Most recent edit: 30th March 2023
Please, read this privacy policy thoroughly. In it you will find important information about the processing of your personal details and your rights in accordance with the relevant legislation currently in force.
We reserve the right to update our privacy policy at any time in line with operational decisions, as well as to comply with any possible changes in legislation or jurisprudence. Should you have any doubts or queries, or you require any clarification with respect to our Privacy Policy or your rights, you may contact us using any of the channels indicated below.
Should you be providing us with the data of third parties, you undertake to obtain the full, prior consent of those concerned, and to inform them of the contents of this policy.
In general, the fields of our forms marked as mandatory must, of necessity, be completed for us to be able to deal with your requests.
1. Who controls the processing of your personal data? Unless specifically indicated otherwise, the data controller for the processing of data obtained from this website are:
WORLD 2 FLY, S.L.U., with registered office at Calle General Riera 154, 07010 Palma (Balearic Islands), Spain, CIF B16668451, in the event that the flight origin or destination is Spain.
WORLD 2 FLY, PORTUGAL S.A., with registered office at Rua General Firmino Miguel, 3, 2B Torre 2, São Domingos de Benfica, 1600-100 Lisbon. CIF. 516147447 in the event that the flight origin or destination is Portugal.
Hereinafter, both companies identified separately or jointly as W2FLY,with registered offices at Calle General Riera 154, 07010 Palma (Illes Balears), Spain. W2FLY is part of the World2Meet tourism group. + More info about the group here.
For more information about the processing of your data or to exercise your rights under current legislation on the subject, please send an email to [email protected] or contact the Data Protection Officer of the W2M Group at [email protected].
2. What personal data do we collect?
The data that we process is that obtained:
• Directly from you, for example when you provide us with your personal details to make a reservation, request a service, or make an enquiry or a complaint.
• From those persons, tour operators, travel agencies, or global reservation systems that make reservations or requests in your name.
The types of data that we process generally consist of:
• Contact details and details that can identify an individual: Name, address, email address, details of your ID card/passport (its number, expiry date, and country of issue).
• Details of personal characteristics: nationality, date and place of birth, gender.
• Financial data and those of transactions made, including the details of credit and /or debit cards or other methods of payment.
• Details concerning the flights (dates, routes, ticketing information, contact details, the agency through which the flight was booked, method of payment used, the seat number, and information about the luggage), and the reservation of services.
• Health details in the case of special needs.
• Data related to your browsing on our website, for example, the IP address from which you have accessed the site, weblogs, the pages visited, or actions performed on the website. For this we use cookies and similar technologies that may involve the tracking of your browsing. There is more information available in our Cookie Policy.
3. What do we process your data for and what is the legal basis for this?
To deal with enquiries and complaints: The details provided in the contact form, or in the course of the enquiries or complaints that you may send us, will be processed to enable us to deal with these requests or possible complaints. Such processing is necessary both for the implementation of a contract and for the application of precontractual measures to a request for the former.
Should your complaint be about services provided by third party suppliers, it will be passed on to the suppliers or providers concerned. This can involve the international transfer of your data when the recipients of this information are outside the European Economic Area. The transfer of your data to those countries where the suppliers or providers involved are located has its legal basis in article 49.1. e) of the General Data Protection Regulation (GDPR), as it is necessary for the formulation, exercise, or defence of complaints.
Likewise, depending on the nature of your complaint, the recipients of the data included in it, may be, among others, public administrations or entities, official organisms, solicitors, judges and courts, or insurance companies.
The processing of any health details that you have provided as part of your complaint has its legal basis in article 9.2. f) of the GDPR, as such processing is necessary for the formulation, exercise, or defence of complaints.
Management of reservations and the provision of requested services: The data provided in the forms to make reservations or to request services, in addition to those you may have given to tour operators or travel agencies for them to manage your booking, will be processed for the management of said booking and the provision of the services requested.
Data relating to requested services shall, of necessity, be communicated to the providers of such services, for example to airport operators and ground services operators (handling) at the airports of departure and arrival. The data to be communicated will consist of details for purposes of identification, details of the flight and any requested service, in addition to data regarding special needs should special medical assistance have been requested.
Bear in mind that when the services requested are to be provided outside the European Economic Area, the communication of such data may involve its transfer to countries that do not offer the same level of protection as the EU as far as personal data is concerned.
All such processing is required for the implementation of the contract, the provision of the services requested, and for the application of precontractual measures at the request of the data subject.
Any health details that were provided at the time of requesting special medical assistance, for example, a wheelchair or oxygen, or a special diet, will be processed so that your request may be attended to. You may cancel your consent at any moment, although, if this happens, it will not be possible to provide you with the requested service.
Financial data and those concerning transactions of goods and services shall be processed for purposes of accounting and administrative management, and to enable compliance with our legal obligations in accounting and fiscal areas.
Operation of flights: The data obtained from reservations, requests for services, and at the moment of check-in, will be processed for the operation of the flight and compliance with the safety and security regulations applicable to flights and airports.
If you made your reservation through an agency, the telephone number and/or the email address you gave them when requesting the booking will be processed to enable us to contact you to inform you of any issues affecting the operation of the flight. This processing has its legal basis in the consent that the tour operator or travel agent asked you to give in accordance with IATA Resolution 830 d).
Regulations with respect to the control of borders and security of the EU and of the countries of destination, stopovers, or, in some cases, overflight, require the communication to customs or immigration authorities of passport information (API, or Advance Passenger Information, details) and the set of data corresponding to the journey of a passenger, reserved by him/her or in his/her name, which includes the information necessary for the management of the reservation (Passenger Name Record, or PNR, data). W2Fly cannot carry passengers without collecting this type of data and passing it on to the authorities. The data that the API and PNR consists of, and which will be given to the corresponding authorities, varies in accordance with the different routes.
For more information about the data communicated and the recipient authorities, see the section “Who do we pass your data on to?” in this policy statement.
Statistical, and quality management, purposes: In order to evaluate and manage the quality of our products and services, we compile statistics from collated data obtained from the details of transactions made, and of browsing patterns on our website, e.g., IP address, weblogs, pages visited, and actions taken. (For more information, see our Cookies policy.)
Similarly, we compile anonymous statistics from data collated from bookings to measure the performance of our routes and services.
Such processing has its legal basis in our legitimate interest in evaluating and managing the quality of our services and products. When weighing up this interest in comparison with your rights and liberties, it was decided that this processing had a limited impact on the privacy of the data subjects, was in line with their reasonable expectations, and did not pose a significant threat.
Consolidation of data for internal administrative purposes of the W2M group. Personal data, economic data, reservations and, in general, data on transactions of goods and services generated by the businesses developed by the companies of the group are consolidated in centralised databases for internal administrative purposes of the group. Below is a general description of these processing operations. For more information, in particular to know the companies that make up the group, you can consult the PRIVACY POLICY APPLICABLE TO THE CONSOLIDATION OF PERSONAL DATA FOR INTERNAL ADMINISTRATIVE PURPOSES OF THE W2M GROUP.
W2M SERVICIOS CORPORATIVOS, S.L.U., with registered office at C/ General Riera 154, 07010 Palma (Illes Balears), Spain (hereinafter W2M) is responsible for the administration and security of the consolidated databases; each of the companies in the group is responsible for the data communications it makes to W2M for consolidation and for the use it makes of the consolidated data of the group. These processing operations are based on the legitimate interest of the W2M group to transmit personal data within the corporate group for internal administrative purposes and to have a consolidated view of its business for business decision-making.
Creation of a master of persons at group level: The identification and contact data you have provided together with information regarding your identity document (type and number); your gender and language, will be consolidated in a unified database at group level. The purpose is to have a single record of persons to optimise operational processes common to the group companies where it is necessary to identify a person, e.g., for payments or invoicing of services or for integration with reservation systems. This unified database will be synchronised with the systems of the group companies with which you have a current relationship.
Management control and analysis of business data: We also process the information obtained from the consolidation of economic data, reservations and, in general, the data of transactions of goods and services generated by the businesses developed by the companies of the group to generate reports and analyse business data for business intelligence and management control purposes. These analyses and reports provide results in the form of aggregated data and are used to produce statistics and forecasts to facilitate business decision-making, optimise processes, measure the performance of the tourism products offered by the group and establish commercial strategies.
Consolidation of data for marketing and profiling purposes. Data of customers and potential customers of the W2M Group are consolidated in a commercial database for direct marketing and profiling purposes. An overview of these processing operations can be found below. For further information, please refer to the PRIVACY POLICY APPLICABLE TO THE COMMERCIAL EXPLOITATION OF CUSTOMER AND POTENTIAL CUSTOMER DATA BY THE W2M GROUP.
The party responsible for the processing of the data included in the commercial database of the W2M Group is W2M SERVICIOS CORPORATIVOS, S.L.U., with registered office at C/ General Riera 154, 07010 Palma (Illes Balears), Spain (hereinafter W2M).
Your inclusion in this database is based on the consent you have been asked for. Not giving your consent or withdrawing it does not condition the execution of the bookings or the provision of the services you have contracted. The scope of the data relating to you that will be consolidated in the W2M database and the specific use that will be made of it will depend on the consent you have given at the time of providing your data. You may at any time revoke this consent or modify your preferences according to the mechanisms described in the section "What are your rights?" of the privacy policy applicable to the commercial exploitation of customer and prospect data.
Sending of non-personalised commercial communications and management of distribution lists (segmentation): W2M processes the identification and contact data you have provided together with the data relating to your customer status, language and market/origin of the data, for the sending, by any means, of non-personalised commercial communications relating to the tourism products and services offered under the brands operated by the group. + More information on the W2M Group brands here.
To manage our distribution lists, we segment the recipients of our communications according to the origin of the data, market and language. This processing consists of a simple classification according to objective criteria and is not intended for commercial profiling, prediction or behavioural analysis.
The service we use to send our commercial communications is located outside the European Economic Area. The service has been configured so that data is stored in a data centre located in the EU. As a supplementary measure, the contractual conditions applicable to this service include standard clauses approved by the European Commission to ensure an adequate level of protection for personal data transferred to this data processor.
Commercial profiling for the personalisation of the group's commercial communications and services: The data consolidated in the group's commercial database is used for behavioural analysis and predictive modelling in order to understand and predict our customers' wants and needs, the actions related to the purchase of our products and services and the factors that condition them. If you have authorised the personalisation of the group's services and communications, W2M will access the data generated by your bookings in order to include them in your commercial profile. This profile will be enriched with the information generated from your interactions with the group's companies and digital media, e.g your requests for information or quotes or the data generated by your browsing on our websites. + More information about the data we include in our commercial profiles and their sources can be found in section 2 of the privacy policy applicable to the commercial exploitation of customer and potential customer data.
Your profile will allow us to determine when to send you a commercial communication and to personalise our offers according to the type of product you are likely to be interested in based on the results of behavioural analysis and the application of predictive models.
We will also use the data included in your profile to personalise the treatment and services provided by the companies of the group with which you interact, for example, to wish you a happy birthday or to consider the preferences you have expressed at the time of making your reservations or during your use or enjoyment of the tourism products contracted. For this purpose, the companies of the group with which you interact in the future will have access to your profile.
+ More information about the logic of our commercial profiles and what personalisation of our services implies in section 3. b) of the privacy policy applicable to the commercial use of customer and potential customer data.
You may at any time request to unsubscribe from the processing of your data for commercial purposes by activating the link provided for this purpose in our communications or by sending an email to: [email protected]
4. Who do we pass your data on to? In general, your data will be communicated to third parties by legal obligation, with their consent or when necessary for the processing of the booking, or the provision of the requested services.
In compliance with EU border control and security regulations, as well as those of the destination countries, including stopovers and overflown territories when applicable, we shall communicate passport information (Passenger Advance Information or API data) and passenger name records (PNR data) to the authorities that require it in the destination or overflown countries. Such communications are made in compliance with legal obligations with the aims of the prevention, detection, investigation, and prosecution of serious crimes, such as terrorism, and for purposes of immigration control. Bear in mind that these countries might not offer the same level of protection of personal data as the EU. The international transfer of your data to the corresponding foreign authorities is necessary for the contract of air transport to be implemented. For more information about the processing of your data by these authorities and the rights which, in your case, are recognised as yours by the legislation applicable in each country, you will have to contact the competent authorities directly.
Flights to/from Spain: We forward the PNR data required by Article 5 of Organic Law 1/2020 to the Passenger Information Unit of Spain’s Counter-terrorism and Organised Crime National Intelligence Centre, under the authority of the Ministry of the Interior’s Secretary of State for Security, in the case of flights, both within the EU and elsewhere, with departure from, or arrival in, Spanish territory, or with a stopover there, as well as, exceptionally, for domestic routes or flights as may be determined by the country’s Council of Ministers. (For further details see the Spanish State Gazette at:
https://www.boe.es/diario_boe/txt.php?id=BOE-A-2020-10776)
In accordance with the provisions of Organic Law 1/2020, you may address the Data Protection Officer of the Passenger Information Unit for all issues concerning the processing of your PNR data.
Flights to/from the USA and those that overfly its territory: For passenger flights between the EU and the USA, those with departures or arrivals in the United States, or those that overfly its territory, we communicate to the United States Department of Homeland Security (DHS) the PNR data, as indicated in the Annexe to the agreement between the USA and the EU concerning the use and transfer of passenger name records to the DHS, together with the following passport information (API): Passport number, issuing country, expiry date, name (as it appears in the passport), surname, gender, date of birth and nationality, in addition to the Alien Registration Number and/or the Permanent Resident Card (Green Card) for passengers whose residence is in this country.
For more information about the processing of your data by the US authorities and your rights under the agreement concerning the use and transfer of passenger name records to the US Department of Homeland Security, please go to:
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:22012A0811(01)&rid=9
Flights to/from Cuba: We communicate the following passenger passport information (API) and PNR to General Customs of the Republic of Cuba: Flight number, country of origin of the flight, date of the flight; first surname; first name; second, or middle, name (not obligatory); gender; date of birth; nationality; country of residence (not obligatory); address of accommodation in Cuba for passengers who are not resident there (not obligatory); number of items of luggage (not obligatory); seat number (not obligatory); luggage ticket number (not obligatory); whether you are a passenger or a crew member; type of document (passport); the number of this document; expiry date of this document; issuing country of the document; departure airport, arrival airport (whether immigration clearance is to be carried out in Cuba or in a foreign country), PNR booking code (for passengers only and obligatory wherever booking systems are used)
For more information about the processing of your data by the Cuban authorities in resolution no. 393/2016 of the Ministry of Transport (MITRANS), which details the regulations concerning advance information about passengers and crew (API) on flights to Cuba, go to:
(https://www.gacetaoficial.gob.cu/sites/default/files/goc-2016-ex27.pdf )
Flights to/from Mexico: We communicate passenger passport information (API) to the National Immigration Institute of the United Mexican States and this country’s other competent authorities. The information passed to them includes: the passport number, issuing country, expiry date, name (as it appears on the passport), surname, gender, date of birth and nationality. This is in addition to the visa or immigration document that demonstrates the nature of your stay, the corresponding means of air transport, its origin and destination together with its time of arrival and of departure.
For more information about the processing of your data by the authorities in the United Mexican States’ as indicated in the Migration Act, dated May 25th, 2011, and amended on January 7th, 2021, go to: http://www.diputados.gob.mx/LeyesBiblio/pdf/LMigra_070121.pdf
Flights to/from the Dominican Republic: We will communicate passengers’ passport data (API) to the General Directorate of Migration (National Investigations Department – DNI), the General Directorate for Customs, the Ministry of Public Health, and this country’s other competent authorities. The information passed on includes: Locator of the passenger’s record (PNR); date of booking; full itinerary of the journey; name and surname, as given in the PNR, of each person carried; information about methods of payment; invoicing address; invoice order; contact telephone numbers; information about loyalty programmes (air miles flown, and address or addresses); travel agency; travel agent; information about a split/divided PNR; information about ticketing; ticket number; a passenger’s no show history; last minute passenger without a booking (go-show); information about waiting lists; luggage label number; and seat number.
For more information about the processing of your data by the Dominican authorities, see Civil Aviation Law no. 491-06; General Migration Law no. 285-04; General Directorate of Migration resolution no. DGC-02-2018; Chicago Convention of 1944 and the ICAO Passenger List Message (PAXLST) implementation guide for API.
With regard to the rest of the destination/origin countries of our flights, we will be subject to whatever the authorities establish at any time.
5. How long will we keep your data? In general, we will store your data during the life of the relationship you have with us and, in all cases, for the times laid down in the relevant statutory requirements, for example for accounting and fiscal questions, and for the time required to respond to any possible liability claims arising from this processing. We shall erase your data when it is no longer necessary or relevant for the purposes for which it was collected.
Customer data consolidated for intra-group administrative purposes will be retained in accordance with the criteria set out in the PRIVACY POLICY APPLICABLE TO THE CONSOLIDATION OF DATA FOR INTERNAL ADMINISTRATIVE PURPOSES OF THE W2M GROUP.
The data processed by W2M for commercial purposes, including commercial profiles, will be kept for as long as you do not object to the processing or request your deletion, applying the retention criteria indicated in the PRIVACY POLICY APPLICABLE TO THE COMMERCIAL EXPLOITATION OF CUSTOMER AND POTENTIAL CUSTOMER DATA BY THE W2M GROUP.
6. What are your rights? You have the right to seek confirmation as to whether your personal data is being processed or not, and if so, access it. Likewise, you may request that the data be rectified if it is inaccurate, or completed if it is incomplete. You may also ask for the data to be erased, when among other reasons, the data is no longer required for the purposes it was originally collected for. In certain circumstances, you may request the restriction of the processing of your personal data. In such a case, we will only process the data affected for the establishment, the exercise, or the defense of legal claims or in the interests of protecting the rights of other people. Under certain circumstances, and for reasons related to your particular situation, you may also object to the processing of your data. In this case, we shall cease to process the data, unless there are compelling legitimate grounds that prevail over your interests, rights, or liberties, or for the establishment, exercise, or defense of legal claims. Furthermore, and in certain situations, you may request portability of your data so that it be transmitted to another data controller.
You may withdraw the consent you had given for certain purposes, without this affecting the legality of the processing based on consent given prior to its withdrawal.
You may at any time revoke your consent to the processing of your data for commercial purposes, including commercial profiling, or modify your preferences in this regard according to the mechanisms described in the section "What are your rights?" of the PRIVACY POLICY APPLICABLE TO THE COMMERCIAL EXPLOITATION OF CUSTOMER AND POTENTIAL CUSTOMER DATA BY THE W2M GROUP.
To request your cancellation as a client or to exercise your data protection rights, you can send a request by post or e-mail indicating the right(s) you wish to exercise to: W2M Group - Attn. Responsible for the attention of RGPD rights, C/General Riera 154, 07010 Palma (Illes Balears), Spain. Email: [email protected].
You can obtain more information about your rights and how to exercise them on the W2M Group's privacy portal, on the website of the Spanish Data Protection Agency, on the website of the Portuguese National Data Protection Commission www.cnpd.pt, or by contacting the W2M Group's Data Protection Officer at [email protected].
Equally, you have the right to file a claim with a data protection authority. You may consult the list and the contact details of the European National Data Protection Agencies on the European Commission website at
http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080 .
To request that your data no longer be used for commercial purposes, you may send an email to the following email address: [email protected]
To exercise your rights, you have to send us a request to this effect by post or by email to the addresses given in the section: “Who controls the processing of your personal data?”
You may obtain more information about your rights, and how to exercise them, at the website of the Spanish Data Protection Agency http://www.aepd.es, at the website of the Portuguese National Data Protection Commission www.cnpd.pt , or at the website of the data protection authority of your country.