Personal data protection policy

Edito données personnelles header

Personal data

How we protect your personal data

 

AEROPORTS DE LYON is required, within the framework of its activities, to process Personal Data (as defined below) concerning its customers and prospective customers. AEROPORTS DE LYON is committed to protecting its customers’ personal data and ensures that such data is processed securely in accordance with the regulations in force.

AEROPORTS DE LYON undertakes to comply with the legal and regulatory provisions in force relating to Information Technology, Files and Civil Liberties, in particular with the amended Act No. 78‐17 of 6 January 1978 of the French Parliament and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data (hereinafter referred to as the “Regulations”).

The purpose of this policy is to inform the data subjects of the main data processing involving their personal data.

The following definitions are used in the Personal Data policy

  • Personal Data:

refers to all information that, directly or indirectly, identifies a natural person or makes a natural person identifiable, and, more specifically, the data specified below.
•    Data Subject:
refers to the natural person whose Personal Data is collected and processed by AEROPORTS DE LYON or a Data Processor.
•    Processing:
refers to any operation or set of operations carried out using automated or manual processes in electronic or paper format, such as the collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, or distribution of Personal Data.
•    Data Controller:
refers to the natural or legal person, public authority, service, or other body that, alone or jointly with others, defines the purposes and means of processing of the data.
•    Data Processor:
refers to any person outside of AEROPORTS DE LYON who performs any activity on behalf of AEROPORTS DE LYON resulting in any form of access to Personal Data.
•    Websites:
refers to the websites of AEROPORTS DE LYON with the following URL addresses:



PASSENGER CUSTOMERS

  • www.lyonaeroports.com: Corporate website of Aéroports de Lyon: practical information about the airport, flights and destinations.
  • store.lyonaeroports.com  :  Products and services provided by Aéroports de Lyon and its partners
  • https://www.skiairports.com :  Web portal for booking transport for Alpine ski resorts

BUSINESS CUSTOMERS PARTNERS AND SUPPLIERS
 
  • entreprises.lyonaeroports.com : Portal for Aéroports de Lyon partner sites
  • https://cargoport.lyonaeroports.com : Website dedicated to Cargo activities
  •  https://businessaviation.lyonaeroports.com : Website dedicated to business aviation activities
  •  https://immobilier.lyonaeroports.com : Website dedicated to real estate activities
  • https://cdm.lyonaeroports.com : Website for real-time flight data-sharing (controlled access)
  • https://compagnies.lyonaeroports.com : Website for airlines
  •  https://pro.lyonaeroports.com : Website for travel agencies
  • https://commerces.lyonaeroports.com :  Website for airport retailers
  •  https://publicite.lyonaeroports.com :  Website for airport advertisers 
  • https://achats.lyonaeroports.com : Website for suppliers applying for public procurement contracts with Aéroports de Lyon
  • https://transports.lyonaeroports.com  : Website dedicated to road passenger transport professionals 
GENERAL PUBLIC
  • www.satoemplois.com : Website for jobs at Aéroports de Lyon
    Aéroports de Lyon news website
  • https://developpementdurable.lyonaeroports.com : Website dedicated to sustainable development

AEROPORTS DE LYON regularly updates this personal data Protection Policy. Any changes shall be communicated by email to the Data Subjects, who may withdraw their consent at any time by notifying the AEROPORTS DE LYON Personal Data Protection Officer at the following email address: donnees‐personnelles@lyonaeroports.com. This policy was published on: d’AEROPORTS DE LYON à l’adresse courriel suivantedonnees-personnelles@lyonaeroports.com.
This policy was published on September 17, 2020



As a passenger customer

AEROPORTS DE LYON acts as Data Controller for the implemented data processing.
Please consult the Website’s Legal Notices for more information about AEROPORTS DE LYON.
For certain data processing, however, AEROPORTS DE LYON acts as data processor on behalf of airlines or the French State.

The following data processing operations are implemented for the purposes described and with the legal grounds specified in the lawful bases. The operations process the following data in line with the retention periods stated.
Some data processing is implemented via the websites stated under DEFINITIONS; other processing is implemented directly at Lyon‐Saint Exupéry Airport.

Consult the document

Only authorised persons of Aéroports de Lyon can access the personal data.
AEROPORTS DE LYON declares that it uses Data Processors for the hosting of Personal Data and for the fulfilment of the Processing Purposes.
Personal data may be transferred to third parties for business purposes, including to airlines, to certain service providers involved in data processing, and to certain State executive bodies

Consulter le document

AEROPORTS DE LYON is committed to implementing the following security measures:
(a)    physical security measures designed to prevent unauthorised access to Personal Data,
(b)    identity and access checks via an authentication system and a password policy,
(c)    an Authorisation Management System, and,
(d)    processes and systems for tracking all actions carried out on the AEROPORTS DE LYON information system and for reporting any incidents affecting Personal Data, in accordance with the Regulations.

AEROPORTS DE LYON also applies the following principles:

  • For new data processing operations: privacy by design/by default
  • For staff: awareness campaigns and training sessions on personal data protection
  • For data processors: framing of the data processing entrusted to data processors in a contractual appendix


AEROPORTS DE LYON shall notify the supervisory authority concerned, and the Data Subject if necessary, of any Personal Data breach within no more than 72 hours of having been informed of it, by sending an email to the email address provided. This notification shall be accompanied by any relevant documentation.

In accordance with the regulations in force, you have the right to access and rectify your personal data and request its deletion and portability. You can also oppose the processing of the data or request that this processing be limited.

If you have consented to the processing of your personal data, you can withdraw this consent at any time. You also have the right to define directives on the retention or deletion of your data after your death.

You should contact the Aéroports de Lyon Personal Data Protection Officer (DPO) for any request concerning the exercise of the aforementioned rights.

You can contact the Aéroports de Lyon Personal Data Protection Officer (DPO) by sending an email to: donnees‐personnelles@lyonaeroports.com with proof of your identity and specifying the right you wish to exercise.
 
If, after contacting us, you feel that your rights to your data are not being respected, you can submit a complaint to the CNIL (www.cnil.fr/en).

The MONA service is being offered by LYON AEROPORT as an experimental service at Lyon‐Saint Exupéry Airport for a period of 12 months, as from October 5, 2020. 
It is offered to adult passengers for certain eligible flights to Nantes, Gothenburg and Lisbon.
It has the following three purposes:
•    Fluidity of the passenger journey
•    Operational performance
•    Customer relations

It uses a facial recognition system to improve the passenger journey and enhance it with operational and commercial services.
It is divided into two phases for each flight: check-in and passage through checkpoints (Automatic bag drop, Security checkpoints, Lounge Access, Boarding).

The following data is processed at the check-in stage:
•    Flight information on the boarding pass
•    ID information
•    Photo taken (face)
A documentation check is carried out and a biometric template is generated.
This phase takes place using either the LYON AEROPORT mobile app or a MONA terminal at the airport. 
The biometric template that allows customers to be identified at each checkpoint is deleted once the flight is complete.
The photo and ID information are stored on the passenger’s phone in a secure zone for use at subsequent check-ins, which will be quicker as a result. 
No data is stored on the terminal.

The following data is processed at the checkpoint stages:
•    Photo taken (face)
•    Biometric template
The lawful bases for the processing of personal data are legal obligation and consent. 
The data is hosted extremely securely at Lyon-Saint Exupéry Airport.
The technical solution is implemented by the Lyon Aéroport teams, in collaboration with various data processors: IDEMIA as data processor for the facial recognition system; ATIPIK for the mobile app; and the companies ICM (automated bag drop), RESA (reading of boarding passes), VISEO and SALESFORCE (Customer Relationship Management (CRM) Tool).

No data is transferred outside of the European Union.
 
MONA is an optional service, meaning it is possible to revert to the classic passenger journey, without the use of facial recognition, without needing to unsubscribe from the service.
There is also an agent available at each stage of the service who can provide MONA passengers with any necessary assistance or information.

You can contact the Aéroports de Lyon Personal Data Protection Officer (DPO) to exercise your rights to your data by sending an email to: donnees‐personnelles@lyonaeroports.com with proof of your identity and specifying the right you wish to exercise.

If, after contacting us, you feel that your rights to your data are not being respected, you can submit a complaint to the CNIL (www.cnil.fr/en).



As a Business customer, partner or supplier

AEROPORTS DE LYON acts as Data Controller for the implemented data processing.
Please consult the Website’s Legal Notices for more information about AEROPORTS DE LYON.
For certain data processing, however, AEROPORTS DE LYON acts as data processor on behalf of airlines or the French State.

AEROPORTS DE LYON acts as Data Controller for the implemented data processing.
Please consult the Website’s Legal Notices for more information about AEROPORTS DE LYON.
For certain data processing, however, AEROPORTS DE LYON acts as data processor on behalf of airlines or the French State.
Consulter le document

Only authorised persons of Aéroports de Lyon can access the personal data.
AEROPORTS DE LYON declares that it uses Data Processors for the hosting of Personal Data and for the fulfilment of the Processing Purposes.
 
Personal data may be transferred to third parties for business purposes, including to airlines, to certain service providers involved in data processing, and to certain State executive bodies. The data processors used are as follows:

Consulter le document

AEROPORTS DE LYON is committed to implementing the following security measures:
(a)    physical security measures designed to prevent unauthorised access to Personal Data,
(b)    identity and access checks via an authentication system and a password policy,
(c)    an Authorisation Management System, and,
(d)    processes and systems for tracking all actions carried out on the AEROPORTS DE LYON information system and for reporting any incidents affecting Personal Data, in accordance with the Regulations.

AEROPORTS DE LYON also applies the following principles:

  • For new data processing operations: privacy by design/by default
  • For staff: awareness campaigns and training sessions on personal data protection
  • For data processors: framing of the data processing entrusted to data processors in a contractual appendix


AEROPORTS DE LYON shall notify the supervisory authority concerned, and the Data Subject if necessary, of any Personal Data breach within no more than 72 hours of having been informed of it, by sending an email to the email address provided. This notification shall be accompanied by any relevant documentation.

In accordance with the regulations in force, you have the right to access and rectify your personal data and request its deletion and portability. You can also oppose the processing of the data or request that this processing be limited.

If you have consented to the processing of your personal data, you can withdraw this consent at any time. You also have the right to define directives on the retention or deletion of your data after your death.

You should contact the Aéroports de Lyon Personal Data Protection Officer (DPO) for any request concerning the exercise of the aforementioned rights.

You can contact the Aéroports de Lyon Personal Data Protection Officer (DPO) by sending an email to: donnees‐personnelles@lyonaeroports.com with proof of your identity and specifying the right you wish to exercise.

If, after contacting us, you feel that your rights to your data are not being respected, you can submit a complaint to the CNIL (www.cnil.fr/en)



As an applicant for a job

AEROPORTS DE LYON acts as Data Controller for the implemented data processing.
Please consult the Website’s Legal Notices for more information about AEROPORTS DE LYON.

The following data processing operations are implemented for the purposes described and with the legal grounds specified in the lawful bases.
The operations process the following data in line with the retention periods stated.
Consulter le document

Only authorised persons of Aéroports de Lyon can access the personal data.
AEROPORTS DE LYON declares that it uses Data Processors for the hosting of Personal Data and for the fulfilment of the Processing Purposes. 
The data processors used are as follows:
Consulter le document

AEROPORTS DE LYON is committed to implementing the following security measures:
(a)    physical security measures designed to prevent unauthorised access to Personal Data,
(b)    identity and access checks via an authentication system and a password policy,
(c)    an Authorisation Management System, and,
(d)    processes and systems for tracking all actions carried out on the AEROPORTS DE LYON information system and for reporting any incidents affecting Personal Data, in accordance with the Regulations.

AEROPORTS DE LYON also applies the following principles:

  • For new data processing operations: privacy by design/by default
  • For staff: awareness campaigns and training sessions on personal data protection
  • For data processors: framing of the data processing entrusted to data processors in a contractual appendix


AEROPORTS DE LYON shall notify the supervisory authority concerned, and the Data Subject if necessary, of any Personal Data breach within no more than 72 hours of having been informed of it, by sending an email to the email address provided. This notification shall be accompanied by any relevant documentation

In accordance with the regulations in force, you have the right to access and rectify your personal data and request its deletion and portability. You can also oppose the processing of the data or request that this processing be limited.

If you have consented to the processing of your personal data, you can withdraw this consent at any time. You also have the right to define directives on the retention or deletion of your data after your death.

You should contact the Aéroports de Lyon Personal Data Protection Officer (DPO) for any request concerning the exercise of the aforementioned rights.

You can contact the Aéroports de Lyon Personal Data Protection Officer (DPO) by sending an email to: donnees‐personnelles@lyonaeroports.com with proof of your identity and specifying the right you wish to exercise.

If, after contacting us, you feel that your rights to your data are not being respected, you can submit a complaint to the CNIL (www.cnil.fr/en).

You use the Lyon Airport web application

How we protect your personal data

 

WHAT DATA PROCESSING ? WHAT ARE THE LAWFUL BASES ? USING WHAT DATA ?
The following data processing operations are implemented for the purposes described and with the legal grounds specified in the lawful bases. The operations process the following data in line with the retention periods stated.
Some data processing is implemented via the websites stated under DEFINITIONS; other processing is implemented directly at Lyon‐Saint Exupéry Airport.
 
Data processingGoalLawful basesDataStorage time
Customer account managementCustomer relationship managementContract executionCivility
Name/First name
e-mail address
Password		3 years after last trade exchange
Product and services purchasesCustomer relationship managementContract executionMandatory data
- Civility
- Name/First name
- e-mail address
- Password,
- Purchase history (Product/service purchased, dates),

Optional data
- License plate
- Information about flight/train (schedule, destination, terminal),
- Phone location
- Boarding pass (Through camera)		3 years after use

The processing does not involve an automated decision. No processing is carried out for other purposes.

WHO HAS ACCESS TO THE DATA? WHERE IS THE DATA STORED? 
Only authorised persons of Aéroports de Lyon can access the personal data.
AEROPORTS DE LYON declares that it uses Data Processors for the hosting of Personal Data and for the fulfilment of the Processing Purposes.
Personal data may be transferred to third parties for business purposes, including to airlines, to certain service providers involved in data processing, and to certain State executive bodies

The subcontractors used are the following:
ProcessingSubcontractorData hostingData recipientData transfer outside the EU
Passenger itinerary: Lyon Aéroport mobile applicationAtipikSwitzerland Switzerland

HOW IS THE DATA SECURED?

AEROPORTS DE LYON is committed to implementing the following security measures:
(a)    physical security measures designed to prevent unauthorised access to Personal Data,
(b)    identity and access checks via an authentication system and a password policy,
(c)    an Authorisation Management System, and,
(d)    processes and systems for tracking all actions carried out on the AEROPORTS DE LYON information system and for reporting any incidents affecting Personal Data, in accordance with the Regulations.
(e) secured communication protocols for sending data between systems.

AEROPORTS DE LYON also applies the following principles:

  • For new data processing operations: privacy by design/by default
  • For staff: awareness campaigns and training sessions on personal data protection
  • For data processors: framing of the data processing entrusted to data processors in a contractual appendix


AEROPORTS DE LYON shall notify the supervisory authority concerned, and the Data Subject if necessary, of any Personal Data breach within no more than 72 hours of having been informed of it, by sending an email to the email address provided. This notification shall be accompanied by any relevant documentation.
 

AS A MONA CUSTOMER


The MONA service, based on facial recognition authentication, is proposed by LYON AEROPORT as an experimental service at Lyon-Saint Exupéry airport for a 12-month period starting October 19, 2020.
This service is offered to adult passengers and voluntary passengers on certain eligible flights to Lisbon and Porto.
It pursues the following 3 objectives:
•    Fluidity and simplification of the passenger journey
•    Operational performance
•    Customer relationship

The legal bases attached to the processing of personal data are: legal obligation, consent and contract execution.

Thanks to facial recognition and a dedicated route within the airport, the Mona passenger passes through the various airport checkpoints (excluding border controls), from baggage drop-off to boarding, simply by showing his face.

In addition to providing real-time flight and travel information, Mona enable passengers to benefit from personalized services and experiences developed in partnership with airlines and airport businesses.

Processed data
1.    The enrolment phase processes the following personal data:
- Information contained on the boarding pass
- ID information
- Face photo

A documentation check is performed and a biometric template is generated.
This phase is carried out either from the LYON AEROPORT mobile application or on a MONA kiosk at the airport. 

The processing time for the biometric template is very short since it starts at the enrolment phase, which can only take place when the passenger is in possession of the boarding pass (generally 36 to 48 hours before the flight) and ends when one of the following events occurs:
- departure of the plane,
- flight cancellation, 
- upon passenger's request before the occurrence of one of the above-mentioned events.
The biometric template is then deleted.

The photo and ID information are stored on the passenger’s phone in a secure area to be used for  subsequent enrolments, which will be faster. 
No data is stored on the MONA kiosk.

2.   The following data is processed at the checkpoint stages:
•    Photo shooting (face)
•    Biometric template
The data is hosted at Lyon-Saint Exupéry Airport, in a secured way
The security measures put in place to ensure the confidentiality, integrity and availability of personal data (including the biometric template) are high.

Authorizations and specific consent
Device authorizations
This application requires certain permissions from users that allow it to access data on the user's device as described below.
By default, these permissions must be granted by the user before the respective information can be viewed. Once the authorization is given, it can be revoked by the user at any time. In order to revoke these authorizations, users can view the device settings. 
The exact procedure for checking application authorizations may depend on the device and the user's software. Please note that revoking these authorizations may affect the proper operation of the application.
If the user grants one of the authorizations listed below, the respective personal data can be processed (i.e. accessed, modified or deleted) by this application.
 
Which authorization?What does it consist of?For what purposes?
Camera accessUsed to access the camera and capture images and videos from the camera.Import the boarding pass into the application to allow the passenger to track his flight with or without the MONA service.
Location accessUsed to access the location of the user's device. This application can collect, use and share user location data to provide location-based services.Display of the user's location on a map in order to situate him in relation to the points of interest (infrastructures, shops, services...) of the airport.
Customization of the application's home screen according to the user's location. 
Within the framework of the MONA service, sending a notification to the user in order to open the travel companion that will guide him through the terminal. 
Storage accessUsed to access photos and multimedia elements of the device.Import the boarding pass into the application via a screenshot to allow the passenger to follow his flight with or without the MONA service.
NotificationUsed by the application to send information to the userPassenger guidance within the airport
Passenger route information

Specific consent requested from the user
This application requests the user's consent to capture, store and process personal data necessary for the proper functioning of the MONA service. 
These data are the following : 
- Photo of ID : French National Identity Card or passport ;
- Photo of the passenger's face
Within the framework of the MONA service, the user may give consent to the use of his facial recognition data and thus take advantage of the service with facial recognition or refuse consent and use the MONA service without facial recognition.

Data transfert and subcontractor 

The MONA technical solution implemented by LYON AEROPORT’s teams is based on a technological base composed of a biometric system (software developed by IDEMIA and integrated into kiosks produced by RESA), as well as a relationship marketing solution (developed by SALESFORCE and VISEO). The integration of MONA in the LYON AEROPORT’s mobile application is carried out by ATIPIK.

No data is transferred outside of the European Union.

MONA is an optional service for which it is possible to return to a classic passenger route, without the use of facial recognition, and without the need to unsubscribe to the service.
The MONA passenger is also accompanied at each step of the service by an agent who can help or inform him if necessary.

There is also an agent available at each stage of the service who can provide MONA passengers with any necessary assistance or information.

Exercise of rights
For information on the processing of your personal data within the framework of the Mona service or for the exercise of your rights, please consult the section « How can I exercise my personal data rights »

USER-GENERATED CONTENT


You posted content on a website or social network that may contain: 
-    a photograph or video taken by You, 
-    other identifying information associated with your post, such as your username, image, caption and hashtags and additional content you may choose to provide, such as your first name and surname and your email address (hereinafter referred to as “User Content”). 

AEROPORTS DE LYON posted a comment under Your post to obtain Your consent, containing a link to this AEROPORTS DE LYON Privacy Policy, in particular, this section on:
-    processing of the personal data contained in this User Content, including, in particular: your image (photograph or video), your first name and surname, and your email address. 
-    use of the User Content, implicating the terms of use of intellectual property rights for User Content defined below. 

By replying to the comment from AEROPORTS DE LYON with the hashtag #YESADL (the “consent Hashtag”), You or the organisation or person you represent unconditionally agree to be bound by the terms of the AEROPORTS DE LYON Privacy Policy, in particular, this section.

If You do not accept all the terms of this agreement, do not post the consent Hashtag. If You agree to this Policy on behalf of an organisation or an individual, You state that You have the authority to do so.


LEGAL BASIS FOR PROCESSING PERSONAL DATA

Processing of the personal data contained in Your User Content is based on Your consent, in accordance with Article 6 of the GDPR. 
By replying to the comment from AEROPORTS DE LYON with the hashtag #YESADL (the “consent Hashtag”), You or the organisation or person you represent consent to the processing of Your personal data contained in the User Content referred to above. 


INFORMATION AND RIGHTS RELATING TO PERSONAL DATA

Specific terms concerning access, hosting, security and the exercise of rights relating to personal data contained in User Content are available in this Privacy Policy, in the sections dedicated to each of these subjects. 

Thus, for example, to exercise your rights concerning personal data contained in User Content, You can refer to the section “How do I exercise my personal data rights?” in this Policy. 

By posting the consent Hashtag in your reply to the comment from AEROPORTS DE LYON, you consent to transfer of the information in the User Content to AEROPORTS DE LYON's third-party processors, in particular Adalong, as mentioned and described in the section “Who has access to the data?” in this Policy.

You acknowledge that you have read all the terms of this Policy and agree to them before giving your consent by replying to the comment from AEROPORTS DE LYON.


INTELLECTUAL PROPERTY

By replying to the comment from AEROPORTS DE LYON with the hashtag #YESADL, You grant AEROPORTS DE LYON a non-exclusive, worldwide patrimonial right free of charge for a 5-year period to use, reproduce, publish, display, adapt and disseminate the User Content in the context of marketing operations and promotion of the activities of AEROPORTS DE LYON in any way, on all currently-existing networks and media or those yet to be invented, including, without limitation, on the websites and digital communication channels of AEROPORTS DE LYON, for example in the stories created by AEROPORTS DE LYON, retailer websites, marketing emails and social networks, including in paid advertisements on social networks for which You will not be paid.


REPRESENTATIONS AND WARRANTIES

You retain all rights, titles and interests in and to the User Content, without prejudice to the rights granted above, and represent and warrant that (i) You own all the rights to Your User Content, or, if the User Content is subject to third-party proprietary rights, You have all necessary licences, rights, consents and authorisations to post the User Content that You submit and to grant the rights provided for and granted to AEROPORTS DE LYON under this Policy, as part of this programme and without financial consideration; (ii) You are 18 years of age or older, (iii) You are legally authorised to post the User Content, and the use of the proprietary rights of third parties contained in Your User Content, as described in this Policy, will not infringe, in particular without being limited to, registered trademark rights, privacy rights, publicity rights or other proprietary rights, of any third party or of any law, and (iv) Your User Content is not libellous, defamatory, obscene, pornographic, abusive, indecent, threatening, harassing, hateful or offensive.


DISCLAIMER

By replying to the comment from AEROPORTS DE LYON with the hashtag #YESADL, You discharge and agree to defend, indemnify and hold harmless AEROPORTS DE LYON from any liability, claims and expenses, including reasonable lawyers' fees, relating to any breach or alleged breach on Your part of any of the terms and conditions set out in this Policy, in particular, concerning the rights You warrant that You hold to the User Content.
l