Data Protection Policy

Data Protection Policy

This Data Protection Policy outlines the commitment of Air Traffic World Aviation Training services (ATWATS), an aviation training company based in Dubai, UAE, to protect personal data. This policy is established to ensure compliance with the UAE Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data (PDPL) and the UK General Data Protection Regulation (UK GDPR), particularly considering the requirements for Continuous Professional Development (CPD) certification and international data transfers.



1. Scope and Applicability

This policy applies to all personal data processed by ATWATS, including data relating to:

  1. Trainees, students, and applicants.
  2. Employees, contractors, and job applicants.
  3. Suppliers, vendors, and business contacts.
  4. Any individual whose personal data ATWATS processes in its operations.

The processing includes collecting, recording, storing, using, disclosing, transferring, or deleting personal data in both manual and electronic formats.



2. Key Data Protection Principles

ATWATS adheres to the following core data protection principles, consistent with both UAE PDPL and UK GDPR:

Principle Description
Lawfulness, Fairness, and Transparency Personal data is processed lawfully, fairly, and transparently, with a clear legal basis (e.g., consent, contractual necessity, legal obligation).
Purpose Limitation Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Minimisation Data collected is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
Accuracy Personal data is accurate and, where necessary, kept up to date. Every reasonable step is taken to ensure inaccurate data is erased or rectified without delay.
Storage Limitation Personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed (Data Retention Policy applies).
Integrity and Confidentiality (Security) Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures.
Accountability ATWATS, as the Data Controller, is responsible for and must be able to demonstrate compliance with these principles. This includes maintaining detailed records of processing activities.


3. Lawful Basis for Processing

ATWATS will only process personal data when it has a valid lawful basis, which may include:

  1. Consent: The data subject has given clear, unambiguous, and informed consent for processing their personal data for one or more specific purposes (e.g., marketing communication).
  2. Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is party (e.g., enrolment in a training course) or to take steps at the request of the data subject prior to entering into a contract.
  3. Legal Obligation: Processing is necessary for compliance with a legal obligation to which ATWA is subject (e.g., GCAA or international aviation regulatory reporting).
  4. Legitimate Interests: Processing is necessary for the legitimate interests pursued by ATWA or a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject.


4. Individual Rights (Data Subject Rights)

ATWATS respects the rights of individuals concerning their personal data and has processes in place to handle requests in line with both UAE PDPL and UK GDPR requirements. These rights include, but are not limited to:

  1. Right to Information: The right to be informed about the collection and use of their personal data.
  2. Right of Access: The right to obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data (Subject Access Request - SAR).
  3. Right to Rectification: The right to have inaccurate personal data corrected without undue delay.
  4. Right to Erasure (Right to be Forgotten): The right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
  5. Right to Restrict or Stop Processing: The right to block or suppress processing of personal data in certain circumstances.
  6. Right to Data Portability: The right to obtain and reuse their personal data for their own purposes across different services.
  7. Right to Object: The right to object to processing based on legitimate interests or direct marketing.
  8. Rights related to Automated Decision Making and Profiling: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects.

All formal requests to exercise these rights must be submitted in writing to ATWATS.



5. Cross-Border Data Transfer Requirements

As a UAE company interacting with UK CPD requirements, ATWATS must handle international transfers carefully.

  1. Transfers from the UAE: Personal data may only be transferred outside the UAE if the recipient country ensures an adequate level of protection (as determined by the UAE Data Office) or if one of the specified exceptions applies (e.g., explicit data subject consent, necessary for a contract, public interest). Appropriate safeguards must be implemented.
  2. Transfers to the UK/EEA: Transfers from the UAE to the UK/EEA are subject to the above requirements.
  3. Transfers from the UK/EEA: If personal data is transferred from the UK/EEA (e.g., from a UK CPD body or a UK student) to ATWATS in the UAE, ATWA must ensure that the transfer mechanism is compliant with UK GDPR (e.g., an adequacy decision, Standard Contractual Clauses (SCCs), or the UK International Data Transfer Agreement (IDTA)).


6. Security and Technical/Organisational Measures

ATWATS commits to implementing and maintaining appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

  1. Confidentiality: Access to personal data is strictly controlled and limited to ATWATS staff who require it for their duties.
  2. Encryption and Pseudonymisation: Sensitive data, such as health or financial information (Special Category Data under UK GDPR, Sensitive Personal Data under PDPL), is secured using encryption.
  3. Access Control: Distribution List, Strong password policies, Multi-Factor Authentication (MFA), and role-based access controls are mandatory.
  4. Physical Security: Hard copy records are secured in locked cabinets within secure, access-controlled premises (as applicable in the Dubai office).
  5. Business Continuity: Regular data backups and a comprehensive Disaster Recovery Plan are maintained.


7. Data Breach Management and Notification

In the event of a personal data breach (accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data):

  1. ATWATS' Data Protection Officer (DPO): must be notified immediately.
  2. Investigation and Mitigation: ATWATS will investigate the breach promptly and take necessary steps to contain and mitigate the risk.
  3. Notification to Regulatory Authorities: Where required by law (UAE PDPL or UK GDPR, depending on where the data subject is located), ATWATS will notify the relevant supervisory authority of a breach without undue delay (typically within 72 hours of becoming aware).
  4. Notification to Data Subjects: ATWATS will notify the affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.


8. Data Protection Officer (DPO)

ATWATS has appointed a Data Protection Officer (DPO) to oversee compliance with this policy and relevant data protection laws.

Role Contact Details

Email cco@atw-aviation.com


  1. Monitoring compliance and informing/advising ATWATS management and employees.
  2. Acting as a contact point for supervisory authorities and data subjects.
  3. Maintaining the Record of Processing.


9. Training and Awareness

All ATWATS personnel who process personal data will receive mandatory data protection training as part of their Continuing Professional Development (CPD) requirements, covering both UAE and UK/international data protection obligations. Training will be refreshed annually.



10. Policy Review

This policy will be reviewed and updated at least annually, or more frequently if there are significant changes to applicable laws, regulations, or ATWATS's data processing activities.