Airways Privacy Policy” or “Policy”), in accordance with General Data Protection Regulation (hereinafter referred as “GDPR”), approved by Regulation (EU) 2016/679 from European Parliament and Council, dated April 27th, 2016, on the protection of natural persons processing their personal data and on the free movement of such data as well as other applicable regulations on data protection.

So, we are committed to be transparent and clear regarding to DP’s we collect and how we process them, and we assure they will be processed lawfully, fairly and in a transparent manner and to make our best efforts to assure safety and privacy of our users, clients and partners DP’s. In this Policy we will share the types of DP´s we collect and process, how they are collected and kept as well as the purposes of the processing and the recipient’s categories to whom we transfer DP’s.

This Privacy Policy applies to DP’s collected and processed by STP‐LIS as “Controller” in the terms and definition in GDPR Article 4th (7), in particular DP’s from our clients and users who visit STP‐LIS website.

In data processing operations, STP‐LIS, as Controller, determines the purposes and means of the processing of personal data.

When we refer to “personal data”, DP’s, we mean “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”, following pari passu GDPR definition, Article 4th (1). The natural person identified or identifiable is called “Data Subject”.

As DP’s example: name, electronic mail address, birth date, contact data, payment data.

We collect your DP’s, for example, when you use our services to make a flight reservation, when you use our website or when you contact us.

STP‐LIS may process, namely, following categories of DP’s:

• Data to make and manage your flight reservation or to provide a service you have requested, such as: name;
• electronic address, birth date, telephone contacts, passport number, credit/debt card data or other methods of payment;
• Data on your flight travel history, including information related to your flights;
• Data on your medical health, in the case your condition requires special medical care or meals (please see more under Special categories of personal data);
• Your online registration data to assure we interact with you in a correct way, as you have register in our website;
• On the communications between you and us or sent thru mail letter, e‐mail, phoner calls and social network.

Special categories of personal data

DP’s like your physical or mental health are deemed as data of special categories (sensitive data) under GDPR terms and other legislation on personal data protection. We will restrict processing of such data to the cases strictly referred by law, namely if you have expressed your consent or if you have made public such data.

STP‐LIS will process you DP’s in a lawful way and if at least one of the following conditions apply:

• You have expressed your consent to the processing of your DP’s to one or more lawful purposes;
• The processing is needed to prepare and execute a contract in which you are part;
• The processing is needed to fulfill legal obligations by STP‐LIS;
• The processing is needed to protect your vital interests or from another natural person;
• The processing is needed to protect, in the terms of the law, STP‐LIS or third parties legitimate interests.

In the cases where processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

We process you DP’s, namely, for the following purposes:

• Manage your reservations and providing services
  When flying with us, we use your DP´s to provide the relevant services related to the flight, for example, to issue the ticket, to check in, to issue boarding pass, to receive you on board and carry you safely to your destination. DP’s are also used to change reservations at your request.
• To communicate and manage our relationship with you
  We contact you in the event of a change in flight schedule or a cancellation, as well as about requested services and changes on those services. Those communications are not made for marketing purposes and you cannot choose not to receive them.
• To improve our service providing and fulfill our goals
  The business goals for which we use your DP’s include accounting, invoicing and audit, credit card checking, fraud investigation, security, protection and juridic matters.
• To fulfill our legal obligations
  For example our obligation to provide your DP’s to customs and immigration authorities, in tax matters and other legal or regulatory obligation.

In some cases, the communication of your DPs may constitute a legal or contractual obligation of yours, or a necessary requirement to conclude the contract between you and STP‐LIS. In such cases, failure to comply with the obligation to communicate your DP’s to STP‐LIS may result in the impossibility of concluding the contract or, in the case of a contract already concluded, serve as a basis for its termination by STP‐LIS.

In accordance with legal and regulatory requirements regarding the protection of PD’s, the data subject has a set of rights regarding the processing operations of his PD’s.

STP‐LIS guarantees you the possibility to exercise, under the legally established terms, your rights in this area, namely:

a) Revoke your consent regarding the processing of personal data;

b) Oppose the further processing of personal data;

c) Request the person responsible for the processing of personal data to access them, as well as their rectification or erasure, including the exercise of the “right to be forgotten”;

d) Be informed, upon request, about the purposes of the processing, the categories of data involved, the identity of the recipients to whom they have been disclosed and the period of storage of my personal data;

e) Be informed about the personal data being processed and any information available on the origin of such data, electronically, if not this document;

f) The right to consult and update your personal data held by STP‐LIS.

If you have any questions about your rights or how you can exercise them as a DP holder, you can contact the STP‐LIS

Data Protection Officer via email or a written request sent to:

• dpo.lis@stpairways.st
• Data Protection Officer (DPO)

STP Airways, sucursal de Lisboa, Avenida João XXI Loja 11D, 1000‐298 Lisboa, Portugal
Without prejudice to any other administrative or judicial remedy, you also have the right to file a complaint with the National Data Protection Commission (CNPD) or another competent supervisory authority under the Law, if you consider that your data is not to be subject to legitimate processing by STP‐LIS, under the terms of applicable legislation
and this Privacy Policy.

CNPD Contacts:

• Website: https://www.cnpd.pt/
• E‐mail: geral@cnpd.pt

With the grounds and for the pursuit of the aforementioned purposes, your DP’s may be transmitted to other entities, in accordance with the legal and contractual provisions in force.

In this sense, STP‐LIS, having as its highest priority the security in the processing of its DP’s, ensures that the processing operations carried out by other entities are, in the applicable cases, contractually regulated, delimiting the obligations in terms of DP’s, the specific purpose or the purposes for which the data is processed.

Furthermore, and in the applicable cases, STP‐LIS checks, beforehand and subsequently, on a regular basis, that the entities to which it transmits its DP’s are reliable and that they have sufficient and adequate protection guarantees in terms of data protection.

Your data may be transmitted, for the purposes described in this Privacy Policy or based on the legal grounds established by the Law, namely to the following recipients/categories of recipients:

• Government authorities, police forces, regulators and airports on the customer’s itinerary or where the customer’s flight may be heading in accordance with applicable legal requirements;
• Travel agents or other companies through which you book your STP‐LIS flights;
• Trusted agents of the Global Distribution System (GDS), through which you book your STP‐LIS flight;
• Partner airlines whose provision of services is necessary for the customer.
• Suppliers who provide services to us in order to help us run our business and improve our services and your customer experience. For example, we may transmit your DP’s to companies that provide ground services at the airports where we operate. At STP‐LIS, we select the providers who handle your PD’s on our behalf very carefully, and we require them to meet high security standards for the protection of your PD’s, and ask for consent if necessary.
• Credit and debit card companies
  STP‐LIS transmits some of its DP’s, which include information about your payment method and flight reservation, to the credit or debit card companies that issued the card you used to make your reservation, in order to guarantee the security of your your transactions and prevent or detect fraudulent transactions.
• Sectoral authorities, including the National Civil Aviation Authority to ensure compliance with applicable regulatory provisions.
• STP‐LIS service providers and representatives, namely tax consultants, auditors, lawyers, enforcement agents or other entities to which functions related to the monitoring or management of their contract have been assigned;
• Judicial entities or other entities that have legal legitimacy to process the data in question

STP‐LIS does business in different jurisdictions, some of which are outside the European Economic Area (EEA), such as São Tomé and Príncipe and Guinea Bissau. In some cases, non‐EEA countries do not always have robust data protection laws (confirmed by European Commission decisions).

However, and in accordance with the law, namely when this is necessary to execute the contract between you and STP‐LIS or when standardized methods are used within the scope of European legislation, the international transfer may lawfully take place.

STP‐LIS guarantees that it requires, in applicable cases, that all service providers treat their customers’ PD’s in accordance with security levels comparable to those contained in Portuguese and European legislation on data protection.

We keep your DP’s for the period essential to satisfy the purposes on which the processing is based, so the data may be kept after the end of the contractual relationship for the fulfillment of legal obligations imposed on STP‐LIS or for the defense of a right of STP‐LIS in court proceedings.

In the context of minimizing the processing of your PD’s, we guarantee that the data collected and processed are only strictly necessary and, moreover, that the appropriate technical and organizational measures are adopted to protect your PD’s against accidental loss, misuse or incorrect use, unauthorized access or exposure.

In this sense, we use a range of data security controls, defined according to the needs inherent to our activity and with security policies, we monitor these controls to detect failures or violations, including the review of access authorizations to DP’s, own or from third parties, by holders of PD’s and STP‐LIS employees.

We are committed to ensuring that our team has adequate knowledge of data protection legislation and practices, and the entire team has had the opportunity to participate in awareness training in this area, in order to be able to anticipate and identify any data protection issues. that may arise, in order to guarantee your rights, freedoms and guarantees as a holder of PD’s.

In the event of a breach of security, STP‐LIS ensures compliance with all legal obligations specifically applicable in this area.

STP‐LIS Privacy Policy is a dynamic tool and we will update it when there is a change in the way we process your data.

We may update this Privacy Policy as necessary to ensure that the information we provide is up to date and in compliance with relevant data protection laws. Any new version of this Policy will be posted on our website.

All your questions, comments and requests related to this privacy policy or your DP’s are welcome and can be sent to:

• STP-LIS Data Protection Officer contact:dpo.lis@stpairways.st

• STP Airways, sucursal de Lisboa,
  Avenida João XXI Loja 11D,
  1000-298 Lisboa, Portugal