Privacy Policy

1. Personal Data We Collect

We collect and process various categories of personal data, depending on your relationship with us (e.g. student, job applicant, vendor).

Category of Data Examples of Data Collected
Identity Data Name, date of birth, gender, nationality, passport/Emirates ID details, photograph.
Contact Data Residential address, email address, telephone numbers.
Training & Aviation Data Unique Candidate/Learner Number (UCN/ULN), professional licences, flight hours, examination results, attendance records, course history, CPD records.
Financial Data Payment details (bank account/card details) for course fees, invoicing, and refund processing.
Employment Data Job title, employer details, training contract details, CV/Resume for job applicants.
Sensitive Personal Data (Special Category Data) Medical information or health data (e.g., medical fitness certificates, dietary requirements, disability status) were explicitly required for safety, reasonable accommodation, or regulatory compliance. We only process this data with your explicit consent or a clear legal basis.


2. How and Why We Use Your Personal Data (Purposes and Legal Basis)

We will only use your personal data when the law allows us to (on a 'lawful basis'). The primary purposes for processing your data and the corresponding legal bases are:

Purpose of Processing Type of Data Used Lawful Basis (UAE PDPL & UK GDPR)
Course Enrolment & Delivery Identity, Contact, Training & Aviation, Financial Contractual Necessity: To perform the training contract with you.
Certification and CPD Reporting Identity, Training & Aviation Legal Obligation/Legitimate Interest: To issue certificates and report attendance/results to civil aviation authorities (GCAA, CAA, EASA, etc.) and CPD certification bodies.
Billing and Payments Identity, Financial, Contact Contractual Necessity/Legal Obligation: To process payments, fees, and comply with tax laws.
Safety and Health Requirements Sensitive Personal Data (Health) Explicit Consent/Legal Obligation: For aviation safety and to provide necessary accommodations and services.
Customer Service & Inquiries Identity, Contact, Training & Aviation Legitimate Interest: To respond to your requests and manage our relationship efficiently.
Marketing (Courses & News) Identity, Contact Consent: Where you have explicitly opted-in to receive promotional material. You may withdraw consent at any time.
Website Operation & Improvement Technical Data Legitimate Interest: To ensure our website security and improve user experience.


3. Disclosure and Sharing of Your Personal Data

We may share your personal data with the following third parties:

  1. Civil Aviation Authorities (CAAs): Including UAE GCAA, UK CAA, EASA, or other relevant national regulators for licence verification, training records submission, and compliance.
  2. Accreditation/CPD Bodies: UK and international bodies for Continuous Professional Development (CPD) certification, quality assurance, and training validation.
  3. Affiliated Companies/Partners: Other entities within the ATWATS group or trusted partners involved in course delivery or administrative support.
  4. Payment Processors: Third-party services to securely handle online payments.
  5. Professional Advisors: Bankers, Accountants, Lawyers, auditors, or insurers.
  6. Law Enforcement/Regulators: When required by law or necessary to protect our legal rights, particularly for compliance with UAE or international law.

We ensure that all third parties are obligated to respect the security of your personal data and treat it in accordance with this Privacy Policy and applicable data protection laws.



4. International Data Transfers (UAE and UK)

ATWATS is a Dubai-based entity; therefore, the processing of your data primarily takes place in the UAE.

  1. Transfer out of the UK (UK GDPR): For individuals located in the UK, your personal data will be transferred outside the UK (to the UAE). We rely on appropriate safeguards, such as Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), to ensure your data receives a level of protection essentially equivalent to that under UK GDPR.
  2. Transfer out of the UAE (PDPL): We comply with the UAE PDPL requirements regarding cross-border data transfer, ensuring that the recipient country has an adequate level of protection or that appropriate legal safeguards are in place.


5. Data Security and Retention

  1. Security: We have implemented robust technical and organisational security measures (including access controls) to prevent your personal data from being accidentally lost, used, accessed, altered, or disclosed in an unauthorised way.
  2. Retention: We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements (e.g., GCAA/CPD records, tax records). Our specific retention periods are outlined in our internal Data Retention Policy.


6. Your Legal Rights (Data Subject Rights)

Under both UAE PDPL and UK GDPR, you have significant rights over your personal data. These rights include, but are not limited to:

Your Right Description
Right to be Informed To be provided with clear, transparent, and easily understandable information about how we process your personal data (this Privacy Policy serves this purpose).
Right of Access (SAR) To request a copy of the personal data we hold about you.
Right to Rectification To have inaccurate or incomplete data corrected.
Right to Erasure To ask us to delete your personal data (subject to legal or contractual requirements to retain data, e.g., GCAA records).
Right to Restrict Processing To temporarily limit the way we use your data.
Right to Data Portability To receive your data in a structured, commonly used, and machine-readable format and transmit it to another Controller.
Right to Object To object to processing based on our legitimate interests or for direct marketing purposes.
Right to Withdraw Consent To withdraw your consent at any time where consent is the lawful basis for processing.

To exercise any of these rights, please contact our Data Protection Officer (DPO) using the contact details provided in Section 1. We will respond to your request in line with the requirements of applicable law.



7. Complaints

  1. In the UAE:: If you have concerns about our use of your data, you should first contact our DPO.


8. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on our website and updating the "Effective Date" at the top of this policy.