LOPD

At VATSIM Spain we take data protection seriously.



Data Protection Policy

   This policy has been implemented to comply with current legislation, particularly the European Union's General Data Protection Regulation (GDPR). Additionally, it aims to ensure good practices in data protection, safeguard the privacy of members, staff, and other individuals, and protect the organization's interests.

Index.

1. Introduction:

1.1. Types of data.

1.2. Data we collect.

1.3. Data we receive from third parties.

  • 1.3.1. VATSIM CERT.

  • 1.3.2. VATSIM Stats.

  • 1.3.3. Moodle.

1.4. Policy statement.

2. Responsibilities:

2.1. The staff.

2.2. Specific department heads.

2.3. Staff and volunteers

2.4. Enforcement

3. Security:

3.1. Scope

3.2. Security measures.

3.3. Backups.

3.4. Specific risks.

4. Data registration and storage:

4.1. Accuracy

4.2. Updating

4.3. Storage

4.4. Retention periods

4.5. Archiving

5. Transparency:

5.1. Commitment

5.2. Responsibility

6. Right of access

6.1. Responsibility

6.2. Procedure to make a request

6.3. Provision to verify identity

6.4. Charges

7. Right to rectification

7.1. Responsibility

7.2. Request procedure

7.3. Provision to verify identity

7.4. Charges

7.5. Rectification procedure

8. Right to erasure

8.1. Responsibility

8.2. Request procedure.

8.3. Provision to verify identity.

8.4. Charges.

8.5. Erasure procedure.

9.1. Underlying principles

9.2. Members under 16

9.3. Opting out

9.4. Opt-out time frame

10. Policy changes

10.1. Responsibility.

10.2. Procedure.

10.3. Time frame.


1. Introduction:

1.1. Types of data

   VATSIM Spain collects data from its members and third parties. All data collection is done with the member's explicit consent, obtained electronically before accessing our services.


1.2. Data we collect

     During the use of our services, VATSIM Spain collects data about users to facilitate the operation of our systems and provide a better user experience. This data includes:
  • Connection information, including IP addresses and login times
  • Login information
  • User messages
  • User images

1.3. Data we receive from third parties

   To efficiently provide our services and have all the necessary data for virtual air traffic, controller training, and community management, we may need to receive data from third parties. This data includes:
    • 1.3.1. VATSIM CERT
        • VATSIM ID number (CID)
        • Full name
        • Email address
        • Air Traffic Control and/or pilot qualifications obtained through VATSIM network training
    • 1.3.2. VATSIM STATS
        • Callsign
        • Air Traffic Control Position
        • Full name
        • VATSIM connection time
        • Duration of VATSIM connection
    • 1.3.3. Moodle
        • Email address
        • Full name

1.4. Policy statement

     VATSIM Spain is unequivocally committed to compliance with the law, good practices, and respect for individuals' rights, including:
  • The right of access.

  • The right to be informed.

  • The right to rectification.

  • The right to data portability.

  • The right to object.

  • The right to restrict processing.

  • The right to erasure.

  • Being open and honest with individuals whose data is stored.

  • Providing training and support to staff handling personal data so that they can act confidently and consistently.

  • Voluntarily notifying relevant data protection authorities of any relevant data, even if it is not required.

2. Responsibilities:

2.1. The staff.

     Overall responsibility for ensuring data protection and compliance with relevant laws and regulations collectively rests with VATSIM Spain's Staff.
 

2.2. Specific department heads:

     The staff members responsible for different departments must oversee the collection, processing, and storage of personal data within their specific departments. All staff members are listed on the VATSIM Spain website and can be contacted via the email addresses provided there.
 

2.3. Staff and volunteers:

     All staff members are required to read, understand, and comply with any policies and procedures related to personal data they may handle in the course of their duties within VATSIM Spain, as outlined in this policy. VATSIM Spain expects the highest level of integrity from all staff at all levels. Data should not be accessed unless there is a valid network-related reason for such access.
 

2.4. Enforcement:

     VATSIM Spain has a zero-tolerance policy towards the improper access of data stored on its systems. Any such access will result in the individual being banned from further access for a minimum of 10 years. This may also prevent the member in question from holding positions of responsibility within the vACC, and the incident may be reported to VATSIM's Staff.

3. Security.

3.1. Scope:

      VATSIM Spain's security policy applies to all systems under its control and to all systems used by VATSIM Spain to process the personal data of its members, staff, or staff assistants.
 

3.2. Security measures

     VATSIM Spain employs standard encryption methods to safeguard personal data and monitors all systems to detect potential abuses or unauthorized access.
 

3.3. Backups:

     To ensure continuous access to services, VATSIM Spain may back up personal data within relevant systems to maintain the integrity, security, and continuous service of the data.
 

3.4. Specific risks:

Key specific risks to personal data security include:

  • Phishing attacks to gain system access.
  • Access via trojans or keyloggers on members’ systems.
  • Misuse by disgruntled members granted data access.
     Mitigation of the first two risks involves encouraging members with higher levels of access to adhere to good security practices on their personal systems. The final risk is mitigated through access logging and reversing changes made by those who misuse personal data access.

4. Data registration and storage

4.1. Accuracy:

     Since most of our data is received from third parties such as VATSIM, we assume this data is accurate. If it is found not to be, we facilitate its rectification, in accordance with section 7 of this policy.
 

4.2. Updating:

      A member may request an update to their personal data by contacting any staff member or requesting rectification under section 7 of this policy.
 

4.3. Storage:

     Data is stored in standard databases and file systems. Access to these systems is controlled and provided only to those who need it to perform their duties. VATSIM Spain will make every effort to protect all data from unauthorized access.
 

4.4. Retention periods:

       VATSIM Spain is subject to VATSIM's retention periods as established in their Data Protection and Handling Policy. Due to technical limitations of VATSIM systems, personal data is not automatically deleted, and any member wishing for erasure may submit a request under the right to erasure, as described in section 8 of this policy.
 

4.5. Archiving

     VATSIM Spain does not archive data in long-term storage. All data is kept within the production environment and is either backed up or deleted entirely.

5. Transparency.

5.1. Commitment:

     VATSIM Spain is committed to ensuring the security of all personal data and will take all necessary precautions to prevent unauthorized access to personal data. If unauthorized access is detected, we will inform all affected members and the relevant authorities promptly. VATSIM Spain may transfer data to affiliated and associated organizations to improve or expand our services. When necessary, user consent will be sought before personal data is transferred to third parties.
 

5.2. Responsibility:

      All VATSIM Spain staff and assistants are always responsible for the data they access and must take all necessary precautions to avoid exposing personal data to unauthorized individuals. When possible, VATSIM Spain staff and assistants will use anonymized or pseudonymized aggregated data to reduce the risk of unauthorized data disclosure.

6. Right of Access.

6.1. Responsibility:

     The responsibility for processing Right of Access requests lies with VATSIM Spain's Staff. Requests must be fulfilled within one month of receiving the request. If circumstances prevent this, VATSIM Spain may extend the deadline by an additional two months, provided that the member making the request is informed of this before the original one-month deadline expires.
 

6.2. Procedure to make a request

        Right of access requests can be addressed to the Staff by email at [email protected] or through any other means.
 

6.3. Provision to verify identity

        When the person managing the procedure does not personally know the individual, the individual’s identity will be verified before providing any information.
 

6.4. Charges

      VATSIM Spain will not charge any fees for processing or providing data for requests under the right of access.

6.5. Procedure to grant access

      After the individual’s identity has been reliably verified in accordance with this policy, they may be granted access to their personal data. Any personal data concerning other individuals will be removed.

7. Right to Rectification.

7.1. Responsibility:

      The responsibility for processing Right to Rectification requests lies with VATSIM Spain's Staff. Requests must be fulfilled within one month of receiving the request. If circumstances prevent this, VATSIM Spain may extend the deadline by an additional two months, provided that the member making the request is informed of this before the original one-month deadline expires.
 

7.2. Request procedure

    Requests for rectification under the Right to Rectification can be addressed to the Staff by email at [email protected] or through any other means.
 

7.3. Provision to verify identity

       When the person managing the procedure does not personally know the individual, the individual’s identity will be verified before rectifying any data.
 

7.4. Charges

        VATSIM Spain will not charge any fees for processing data under the Right to Rectification.
 

7.5. Rectification procedure

     Once the individual’s identity has been reliably verified in accordance with this policy, their personal data may be rectified.

8. Right to Erasure.

8.1. Responsibility

     The responsibility for processing Right to Erasure requests lies with VATSIM Spain's Staff. Requests must be fulfilled within one month of receiving the request. If circumstances prevent this, VATSIM Spain may extend the deadline by an additional two months, provided that the member making the request is informed of this before the original one-month deadline expires.
 

8.2. Request procedure

       When the person managing the procedure does not personally know the individual, the individual’s identity will be verified before erasing any data.
 

8.3. Provision to verify identity:

       When the person managing the procedure does not personally know the individual, the individual’s identity will be verified before erasing any data.
 

8.4. Charges

        VATSIM Spain will not charge any fees for processing data under the Right to Rectification.
 

8.5. Erasure procedure

      Once the individual’s identity has been reliably verified in accordance with this policy, their personal data may be erased. VATSIM Spain reserves the right to retain any data if it believes it is in its legitimate interest to do so or if it is necessary to establish, exercise, or defend any legal claims.

9.1. Underlying principles:

      VATSIM Spain asserts that it has a legitimate interest in collecting, processing, and storing data as described in this policy. All personal data collected by us is strictly for use in the development or execution of our services, such as the training of virtual air traffic controllers. VATSIM Spain periodically audits its data collection measures and the scope of data collection to minimize the personal data collected.
 

9.2. Members under 16

    VATSIM Spain relies on VATSIM and its VATSIM Minor Protection Policy to ensure parental consent is obtained for users who cannot consent under the European Union's General Data Protection Regulation (GDPR).
 

9.3. Opting out

    Without prejudice to VATSIM Spain's legitimate interest statement, members may, at their discretion, object to this statement and/or request that VATSIM Spain cease processing a member’s personal data. These two rights are known as the Right to Object and the Right to Restrict Processing.
 
      Members should be aware that if they choose to exercise either of these rights, VATSIM Spain is required to block their accounts to comply with their wishes.
 

9.4. Opt-out time frame.

      While a notification of an objection to VATSPA’s legitimate interest statement or a request to suspend processing can be made at any time, such claims cannot be made retroactively.

10. Review.

10.1. Responsibility:

        The responsibility for reviewing this policy lies with VATSIM Spain's Staff.
 

10.2. Procedure

      As a minimum, this review will include:
 
  • Consultation with VATSIM Spain’s Staff.
  • Consultation with VATSIM Spain’s Web Services Department.
  • Consultation with VATSIM Spain’s Training Department.
  • Review of any data breaches during the current policy’s validity period.
  • Review of all data access audits during the current policy’s validity period.

10.3. Time frame

      To ensure the required review is completed by the required date (e.g., May 24, 2025), such consultation must begin no later than November 24, 2024, i.e., six months in advance.