1.  Summary

1.1.      Definitions

VATSIM - Virtual Air Traffic Simulation Network - a nonprofit organization that manages a dedicated, worldwide virtual air traffic network and provides the software needed to fly software flight simulators in virtual airspace[1]. Information about the organization is available at https://vatsim.net/

VATEUR - VATSIM Europe Region - the VATSIM organizational unit of the European region. Additional information can be found at https://vatsim.eu/

VATEUD - VATSIM European Division - the continental European division of VATEUR. Additional information can be found at https://vateud.net/

Polish VACC - Polish Virtual Area Control Center - also known as PL-VACC, is a constituted member of the VATEUD division responsible for the virtual space of FIR Warsaw (EPWW) in the VATSIM network. Additional information can be found at https://plvacc.pl/

PL-VACC Board of Directors - supervisors within the meaning of §2 and §3 of the PL-VACC Constitution of October 10, 2019.

Communication channels - the ways in which Polish VACC members communicate with those responsible for processing their personal data at PL-VACC. The specified communication channels of Polish VACC are:

    e-mail - e-mail communication with all addresses from the domain pl-vacc.org.pl,

    forum - the forum available at forum.pl-vacc.org.pl,

    Discord - the official channel of PL-VACC on the Discord platform,

    communication platforms - all interactive forms available on the pages of the pl-vacc.org.pl website.

Authorized PL-VACC member - a person who has been granted access to the data protected by this document.

The key words in this document should be interpreted as follows:

    MUST means that a certain behavior (a rule or requirement) is an absolute requirement, alternatively: REQUIRED, SHALL,

    MUST NOT means that a certain behavior is absolutely forbidden, alternatively: SHALL NOT,

    SHOULD means that a certain behavior is recommended, so it can be omitted only under strictly defined circumstances and for specific reasons, alternatively: RECOMMENDED,

    SHOULD NOT means that it is recommended not to perform a certain behavior, so the behavior is acceptable only under certain circumstances, alternatively: NOT RECOMMENDED,

    MAY means that the specified behavior is optional, so the consequences of performing or omitting it are completely neutral, alternatively: OPTIONAL.

Developed based on the RFC 2119 requirements specification.

2.  Introduction

2.1.      Purpose of establishing a privacy policy

The privacy policy and the definition of data protection are intended to:

    comply with the law set forth in the Regulation of the European Parliament and of the Council (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) and the Law of December 14, 2018 on the protection of personal data processed in connection with the prevention and combating of crime (Journal of Laws of 2019, item 125),

    comply with the obligation set forth by the VATSIM Data Protection and Data Handling Policy dated May 25, 2018, as amended on June 9, 2020 and thereafter,

    maintain good data protection practices for members, the board of directors and all others who use Polish VACC services.

2.2.      Type of data

Polish VACC collects the personal information of its members both directly and through the use of third-party data transfers.

2.3.      Type of data collected directly

When you use our services, additional data is collected about you. This allows us to ensure the smooth operation of our services and provide the desired user experience. This data includes:

    saving and archiving of posts, statements, saved settings and completed forms, surveys and votes posted on Polish VACC communication channels,

    IP address information used in Polish VACC communication channels,

    records of progress in training conducted by the Polish VACC,

    history of disciplinary proceedings,

    communication between members, including those outside the board.

Communication channels, including our forum, can collect any data submitted as free text. Any personal data voluntarily sent in this way by individuals (e.g., personal information such as phone numbers or addresses) will be stored, even if hidden from public access. This data is then available only to a limited number of authorized individuals.

2.4.      Type of data collected by third parties

When a member uses Polish VACC's services or when they request to join Polish VACC's VATEUD division, data is transferred from VATSIM or other third parties through internal communication channels to Polish VACC in order to ensure the smooth operation of our services and to ensure the highest standards of service delivery. This data includes:

    full name,

    VATSIM network identification number,

    email address,

    The virtual ATC controller rank and/or the virtual Pilot rank assigned in the VATSIM network,

    occupied positions in the VATSIM network structures, with assigned responsibilities,

    data on the timeframe and duration of logins, along with the call signs used when connecting to the VATSIM network.

 

When using the official Discord messenger server, Polish VACC collects the following data:

    a unique ID number and username assigned to a Discord messenger account.

 

2.5.      Provisions of the policy

Polish VACC commits to:

    comply with the purposes listed in Section 2.1 and good practices arising from the processing of personal data,

    respect the rights of the individual, including:

        the right of access to information,

        the right to rectification,

        the right to object,

        the right to be forgotten,

    maintain a transparent privacy policy,

    provide instructions for those responsible for data processing to conduct activities in accordance with this policy,

    inform data subjects of any possibility or suspicion of unlawful disclosure of their personal data.

3.  Responsibility

3.1.      VACC Board of Directors

The overall responsibility for the protection of personal data and the compliance of the relevant standards of services conducted by PL-VACC with this privacy policy rests with the PL-VACC Board of Directors. The current composition of the Board of Directors can be found at: https://plvacc.pl/newvacc/aboutus.php

3.2.      Internal Data Protection Inspector

An Internal Data Protection Officer (Data Protection Officer) is designated as the person responsible for ensuring compliance with this privacy policy. The current Internal Data Protection Officer is indicated at:

https://plvacc.pl/newvacc/aboutus.php

3.3.      Directors of each department

Individual members of the Board of Directors, responsible for the following branches of PL-VACC's activities, have a special duty to supervise others who access personal data collected by VATSIM:

    ACCPL2 Controller School Director - virtual controller training data archive

    ACCPL5 Director of Internet Services - access to and control of stored data

Other members of the Board of Directors may from time to time be assigned duties related to data control and storage.

3.4.      Management assistants and others seconded

The Board of Directors appoints Board Assistants in accordance with §3(7) of the PL-VACC Constitution, and sometimes delegates their work to other PL-VACC members on a volunteer basis. All concerned are required to read, understand and agree to all policies and procedures relating to the processing of personal information that they may handle in the course of their work within PL-VACC, as detailed in this policy. PL-VACC expects the highest standard of trustworthiness among everyone working with it. Unauthorized persons may not access data unless there is a valid network-related reason for such access.

4.  Security

4.1.      Scope of security policy

This section applies to all Polish VACC services and servers owned by or transferred to Polish VACC, including: personal data servers, statistical data servers or web servers.

4.2.      Steps taken

Polish VACC takes standard data security steps such as TLS encryption when accessing data using a web browser. Additional security settings are used to allow only authorized users to access the server. Passwords (excluding the VATSIM network password, which is never transmitted to Polish VACC) are stored as encrypted strings, preventing them from being displayed in plain text.

4.3.      Threats

Three primary sources of security threats to the data stored by PL-VACC have been identified. These are:

    Phishing attacks, i.e. the intentional forcing of unauthorized access to data stored on the server,

    unauthorized access through malware-infected systems used by authorized PL-VACC members,

    software bugs, allowing unauthorized (even accidental) access to data stored on the server,

    access by unauthorized PL-VACC members.

The elimination of the first two threats involves:

    checking that every individual knows this privacy policy before access is granted,

    encouraging authorized members to follow good security practices on their personal systems.

The third risk is mitigated by an appropriate testing phase for newly introduced software.

The last risk is mitigated by logging access and undoing changes made by those who misuse previously granted access.

5.  Recording and storing data

5.1.      Scope of stored data

Most of the data used by PL-VACC is transmitted directly through VATSIM internal communication channels. The data indicated in Sections 2.3 and 2.4 of this policy is stored only in case of a legitimate need, as specified in Section 9.

5.2.      Update stored data

Personal data stored by PL-VACC is synchronized through SSO (Single Sign-On) internal personal data exchange channels. Data is therefore not updated directly on PL-VACC servers; it is received from third-party servers. An interested PL-VACC member should direct requests for data updates to the relevant VATSIM authorities.

5.3.      Stored data

Data is stored in standard file systems and databases. These systems are accessed either directly through secure control applications or via a secure web interface. Access is protected against unauthorized use by standard means, such as access control that limits the privileges of individual accounts.

5.4.      Data retention period

Polish VACC is required to store data in accordance with the VATSIM network's Data Protection and Data Handling Policy. Deletion requests may be processed by Polish VACC in accordance with Section 9; however, the deletion of some processed data may require the direct intervention of VATEUD, VATEUR or VATSIM, as the request may be outside the authority of the persons responsible for Polish VACC.

5.5.      Archiving

Archiving of data by Polish VACC does not include data stored on servers other than those owned by Polish VACC. Data on these servers is stored for a specific period of time and then archived in accordance with Section 2.3 or deleted completely.

6.  Transparency of data protection

Polish VACC makes every effort to ensure that all members know what personal information is collected about them and for what purpose.

As specified in this document, data is collected to ensure the smooth operation of the Polish VACC so that members can collectively enjoy the functionality of the VATSIM network.

7.  Right of access to information

7.1.      PL-VACC responsibility

Requests for information on processed personal data are within the competence and responsibility of the designated Internal Data Protection Supervisor.

This inspector must fulfil the request within one month of receiving it.

The Internal Data Protection Supervisor shall acknowledge receipt of the request immediately by informing the stakeholder, or the person forwarding the request on the stakeholder's behalf, that processing of the request has begun. This acknowledgement makes it possible to determine the date from which the one-month period for processing the request begins.

If circumstances not specified herein prevent the Internal Data Protection Supervisor from processing a request, the period for fulfilling requests may be extended by one month at a time, provided that the stakeholder is informed of the situation, the exact period of extension is indicated, and the reasons for extending the period are given.

The application may be rejected by the Internal Data Protection Supervisor if:

    the request comes from a person to whom the data does not apply (e.g., a request for data that is not his/her own),

    the identity of the person making the request cannot be verified,

    the request does not apply to the data stored by PL-VACC as defined herein,

    the request refers to data deleted in accordance with Section 5.5 of this policy.

7.2.      Request procedure

Requests for information on processed personal data should be addressed to the e-mail address: staff@plvacc.pl.

If any member or responsible person receives anything that may be considered a request for data, he or she should immediately inform the Internal Data Protection Supervisor.

7.3.      Identity verification

If you send a request for personal data, you must confirm your identity in order to begin processing the request.

Before starting to process a request, the Internal Data Protection Supervisor is required to verify the identity of the person making it. However, in the course of confirming the identity, the Supervisor may not store any further identifying personal data (e.g., he may not request a photocopy of an identity document, but may request its presentation, including in digital form).

Formal confirmation is not required when the Supervisor personally knows the person making the request.

The Supervisor is responsible for the correctness of identity verification; however, the way in which identity confirmation is formalized lies with the stakeholder.

7.4.      Charges

Polish VACC does not charge any fees for processing or sharing of data based on requests for access to information of personal data processed.

8.  The right to erasure (to be forgotten)

Acting on the basis of the applicable law listed in Section 2.1, Polish VACC undertakes to delete data at the request of the interested party. A request for deletion shall be processed on the same basis as the right to obtain information described in Section 7. The procedure for making the request, verifying identity and determining the fees associated with the procedure are set forth in Section 7 of this policy.

Requests for deletion of data should be addressed to staff@plvacc.pl.

9.  Legal basis

Polish VACC asserts that it has a legitimate interest in collecting and storing the personal information described above. The reasons for this claim are as follows:

    Polish VACC is a voluntary community, being an active member of VATEUD, VATEUR and VATSIM, promoting flight simulation and virtual air traffic control, and all members who wish to join have an obvious interest in such activities.

    The data collected is the minimum required to enable the smooth and optimal operation of the VACC, purely for the enjoyment of its members.

    The data is necessary to enable VATSIM personnel in Poland to properly manage the VACC, both in day-to-day operations and in circumstances where the member(s) may act in a manner contrary to the rules and regulations governing the VACC.

10.  Changes to the policy

Responsibility for this document's compliance with applicable law rests with the Internal Data Protection Supervisor.

10.1.   Change procedure

In the event that changes to this document are necessary, the following procedure is designated:

    Any changes to this policy require a vote of the PL-VACC Board of Directors with voting rights in accordance with §3(6) of the PL-VACC Constitution,

    an amendment is considered adopted when it receives a relative majority of the votes cast,

    the entry into force of the amendments may not take place earlier than 5 days after the end of voting,

    amendments may enter into force earlier than 5 days, but not less than 24 hours, after the end of voting in the case of glaring deficiencies in this document that require immediate changes. Such amendments require a qualified absolute majority of the votes cast to be considered adopted.

Information on the mode of processing must be made public at the consultation stage, no later than the day of the announcement of the vote, and in any case no later than the start of voting.

The draft amendments should be submitted to the Board of Directors, which will put them to a vote, by the Internal Data Protection Supervisor, or, in the absence of an appointment, by the current ACCPL1 (PLVACC Director).



[1] Source: https://pl.wikipedia.org/wiki/VATSIM