Data breach policy

1. Policy


This Policy is governed by the company’s privacy policy.

The company is committed to managing personal information in accordance with the European Regulation 679/2016.

This document sets out the processes to be followed by the staff in the event that the company experiences a data breach or suspects that a data breach has occurred. A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.

The European Regulation requires organizations to notify any individuals likely to be at risk of serious harm by a data breach. The Hellenic Data Protection Authority must also be notified.

Accordingly, the company needs to be prepared to act quickly in the event of a data breach (or suspected breach), and determine whether it is likely to result in serious harm.

Adherence to this Procedure and Response Plan will ensure that the company can contain, assess and respond to data breaches expeditiously and mitigate potential harm to the person(s) affected.

2. Purpose


The purpose of this policy is to set the principles and rules for the proper use of information systems and critical technologies by all employees, third parties and contractors. If no usage policy is in place, personnel may use the systems and critical technologies in violation of company policy, thereby allowing malicious individuals to gain access to critical systems.

3. Alert


Where a privacy data breach is known to have occurred (or is suspected), any member of staff who becomes aware of this must, within 24 hours, alert the Data Protection Officer in the first instance.

The information that should be provided (if known) at this point includes:
  • When the breach occurred (time and date),
  • Description of the breach (type of personal information involved),
  • Cause of the breach (if known), otherwise how it was discovered,
  • Which system(s), if any, are affected,
  • Which department / directorate is involved,
  • Whether corrective action has occurred to remedy or ameliorate the breach (or suspected breach).

4. Assess and determine the potential impact


Once notified of the information above, the DPO must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgment as to its severity.

Criteria for determining whether a privacy data breach has occurred:
  • Is personal information involved?
  • Is the personal information of a sensitive nature?
  • Has there been unauthorized access to personal information, or unauthorized disclosure of personal information, or loss of personal information in circumstances where access to the information is likely to occur?
Criteria for determining severity:
  • The type and extent of personal information involved,
  • Whether multiple individuals have been affected,
  • Whether the information is protected by any security measures (password protection or encryption),
  • The person or kinds of people who now have access,
  • Whether there is (or could there be) a real risk of serious harm to the affected individuals,
  • Whether there could be media or stakeholder attention as a result of the breach or suspect breach.

5. DPO to issue pre-emptive instructions


On receipt of the communication by the relevant member of the DPO, the latter will take a preliminary view as to the breach.

The DPO instructs that the data breach is to be managed and the relevant Manager must:
  • Ensure that immediate corrective action is taken, if this has not already occurred (corrective action may include: retrieval or recovery of the personal information, ceasing unauthorized access, shutting down or isolating the affected system); and
  • Submit a report to the DPO within 24 hours of receiving instructions. The report must contain the following:
    • Description of breach or suspected breach,
    • Action taken,
    • Outcome of action,
    • Processes that have been implemented to prevent a repeat of the situation,
    • Recommendation that no further action is necessary.
The DPO will sign off that no further action is required, and the report will be logged by the DPO.

6. Role of the Privacy team


There is no single method of responding to a data breach; each incident must be dealt with on a case-by-case basis by assessing the circumstances and associated risks to inform the appropriate course of action.

The following steps may be undertaken by the privacy team:
  • Immediately contain the breach (if this has not already occurred). Corrective action may include: retrieval or recovery of the personal information, ceasing unauthorized access, shutting down or isolating the affected system.
  • Evaluate the risks associated with the breach, including collecting and documenting all available evidence of the breach.
  • Call upon the expertise of, or consult with, relevant staff in the particular circumstances.
  • Engage an independent cyber security or forensic expert if necessary.
  • Assess whether serious harm is likely.
  • Notify the relevant authority through the DPO.
  • Consider developing a communication or media strategy including the timing, content and method of any announcements to staff or the media.
  • The Privacy Team must undertake its assessment within 48 hours of being convened.
  • The DPO will provide periodic updates to the Managing Director as deemed appropriate.

7. Notification


If the authority has to be informed, the DPO must prepare a prescribed statement and provide a copy to it, within 72 hours (after becoming aware of the breach).

If practicable, the company must also notify each individual to whom the relevant personal information relates. Where impracticable, the company must take reasonable steps to publicise the statement (including publishing on the website).

8. Updates to the Policy and Procedure


This policy and procedure is scheduled for review every five years, or more frequently if necessary.

9. Contact details


All matters related to privacy, including complaints about breaches of privacy, should be directed as follows:

dpo@aegeanair.com

privacy@aegeanair.com

T: +30 210 6261651

P: 31 Viltanioti str, Kifisia 14564, Athens, Greece
