Privacy Notice
for Customers

Introduction

This privacy notice (referred to as the “Notice”) outlines how Challenge Group, with central offices located at SkyParks Business Centre, Level 5, Malta International Airport, Luqa LQA 4000 – Malta, and all its subsidiaries, operating affiliates and branch offices from time to time (referred to as the “Group”, “Company” “Organisation”, “we” or “us”), collect and process personal data relating to our customers or potential customers, who may be individuals as well as representatives, employees, or contact persons of legal entities.

We take data privacy seriously and we are committed to processing your personal data in compliance with the General Data Protection Regulation EU 2016/679 (“GDPR”, “Regulation”), and any other applicable data protection and privacy laws which may be amended from time to time.

Controller Details

The Data Controller of your Personal data is the relevant entity in Challenge Group you have a business relation with. Updated contact details and other information on the Group can be found at https://www.challenge-group.com/.

The Organization has appointed a Group Data Protection Officer (“DPO”). If you have any queries relating to this Notice, including any requests to exercise your rights, please contact the DPO at dpo@challenge-group.com.

Definitions

The definition of “Personal Data”, “Automated Decision”, “Data Controller”, “Profiling”, “Processing”, and “Special Category of Data” have the same meaning of GDPR.

Personal Data collected and purpose of the processing

We obtain your Personal Data either directly from you when you contact us, when we enter into a contract with you, when you ask for a quote of our products and services, when you register as a customer on our platforms, or indirectly through the organizations for whom you work.

Personal Data we collect might include: name, surname, email, telephone number, residential address, passport or identification document and/or number, financial details including Iban and Vat number.

If you provide personal data to CHALLENGE AIRLINES IL (“Challenge IL”), you should be aware that you are not legally bound to provide any personal data to Challenge IL and that your personal information is provided on your own free will. By providing the personal data, you expressly acknowledge and agree to the terms of this Notice and that we will collect, use and share your Personal Data with third parties in accordance with the provisions of this Notice.

Please note that failure to provide the personal data requested might hinder the possibility to provide you with our products and/or services.

We Process your data for the purpose of:

  • following up on your request for a quotation and/or terms of service;
  • customer on boarding and registration;
  • to enter into a contract and provide our services to you including aircraft inspection and maintenance, cargo and transportation airfreight handling, ground handling;
  • to resolve the technical issues you might have;
  • to manage the relationship with you for bookings, quotations, pricing, claims management, tracking of cargo
  • for the purposes of managing Company’s business activity and complying with Company’s policies and internal procedures;
  • general administration purposes, archiving and record keeping;
  • compliance with our regulatory and legal obligation, auditing and reporting duties;
  • conducting legal proceedings;
  • for the defence of rights in the course of judicial, administrative or extrajudicial proceedings and in the context of disputes arising in connection with the services offered.

Legal Basis

The Organization’s legal basis for processing your personal data are the following:

  • Art. 6 (1) (a) of GDPR. If you have given explicit consent to the processing of your personal data
  • Art. 6 (1) (b) of GDPR. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract when, for instance, we receive your request of quotation or when we provide you with Our services.
  • Art. 6 (1) (c) of GDPR. Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Art. 6 (1) (f) of GDPR. Processing is necessary for our legitimate interests in conducting an existing or new business relationship, ensuring the security of our network and systems, performing our business activities and to establish, exercise or defend legal claims and to pursue any remedies available (including debt recovery). Where we process your Personal Data in reliance on article 6(1)(f) GDPR, we ensure that our legitimate interest does not override your interests or fundamental rights and freedoms which require protection of Personal Data.
  • Any other applicable legal basis according to the law of the jurisdiction where the entity you have a business relationship with, is located.

Sharing of data

We may share your Personal Data as follows:

  • Internally, limiting access to what is required or needed by individuals to perform their role.
  • Entities, subsidiaries and affiliates forming part of the Group on an “intra-group” basis.
  • Professional advisors, third party service providers, including clouds, software and database providers, ERP providers, agents, or independent contractors providing services to the Company.
  • Authorities, law enforcement bodies, courts, where such disclosures are permitted or required pursuant to applicable law.
  • Business partners or potential business partners, inter alia within reorganization, transfer and/or sale and/or assignment and/or acquisition of the Company and/or its assets and/or any part thereof, for consideration or without consideration, to third parties, including but not limited to a case of merger of the Company and/or its activity with third parties, in cases of full or partial change of control of the company and for examining the feasibility of the events mentioned above.

Automated Decision-Making and Profiling

We do not rely on any decisions taken solely by automated means (in other words, without significant human intervention) – including profiling. Should this position change in the future (and only if legally permitted to do so), you will be notified accordingly.

Transfer of data to third countries

We may need to transfer, store or process your Personal Data outside the State of Israel and the EU/EEA, either on an “intra group” basis or to third parties for the purposes described in this Notice. If your personal data are transferred in a jurisdiction outside of the EU that has not received an adequacy decision issued by the European Commission (Art. 45 GDPR), the transmission of data shall be subject to appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 which might include the Standard Contractual Clauses (SCCs). You can obtain a copy of the Standard Contractual Clauses (SCCs) by contacting us at dpo@challenge-group.com.

Security

The Organization has put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to authorised personnel on a need-to-know basis. They will only process your Personal Data on the Organization’s strict instructions or where the task or job at hand demands such access in order to be able to carry out a certain function or perform a certain job.

Data Retention

We will only retain Personal Data relating to you for as long as is necessary (taking into consideration the purpose for which it was originally obtained). We establish the retention period taking into account several factors and criteria, which includes but is not limited to any retention period set out by legal or regulatory requirements. We also take into consideration the time periods established by law, regulations and directives to exercise legal actions, to defend rights, to carry out procedural actions. Thereafter, Personal Data shall be immediately and irrevocably erased.

Different retention periods may apply according to the law of the country where the entity with whom you established the business relationship is located. For further details on data retention periods, please contact us at dpo@challenge-group.com.

We might retain your data for a longer period of time based on our legitimate interest to comply with our legal obligation, in case of a legal proceeding/audit or inspection form Authorities.

Data Subject Rights

Under GDPR you have the following rights:

  1. Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  2. Request rectification of Personal Data that we hold about You.
  3. Request erasure of your Personal Data (where applicable). This enables you to ask the Company to delete or remove personal information where there is no good reason for us continuing to process it.
  4. Object to the processing of your Personal Data (where applicable) where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes You want to object to processing on this ground.
  5. Request that we provide you with any Personal Data that you may have provided us, in a structured, commonly used and machine-readable format;
  6. Request the restriction of processing of your personal information.
  7. Request that we transmit Your Personal Data directly to You or to another controller indicated by You.
  8. Right to be informed of the source – where the Personal Data we hold about you was not provided to us directly by you, you may also have the right to be informed of the source from which your Personal Data originates.

The above rights are not absolute and can be subject to specific legal requirements or exemptions and therefore may not always be applicable.

There is no charge for the provision of the related information, following your request, except in circumstances where the request is manifestly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. The Company may withhold certain information which is exempt from the right of Subject Access in accordance with applicable Law.

We may need to request specific information from you to help us confirm your identity and ensure the exercise of your rights. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Although all reasonable efforts will be made to keep your information updated, you are requested to inform us of any change referring to the Personal Data we hold about you. In any case, if you consider that certain information about you is inaccurate, you may request rectification of such data, as explained above.

To exercise any of your rights, file a complaint relating to your privacy or if you have any other questions about our use of your Personal Data, please email the Data Protection Officer (DPO) via dpo@challenge-group.com.

You have also the right to lodge a complaint with the competent Supervisory Authority. The Leading Supervisory Authority is the Office of the Information and the Data Protection Commissioner in Malta (IDPC) (www.idpc.gov.mt).

Further processing

Where we need to further process your Personal Data for a purpose other than that for which your Personal Data has been collected, we will provide you, prior to the commencement of the further processing, with any relevant information.

Updates

We may update this Notice at our sole discretion including as a result of a change in applicable law or processing activities. Any such changes will be communicated to you prior to the commencement of the relevant processing activity.

Last Updated Date 03/03/2025