Privacy Notice
The Challenge Group (thereafter referred to as the “Group“, “Challenge Group”, “Company”, “We” or the “Organization”) is committed to protecting your personal data in accordance with the General Data Protection Regulation EU 2016/679 (“GDPR” or “Regulation”) and any other applicable data protection laws, which may be amended from time to time.
This privacy policy (the “Privacy Policy” or the “Policy”) applies to users or visitors (together “you”) of this website (the “Website” or the “Site”) and explains how we collect and process your personal data through the Site, including also what your rights are, who are the third parties we share your data with, and how long we keep your data.
By accessing or using the Website, you expressly acknowledge and agree to the terms of this Privacy Policy and that we will collect, process and share your personal data with third parties in accordance with the provisions of this Privacy Policy.
1. Data Controller
This Privacy Policy is issued on behalf of Challenge Group its subsidiaries and operating affiliates, with central offices located at SkyParks Business Centre, Level 5, Malta International Airport, Luqa LQA 4000 – Malta, which is the controller (“Controller”).
We have appointed a Data Protection Officer. If you have any questions regarding the processing of your personal data or any complaint you can contact the Data Protection Officer at any time using the following contact: dpo@challenge-group.com
2. What is Personal Data?
“Personal Data” means any information that specifically identifies an individual such as a name, address, telephone number, mobile number, or e-mail address, or information about an individual that could be directly linked to such identifying information.
3. How your data is collected
Your data might be collected from you directly, when you access and use our website, when you request our services and when you contact us.
4. What Personal Data we collect, why we collect it, and what is the legal basis
| Activity | Personal Data | Purposes and lawful basis of the processing |
|---|---|---|
| When you access our Website |
|
We collect and use your data to access the website, for purposes of (network) security, to help diagnose problems with our server, to administer this web site, to see where the web site traffic is coming from.
Lawful Basis: art. 6 (1) (f) of GDPR, the process is necessary to fulfil our legitimate interests. |
| When you contact us through the “Contact us” form to request a quote or additional information on our services |
|
We collect your data for the purpose of processing your request, to communicate with you, to provide you with the information you require, to respond to your questions, to provide support and assistance.
Lawful Basis:
|
| When you file a claim or when you use our “tracking and trace” service |
|
We collect your data to process and respond to your claim and to process your request.
Lawful Basis:
|
| When you contact us for media enquiries or request to be included in our press distribution list |
|
We collect your data to respond to your media enquiries, send press releases and relevant updates, to manage and update our media contacts database.
Lawful Basis:
|
If you are a journalist and will be receiving information related to press releases or relevant updates about Challenge Group, we may have obtained your personal data from a third party, Meltwater, for outreach, trusting that your data was obtained lawfully. An agreement is in place with Meltwater which acts as a data controller. You can contact Meltwater via dpo@challenge-group.com for any complaints or requests for information. As a separate controller, Challenge Group will also take the required steps to address any of your requests. When we process your data for such purposes, we rely on our legitimate interest to inform the media about newsworthy events and updates about our Group as part of our regular business practice.
We may process your data also for our legitimate interest of ensuring the security and protection of rights. More specifically, to protect our business and our Website; to prevent and detect fraud, unauthorized activities and access, and/or other misuse; where we believe it is necessary to investigate, prevent or take actions regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of our terms of services and other agreements.
We may also process your data when it is necessary to comply with legal and regulatory obligations.
In addition, we may process your data to operate our business, in case of mergers, acquisitions, reorganizations, bankruptcy and other business transactions, to administer and/or plan our accounting, auditing, compliance, recordkeeping activities and legal functions, to exercise or defend legal claims and to pursue any legal remedy available.
Where we process your Personal Data in reliance on Article 6(1)(f) GDPR, we ensure that our legitimate interest does not override your interests or fundamental rights and freedoms.
If you provide Personal Data to CHALLENGE AIRLINES IL (“Challenge IL”) you should be aware that you are not legally bound to provide any Personal Data to Challenge IL and that your Personal Data is provided of your own free will. By providing the Personal Data to Challenge IL and/or using Challenge IL services, you shall be deemed to have consented to this Policy, and you expressly acknowledge and agree to its terms. You also acknowledge and agree that Challenge IL will collect, use, process, and share your Personal Data with third parties in accordance with the provisions of this Policy.
If you share with us any Personal Data relating to other people, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy.
5. If you fail to provide your Personal Data
If you fail to provide the Personal Data requested, we might not be able to provide you with our services.
6. Security
We have implemented appropriate technical, organizational and security measures designed to reduce the risk of accidental destruction or loss, or unauthorized disclosure or access to such Personal Data, according to the nature and context of the type of data and processing carried out. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. However, please be aware that despite our efforts, security risks might still exist especially when information is transmitted through internet, therefore we cannot guarantee that such information will be completely protected from wrongdoing, malfunctions, or unlawful interception. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us.
7. How we share your Personal Data
We may share your personal data with the following categories of third parties, only to the extent required for the specific purpose(s) outlined in this Policy:
- Service providers that perform services on our behalf, such as companies that host or operate the Website and the related services, mailing houses, IT service providers.
- Legal advisers and other professionals, accountants, data analysis providers, marketing services providers, auditors, etc.
- With regulators and authorities to comply with any legal obligation and/or request from governmental authorities, including in case of investigations, inspections and court orders; to verify or enforce our Terms of Service, to protect our rights, properties, safety and security, including also other users of the Website.
- Within the Group, we may also disclose your Personal Data to our affiliated entities, according to our internal processing agreements.
- When allowed or imposed by applicable law and in compliance with legal and regulatory requirements, in the event that we are acquired by or merged with a third-party entity, we reserve the right to disclose and/or transfer to such entities your Personal Data and any other information that we have collected through the Website, including the performance of a due diligence exercise. In the event of bankruptcy or a comparable event initiated by or against us, all such information may be deemed an asset of ours, thereby subject to potential sale or transfer to third parties.
8. Automated Decision Making
In principle, we do not use any automated decision-making (including profiling) within the meaning of Article 22 GDPR in connection with operation of our Website.
9. Transfer Extra EU
To fulfil the objectives outlined in this Policy it may be necessary for us to transfer, store, or process your personal data in countries that may not provide the same level of protection as mandated by the GDPR and where the European Commission has not issued an adequacy decision (Art. 45 GDPR). In such instances, we ensure that the transfer of data is conducted with appropriate safeguards in place, such as the use of EU standard contractual clauses (SCC). For information on EU standard contractual clauses, please visit: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.
Where we receive requests for Personal Data from law enforcement or regulators we carefully validate these requests before any Personal Data is disclosed.
10. Your Rights
According to GDPR, you have the following rights:
- Request access to your personal information. This enables you to receive a copy of the personal information We hold about you and to check that We are lawfully processing it;
- Request rectification of Personal Data that we hold about you.
- Request erasure of your Personal Data (where applicable). This enables you to ask the Organization to delete or remove personal information where there is no good reason for us continuing to process it.
- Object to the processing of your Personal Data (where applicable) where we are relying on a legitimate interest (or those of a third party) and if there is something about your particular situation which makes You want to object to processing on this ground. If Personal Data that relates to you is processed for direct marketing or profiling purposes, you have the right to object at any time to the processing of Your Personal Data for such purposes.
- Request that we provide you with any Personal Data that you may have provided us, in a structured, commonly used and machine-readable format; Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Request the restriction of processing of your personal information.
- Request that We transmit your Personal Data directly to you or to another controller indicated by you.
You have also the right to withdraw your consent any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you.
Please note that there may be circumstances in which we are entitled to continue processing your data, in particular if the processing is required to meet our legal and regulatory obligations.
The above rights are not absolute and can be subject to specific legal requirements or exemptions and therefore may not always be applicable.
If you wish to exercise your rights or if you have any questions, you can directly contact us at dpo@challenge-group.com.
We respond to legitimate requests within timeframe set by law. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
There is no charge for the provision of this information except in circumstances where the request is manifestly unfounded or excessive.
Following your request, we may retain your personal data in accordance with applicable laws and regulations for record-keeping purposes. Should you request the deletion or modification of your personal data, we will securely maintain records to document such actions as required by law or our legitimate interest to comply with the Regulation and the accountability principle.
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.
11. Right to Complain
You have a right to lodge a complaint with your local data protection Supervisory Authority at any time. Please be aware that the identified Lead Supervisory Authority is the Information and Data Protection Commissioner Office (IDPC) (https://idpc.org.mt/). We would, however, appreciate the chance to deal with your concerns before you approach the IDPC so please contact us at dpo@challenge-group.com in the first instance.
12. Retention of Your Personal Data
We will only retain your personal data for as long as necessary to fulfil the purposes for which data has been collected. To determine the appropriate retention period for personal data, we take into consideration several factors and criteria, which includes but is not limited to any retention period set out by legal or regulatory requirements, the time periods established by law, regulations and directives to exercise legal actions and to defend any rights. Thereafter, personal data shall be immediately and irrevocably erased.
We might retain your data for a longer period of time based on our legitimate interest to comply with our legal obligation and record keeping duties, in case of legal proceeding/audit or inspection from authorities or when we are obliged to do so by laws.
For further details on data retention periods, please contact us at dpo@challenge-group.com.
13. Third party technologies and Cookies
We use website tracking technologies, such as cookies, which are used by site owners or third parties to collect information about you as well as your device for different purposes, in order to enhance your navigation on our services, improve our services’ performance and customise your experience on our services. We also use this information to collect statistics about the usage of our services. For further information on what cookies are, which cookies we use, how and why we use cookies and how you can control cookies, please read our Cookie Policy.
14. Social networks and other plugins
We may also use in our website the so-called plug-ins from social networks, such as LinkedIn. etc. This is visible to you typically via corresponding icons. If you activate them (by clicking on them), the operators of the social network might collect and process your data. In these instances please note that we have no control over such operator’s privacy and cookie policy or the manner in which they collect and process your Personal Data. The processing of your personal data is then under the responsibility of the related operator so please refer to the privacy and cookie policy of the respective social networks.
15. Links to Third Parties Services
Links to other websites, services, and applications that are not operated or controlled by us (“Third-Party Services”) may be contained on the Website. This Privacy Policy does not apply to the Third-Party Services. Please review the applicable privacy statements of any Third-Party Services before providing any information to or through them.
16. Changes to Policy
We may update this Privacy Policy from time to time. We will provide notice of such changes by updating the effective date listed on this Privacy Policy. Please check this Policy frequently for the latest information on our privacy practices.
17. Contact Us
If you have any questions, concerns or complaints regarding our compliance with this Policy and the data protection laws, or if you wish to exercise your rights, we encourage you to first contact us at dpo@challenge-group.com.
Last Updated: 13/03/2025
