Information

Privacy Notice for Online Ticket Sales

 

J.P. Međunarodni aerodrom Sarajevo d.o.o. Sarajevo (“we”, “our”, “us”) is committed to protecting your personal data when using our online ticket sales platform. This Privacy Notice explains how we collect, use, and protect your personal information during the ticket booking process. It applies to our online ticket sales operated through a joint arrangement with Thomalex Inc. and processed by Monri WSPay for payment transactions. Both Thomalex Inc. and Monri WSPay are fully compliant with GDPR regulations.

 

  1. Who We Are

We, J.P. Međunarodni aerodrom Sarajevo d.o.o. Sarajevo, together with Thomalex Inc., act as joint controllers in processing your personal data when you use our online booking platform. Thomalex Inc. also functions as a data processor, managing the booking system on our behalf.

We work with Monri WSPay, which processes payments securely on our behalf.

 

  1. What Data We Collect

During the ticket booking process, we collect the following categories of personal data:

  • Identity and contact data: Name, surname, date of birth, email address, phone number, and gender.
  • Travel details: Flight details (destination, dates), ticket information, loyalty program info, and preferences (meal preference)
  • Payment information: Credit card number, CVV, expiry date, and billing address (processed securely by Monri WSPay).
  • Technical information: IP address, device information, and cookies (as detailed in the cookie section below).

 

  1. Purpose and Legal Basis for Processing

We process your personal data for the following purposes:

  • To fulfill your booking: This includes issuing your ticket, processing payment, and providing customer support. The legal basis for this processing is contract performance (Article 6(1)(b) GDPR).
  • Compliance with legal obligations: In certain cases, we may be required to process your data to comply with applicable laws (e.g., fraud prevention, customs regulations). The legal basis here is legal obligation (Article 6(1)(c) GDPR).
  • Legitimate interests: We may process data for administrative or security purposes, such as ensuring the integrity of our systems or handling potential claims. The legal basis is legitimate interests (Article 6(1)(f) GDPR).

 

 

  1. Retention Period

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this notice or as required by law. Based on industry practices, personal data related to ticket purchases is retained for 3 to 5 years for auditing and legal compliance purposes, unless a longer retention period is required due to legal obligations or disputes.

 

  1. Data Transfers to Third Countries

Your personal data may be processed on servers located in the United States by Thomalex Inc. The European Commission has not recognized the United States as providing an adequate level of data protection, and as such, we have implemented Standard Contractual Clauses (SCCs) to ensure appropriate safeguards for transferring your personal data in compliance with GDPR requirements. These clauses ensure that your data is treated with the highest standards of security and protection.

 

  1. Third Parties Involved

In the course of processing your booking, we may share your personal data with the following third parties:

  • Thomalex Inc.: Provides the booking platform and integrates with Amadeus GDS, enabling access to flight data.
  • Monri WSPay: Processes credit/debit card payments securely, using industry-standard encryption technologies to protect payment data.
  • Amadeus GDS: Provides access to flight information and related services as part of the booking platform.

We do not sell or share your data for marketing purposes.

 

  1. Security Measures

We take the security of your data seriously. For payment processing, Monri WSPay implements advanced encryption (e.g., SSL/TLS encryption) and PCI DSS compliance to protect your credit card information. In addition, Thomalex ensures compliance with Standard Contractual Clauses (SCCs), implementing measures like encryption, role-based access, and secure data centers as outlined in their Data Processing Addendum. Thomalex also maintains strict access controls, regular audits, and real-time monitoring of its systems.

 

  1. Cookies and Tracking Technologies

Our online booking platform uses cookies to enhance your experience:

  • NET_SessionId (necessary): Maintains your session and expires once the session ends.
  • RequestVerificationToken (necessary): Prevents cross-site request forgery and expires at the end of the session.
  • TrackingId (session-based): Tracks user actions during the booking process, for system functionality.

For more details on cookies, please see our Cookie Policy.

 

  1. Your Rights

As a data subject, you have the following rights under the GDPR:

  • Right to access: You may request access to your personal data.
  • Right to rectification: You can request that we correct any inaccuracies in your data.
  • Right to erasure (“right to be forgotten”): You may request that your data be deleted if it is no longer necessary for the purposes it was collected.
  • Right to restrict processing: In certain situations, you can ask us to restrict the processing of your data.
  • Right to data portability: You can request that your data be provided in a structured, machine-readable format.
  • Right to object: You may object to the processing of your data in certain circumstances.

To exercise any of these rights, you can contact our Data Protection Officer (DPO) via email at dpo@sarajevo-airport.ba or through our EU Representative, Rickert Rechtsanwaltsgesellschaft m.b.H., at info@rickert.law, Colmantstraße 15, 53115 Bonn, Germany, or by phone at +49(0)228 74 898 0.

 

  1. Changes to This Notice

We may update this Privacy Notice from time to time. We will inform you of any material changes by posting a notice on our website. We encourage you to review this notice periodically.

 

  1. Contact Information

For any questions or concerns regarding this Privacy Notice or how we handle your personal data, please contact us at:

Email: dpo@sarajevo-airport.ba

Postal Address:

J.P. Međunarodni aerodrom Sarajevo d.o.o. Sarajevo,

Kurta Schorka 36,

71210 Sarajevo,

Bosnia and Herzegovina.