Privacy Policy

We want to work with you, our customers, partners, service providers, suppliers in complete confidence, and this policy sets out what Eurocontrol does with individuals' personal data in its capacity as Data Controller.
This document tells you what personal data we collect and that you provide to us, why we collect it, when we disclose it to third parties, how we store it, how we protect it and how you can exercise your rights over your data. Contracts and documents relating to a service will, where appropriate, give you more details about the associated data processing.

Why do we collect and use personal data?

In relation to the personal information you provide to us via our website, we are committed to the following data protection principles:

  • The purpose principle: the data controller may only record and use information about individuals for a specific, lawful and legitimate purpose
  • The principle of proportionality and relevance: the information recorded must be relevant and strictly necessary for the purpose of the file
  • The principle of the limitation of the retention period: it is not possible to keep information on individuals in a file for an indefinite period. A precise retention period must be established, depending on the type of information recorded and the purpose of the file
  • Principle of security and confidentiality: the data controller must ensure the security and confidentiality of the information in his possession. In particular, he/she must ensure that only authorised persons have access to this information
  • The rights of individuals


What personal data do you provide or do we collect?

Within the framework of the processing of personal data, we collect and process the following categories of data:

  • Data identifying the data subjects, such as their title, name and surname, telephone number, e-mail and postal address
  • Data relating to the professional status of the data subject, such as his or her profession or professional data
  • Economic and financial data
  • Data relating to training courses carried out with our services, such as evaluation, authorisations and qualifications awarded
  • Login and registration data and your consent to the processing of this data
  • Content of exchanges with our teams

To fulfil a specific purpose, we may collect health data, especially in the context of analyses performed in our laboratories. Further details will be provided where appropriate.


Treatment Purpose   Legal basis   Duration
 Ensuring the execution of a contract and associated services
  • Follow-up of the contract and the business relationship
  • Preparation and implementation of the intervention and the service Quality control
  • Customer complaint
Necessary for the performance of a contract or the execution of pre-contractual measures taken at the customers' request 5 years from the end of the contractual relationship, except for legal exceptions or particularities linked to a service
 Training management
  • Educational and economic realisation of training
  • The issuing of diplomas and authorisations
  • Compliance with the legal and regulatory obligations applicable to professional training organisations.
  • Necessary for the execution of a contract taken at the customers' request
  • Legal and regulatory obligations
5 years unless an exception or legal specificity linked to a service is made.
 Security of our information systems
  • Monitoring access authorisation policy
  • Periodic analysis of the security logs of the various information systems
  • Supervision of access authorisations to premises and offices
  • Security incident and vulnerability management
Legitimate interest From a few months to several years depending on the purpose.
 Invoicing management
  • Invoicing
  • Accounting
  • Recovery
Necessary for the execution of a contract taken at the customers' request 10 years
 Service provider and partner management Monitoring of the contract and the business relationship
Necessary for the execution of a contract taken at the customers' request 5 years from the end of the contractual relationship
 External communication management
  • Communication linked to Eurocontrol
  • Service-linked communication
  • Conducting satisfaction surveys
Necessary for the execution of a contract taken at the customers' request Until the end of the contract
 Management of external communication for marketing purposes Commercial prospecting
Consent Until termination or expiry of the contract
 Navigation on our websites
  • Personalisation of services
  • Optimal functioning of the website
  • Security
  • Statistics
  • Legitimate interest
  • Consent
Duration defined according to the cookie
  • Receipt of applications
  • Management of the recruitment process
  • Consent
  • Legitimate interest
2 years from application 


When do we disclose your personal data to third parties?

We only pass on your personal data to third parties in the following cases:

  • To the internal services of Eurocontrol or, depending on the service, to the Apave group in charge of the implementation of the purposes
  • For external processing purposes: we transmit this data to trusted persons who process it on our behalf, in accordance with our instructions, in compliance with the GDPR and in compliance with any other appropriate security and confidentiality measures. In particular, we use service providers to provide data storage and hosting
  • For legal or regulatory reasons: we may share personal data to comply with legal, regulatory and administrative obligations, to detect, prevent or address fraudulent activities, security breaches or technical problems, or for external assessments and audits by authorities (or their representatives)

We ensure that only authorised persons have access to this data. Eurocontrol applies a strict security policy which ensures that the data it processes is only passed on to persons authorised to access it.


How do we store and protect your personal data?

We implement necessary and appropriate organisational and technical security measures against unauthorised access, modification, disclosure or destruction of the data we store. The Information System Security Policy can be provided to you for further details of the measures. 
These measures include the following:

  • Collect only the data necessary for the stated, explicit and legitimate purposes.
  • Employees, subcontractors, service providers who need access to personal data to carry out their functions and responsibilities:

         - are authorised and have access strictly reserved for them

         - are aware of and/or trained in their roles and responsibilities

        - have signed a confidentiality agreement and have been informed of the risks and penalties in case of non-compliance with this obligation

  • We carry out internal audits and audits of our suppliers who process personal data on behalf of Apave

Where we outsource specific processing activities, we ensure that these subcontractors comply with the same obligations and provide sufficient guarantees that appropriate technical and organisational measures have been implemented to ensure that the processing of personal data complies with the requirements of the applicable regulations. An agreement on the outsourcing of personal data will then be formally concluded.
We retain personal data for the duration of the business relationship and then archive or delete it. In some cases, we reserve the right to retain personal data for a longer period, in particular to avoid potential litigation and to meet our legal and regulatory obligations. 
In the case of data processed in the context of consent-based processing, we delete them as soon as consent is withdrawn.
We do not transfer personal data outside the European Union. If we do so for contractual purposes, we undertake to put in place appropriate safeguards and to obtain prior consent for the transfer. In any event, we remain responsible for our obligations with respect to such personal data.


How to exercise your rights regarding personal data

In accordance with Organic Law 3/2018 of 5 December 2018 on the Protection of Personal Data (LOPD) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the General Data Protection Regulation (GDPR), you have rights that we are obliged to respect:

  • The right to information about the processing of their data in a clear, fair and transparent manner
  • Right of access to your personal data: you have the right to obtain confirmation from us as to whether or not your data is being processed, the purposes for which it is being processed, the recipient of the data, the possible transfer of the data and a copy of the data
  • Right to rectify inaccurate or incomplete data: you can obtain from us the rectification of your data if it turns out to be incorrect or inaccurate
  • A right to object to certain processing operations, in particular those intended for commercial prospecting
  • The right to withdraw consent to the processing of data, without the effects of such withdrawal being retroactive
  • Right to erasure of your data that has been unlawfully processed: you only have the right to be forgotten if the processing of your data does not relate to the performance of the contract and you have terminated the contract
  • A right of portability that allows you to receive in a usable format your provided data in order to transmit it to another provider. Data portability only applies to data you have provided to us about yourself and only if the processing is based on consent or a contract
  • Right to restrict processing
  • The right to instruct on the retention, deletion and disclosure of their data after their death.

The rights may be exercised by writing to Eurocontrol, SA, Dpto. de Protección de Datos, C/ Cronos 20, 2ª planta, 28037, Madrid, or by sending an e-mail to info@eurocontrol.com, with reliable proof of the identity of the petitioner. There is also the possibility of lodging a complaint with a Data Protection Control Authority, in Spain the AEPD.


How do we handle personal data breaches?

We take personal data breaches very seriously.
In the event of a breach of your personal data that may pose a risk to your rights and freedoms, Eurocontrol's Data Protection Officer shall notify the AEPD of the breach as soon as possible, and if possible within 72 hours of becoming aware of it.  Eurocontrol shall also inform the data subject as soon as possible in accordance with Article 34 of the GDPR.


Review and update of our data protection policy

We undertake to process personal data in accordance with the applicable legal provisions.
This policy will be revised in accordance with changes in current legislation. You will be informed of this update periodically at .