WH/Date of Last Revision: 31 May 2016
1.1 What if data is transmitted internationally?
International visitors may want to know whether their personal information will be transferred out of their country of origin. Please be aware that when registering or requesting a transaction on Jeppesen Sites, Jeppesen reserves the right to transfer the international visitor’s personal data to computers in the United States or any other country where Jeppesen or its affiliates, subsidiaries or service providers maintain facilities. The data protection laws in these countries may be different from, and less stringent than the international visitor’s country of residence. By using the Sites or by providing any personal or other information to Jeppesen, express consent is given to Jeppesen to conduct such transfers and processing. Jeppesen takes steps to ensure that the data collected under this Policy is processed according to the provisions of this Policy and the requirements of applicable law wherever the data is located.
2. Application of Generally Accepted Privacy Principles (GAPP)
Jeppesen is committed to providing reasonable protection from loss, inappropriate use, or inappropriate disclosure of the Personal Information that is entrusted to the company. In an effort to provide protection that is as consistent as possible for all individuals who provide Personal Information to the company, Jeppesen has established a privacy program that is based on the Generally Accepted Privacy Principles (GAPP) identified by the Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA) and the Assurance Services Development Board (ASDB) of the Canadian Institute of Chartered Accountants (CICA). These ten principles (covering Management, Notice, Choice and Consent, Collection, Use and Retention, Access, Disclosure to Third Parties, Security for Privacy, Quality, Monitoring and Enforcement) were developed to serve as a universal framework of privacy best practices that companies can use to evaluate their programs and develop sound policies and practices.
Accountability for Data Privacy at Jeppesen has been assigned to the Data Privacy Office (DPO). Responsibilities of the DPO include:
- Ensuring that processes have been implemented for the appropriate collection, use, disclosure and retention of personal information in accordance with applicable law and the Generally Accepted Privacy Principles (GAPP) .
- Ensuring that privacy plans in compliance with Data Privacy laws and regulations are documented in writing and implemented.
- Provision of guidance, consultation and training regarding privacy issues.
Compliance with privacy plans including:
- Performing monitoring and annual verifications for compliance with existing privacy plans. Verifications include ongoing monitoring and enforcement of privacy plans.
- Coordination and alignment with Boeing’s Global Privacy Office whenever appropriate
- Follow up on any deficiencies or opportunities for improvement. The DPO will maintain verification records and respond to any inquiries or complaints.
- Maintenance and assignment of data privacy training materials
- Assurance that reliable methods for dispute resolution and incident response are available and clearly communicated
- Providing support to business owners by assessing products and services to ensure compliance with applicable privacy laws
- Responsibility for the Enforcement principle of the Safe Harbor Program or the EU-US Privacy Shield agreement.
Jeppesen will notify individuals about the purposes for which they collect, use, disclose and retain information about them. Jeppesen will also provide information about how individuals can contact Jeppesen with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means Jeppesen offers for limiting its collection, use, disclosure and retention.
2.3 Choice and Consent
Jeppesen will give individuals the opportunity to choose (opt in) when their Personal Information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized.
Personal Information is collected only for the reasons provided in the Uses Permitted. This defined scope is included in the Product or Service privacy notice. If the scope requires redefinition, the privacy notice will be reissued and Data Collection will be subject to 2.3 Choice and Consent once again.
2.4.1 Special Notice Regarding Children
Jeppesen Sites are not designed for, nor is Personal Information knowingly collected from children under the age of 13. Children under 13 years of age should not provide Personal Information to Jeppesen or Affiliates. Users of the Services available on the Sites must be at least 18 years old and competent to enter into a contract. Children under the age of 18 may only use the Services with involvement of a parent or guardian.
2.4.2 Third Party Sites
2.4.3 Collection from Social Media sites
Personal Information may also be collected in connection with "liking", posting, commenting or otherwise contacting Jeppesen or its Affiliates via web pages or content that Jeppesen administers on third-party sites such as Facebook or YouTube.
Jeppesen advertises online in a variety of ways, including displaying ads across the Internet and on the Sites. Information is collected about which ads are displayed, which ads are clicked on, and on which web page the ad was displayed.
The Sites and some services and advertisements may contain "cookies." A cookie is a piece of data that is stored on an individual’s hard drive and records preferences and other data about a visit to the Sites. Like many websites, Jeppesen.com does not currently respond to “do not track” browser headers. Clear gifs (also known as web bugs or web beacons) may also be used on the Sites. E-mails sent may include a clear gif that tells whether an e-mail was received or opened, or if a link within the e-mail was clicked. Individuals may opt out of receiving marketing communications. Jeppesen or its Affiliates may also use a third party advertising company to display ads on the Sites.
NOTE: If cookies are blocked, some portions of the Sites may not function properly.
2.4.5 Collection and use of location data
When using Jeppesen sites, actual location information may be collected and processed. Various technologies are used to determine location, including IP address, GPS, and other sensors that may, for example, provide information on nearby devices, Wi-Fi access points and cell towers. Location data is used in accordance with the section ‘Uses Permitted', and disclosed in accordance with the section ‘Use, retention and disposal'.
2.5 Use, retention and disposal
Jeppesen will use an individual’s Personal Information only for Uses Permitted stated herein or in the Product or Service privacy notice and will only be provided to parties with a need to know. Reasonable attempts to use anonymized data will be made prior to disclosure.
When an account is terminated, Jeppesen will only be entitled to retain Personal Information pursuant to applicable information retention policies. Personal Information will be deleted at the conclusion of the applicable retention policy retention period.
Individuals may request access to Personal Information about them that Jeppesen holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. If an individual would like to have access to Personal Information Jeppesen holds about them, please e-mail firstname.lastname@example.org, or write to Jeppesen, Data Privacy Office, 55 Inverness Drive East, Englewood, CO 80112.
Customer California Privacy Rights - Under California law, Individuals who are California residents are entitled to annually request and obtain information about the Personal Information shared, if any, with other businesses for their own direct marketing. If applicable, the information would include the categories of Personal Information and the names and addresses of those businesses with which Personal Information was shared for the prior calendar year. To make such a request, please send an email to email@example.com. Written requests may be sent to Jeppesen, Attention: Data Privacy Office, 55 Inverness Drive East, Englewood, CO 80112-5498. Please note that not all information sharing is covered under the California law, and only information on covered sharing will be included in any response.
2.7 Disclosure to Third Parties
Prior to any transfer of Personal Information to third parties, Jeppesen will ensure that the third parties agree to European Union Standard Model Contracts or subscribe to the US Department of Commerce Safe Harbor (or EU-US Privacy Shield agreement) principles or are subject to adequate Data Privacy laws and regulations. As an alternative, Jeppesen can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by relevant principles (for example, European data privacy contract model clauses).
In some cases, an individual’s Personal Information may be disclosed by Jeppesen to recipients located in countries that may not offer a level of protection as high as the level of protection in the country where Jeppesen and its Affiliates are established.
2.8 Security for Privacy
Jeppesen will make reasonable efforts to ensure that Jeppesen, its Affiliates and Third Party Service Providers will implement reasonable and appropriate technical and organizational security measures to protect entrusted Personal Information from unauthorized or unlawful loss, unauthorized access, disclosure, alteration, and destruction.
2.9 Quality and Data integrity
Jeppesen will take reasonable steps to ensure that data is accurate, complete, and current for its intended use.
2.10 Monitoring and Enforcement
Jeppesen conducts periodic assessments to ensure compliance with its Data Privacy policies, including Safe Harbor. Any discrepancies will be corrected in a timely manner.
Jeppesen also provides (a) independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved, (b) assessments to ensure compliance with policies; and (c) commits to remedy problems arising out of a failure to comply with the principles.
With regard to complaints concerning verification, correction or deletion of any Personal Information collected, or to communicate any questions or concerns regarding this Policy or Jeppesen's treatment of Personal Information, please e-mail firstname.lastname@example.org, or by writing to Jeppesen, Data Privacy Office, 55 Inverness Drive East, Englewood, CO 80112.
Certain information may also be corrected by using the "Account" and "Profile" section of the Sites. Please note that in certain circumstances, Personal Information may not be able to be removed or changed.
Upon receipt of formal written complaints, it is Jeppesen's policy to contact the complainant regarding any concerns. If unable to reach a resolution, a third party independent recourse mechanism is used to investigate and resolve the dispute.
3. Employee Training
Jeppesen will train Employees who have access to Personal Information in the care, handling and protection of Personal Information.
4.1 Data Privacy Office (DPO): Refer to Section 2.1, Management for DPO responsibilities
4.2 Information Security (IS): IS will implement sufficient and reasonable technical, administrative and logical security controls to ensure the safety and protection of Personal Information. This also includes compliance with the Security principle of the Safe Harbor (or its successor agreement) program. In addition, IS will develop and maintain an effective information security breach notification process.
4.3 Jeppesen Human Resources Organizations: Human Resources will provide and maintain business processes which implement the Notice, Choice and Access principles for Employee Personal Information.
4.4 Jeppesen organizations administering contracts or agreements: Procurement organizations (such as Supplier Management and contracts organizations) will maintain business processes and contractual terms and conditions that implement the Onward Transfer principle of Safe Harbor or the EU-US Privacy Shield agreement.
4.5 All Jeppesen organizations using Personal Information: All organizations will maintain business processes that implement the Data Integrity principle of Safe Harbor or the EU-US Privacy Shield agreement.
5. Security Incidents
If Jeppesen or its Affiliates are made aware of any Security incidents, Jeppesen will review and investigate in accordance with company policies and procedures, as well as any applicable statutes and regulations. Once a Security Incident has been determined to have taken place, Jeppesen will conduct an investigation to determine root cause and implement reasonable solutions to ensure the safety and security of Personal Information in its custody. Affected individuals will be notified as reasonably practical after a Security Incident has been determined to have taken place unless Jeppesen or its Affiliate is subject to a legal or regulatory constraint.
Affiliate: A company not specifically part of Jeppesen (as defined at the top of this policy) but operationally reports into Jeppesen
Customer: A person or organization who receives products or services from Jeppesen
Disclosing Party: A party that discloses Personal Information to the other party
Disclosing Party Personal Data: Personal Information disclosed to Jeppesen
Employee: Someone who is employed by Jeppesen either as an Employee or a contract Employee
Personal Information: Information that specifically identifies an individual (such as an individual's name, address, e-mail address, telephone number or other identifier that permits the physical or online contacting of a specific individual) or that is associated with an identifiable person (such as demographic information or information about a person's activities when such information is linked to personally identifying information).
Processing: Any operation or set of operations performed upon Personal Information, whether automated or manually, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction.
Security Incident: An incident where the confidentiality of Personal Information within Jeppesen's custody has been materially compromised posing a reasonable possibility of harm.
Third Party Service Provider or Vendor: A third party reasonably selected by Jeppesen to provide services. Examples of Third Party Service Providers include technology service providers, business process outsourcing service providers and call center service providers.
Uses Permitted: Jeppesen's use of Personal Information includes:
- Undertaking activities related to Accounts for Products and Services with agreed to terms
- Managing an individual's relationship with Jeppesen
- Use within specific Jeppesen products and/or services
- Improving Jeppesen products, sites and services (by itself or in combination with data from other Jeppesen offerings or third parties)
- Risk assessment, information security management, statistical, trend analysis and planning purposes
- Monitoring and recording calls and electronic communications for quality, training, investigation and fraud prevention purposes
- Detection, prevention, investigation and prosecution of Employee crime
- Undertaking normal and reasonable business activities
- Administration and management of Employees (i.e. benefits, use of company assets, salary planning, etc.)
- Sharing Personal Information with The Boeing Company for workforce analysis, surveys and improvement purposes
Vendors: Third party entities hired by Jeppesen to perform fee-based services or provide goods for fee.
7. Dispute Resolution
Verification, correction or deletion of any Personal Information collected, or to communicate any questions or concerns regarding this Policy or Jeppesen's and its Affiliates’ treatment of Personal Information, please e-mail email@example.com, or by writing to Jeppesen, Data Privacy Office, 55 Inverness Drive East, Englewood, CO 80112, USA. Certain information may also be corrected by using the "Account" and "Profile" section of the Sites. Please note that in certain circumstances, Personal Information may not be able to be removed or changed. Upon receipt of formal written complaints, it is Jeppesen's policy to contact the complainant regarding any concerns. For Safe Harbor (or the EU-US Privacy Shield agreement) related concerns, if unable to reach a resolution, a third party independent recourse mechanism is used to investigate and resolve the dispute.
8. Right to Revise/ Amend
8. Right to Revise/ Amend