Privacy Policy

Data Controller: Charlie Airlines Ltd, operating as Cyprus Airways. A Data Protection Officer (DPO) has been appointed to oversee compliance with applicable data protection legislation.

Quick Navigation

Who We Are & Contact Details
Policy Updates & Third-Party Links
Personal Data We Collect
How We Collect Your Data
Purposes & Legal Basis for Processing
Disclosures & International Transfers
Data Security
Data Retention Period
Your Rights & Complaints
Human Resources (Careers)

Who We Are & Contact Details

The Data Controller is Charlie Airlines Ltd, operating as Cyprus Airways. A designated Data Protection Officer (DPO) supervises compliance with the General Data Protection Regulation (EU) 2016/679 and applicable national legislation.

Email (DPO)	dpo@cyprusairways.com
Address	28 Eleftherias Street, Aradippou, 7101, Cyprus
Telephone	+357 24 020 980

Policy Updates & Third-Party Links

We review and update this Policy periodically. You are encouraged to ensure that the personal data we hold about you remains accurate and up to date.
Our website may contain links to third-party websites (e.g. Rentalcars.com, Booking.com, ParkCloud, Atlantic). Such websites operate under their own privacy policies, for which we bear no responsibility.

Personal Data We Collect

View Categories
- Identity Data: full name, date of birth, identity card/passport number.
- Contact Data: email address, telephone number.
- Transaction Data: payments relating to tickets and ancillary services.
- Marketing Preferences: newsletter and communication preferences (processed based on explicit consent).
- Recruitment Data: qualifications and information contained in CVs submitted in connection with employment applications.
- Special Assistance Data: strictly limited information necessary to provide PRM (Persons with Reduced Mobility) support at airports or onboard.
- Cookies Data: website usage and preference data collected in accordance with our Cookies Policy.

How We Collect Your Data

Source	Examples
Direct Interaction	Purchase of tickets or ancillary services (website or Call Centre), newsletter subscription, marketing consent, participation in competitions, job applications.
Automated Technologies	Cookies and analytics tools (in accordance with our Cookies Policy) used to record preferences and enhance user experience.

Purposes & Legal Basis for Processing

View Purposes
- Issuance of tickets and ancillary services, payment processing, and communication regarding delays or cancellations.
- Sending newsletters (where you have subscribed) and promotional communications (where you have opted in; you may unsubscribe at any time).
- Compliance with legal and regulatory obligations (including border control, API/PNR requirements).
- Recruitment procedures: assessment of suitability for available positions.

Disclosures & International Transfers

We share only the strictly necessary booking data with service providers (e.g. car rental, accommodation, insurance) in order to complete your travel arrangements.
All service providers are contractually bound to comply with GDPR-level data protection standards and to process data solely in accordance with our documented instructions.
Some partners may be located outside the European Economic Area (EEA). Transfers are carried out on the basis of adequacy decisions or EU Standard Contractual Clauses and in accordance with guidance issued by the Cyprus Data Protection Commissioner.
Payment processing is performed via a financial institution within the EEA certified under PCI DSS standards.
Where legally required, we transmit necessary data to border control authorities and passenger information units.

Data Security

We implement appropriate technical and organisational measures to safeguard your personal data against loss, unauthorised access, alteration, or disclosure. Access is restricted to personnel and service providers who require such data to perform their duties and who are subject to confidentiality obligations.

Data Retention Period

Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected.
Call Centre recordings are retained for 30 days.
Where retention periods are prescribed by law or regulation, such periods shall prevail. Data may be retained for longer where required to comply with legal obligations or to establish, exercise, or defend legal claims.

Your Rights & Complaints

View Rights
- Access/Rectification: request access to your personal data and correction of inaccurate data.
- Objection: object to certain types of processing (subject to mandatory aviation/security legal requirements).
- Marketing: withdraw consent or unsubscribe from marketing communications at any time.
- Contact the DPO: dpo@cyprusairways.com.
If you are dissatisfied with our response, you may lodge a complaint with the Office of the Commissioner for Personal Data Protection, Iasonos 1, 1082 Nicosia, Cyprus.

Human Resources (Careers)

Recruitment Data
- The Human Resources Department processes employee and applicant data strictly for recruitment and employment purposes.
- General applications are retained for a limited period; you may contact hr@cyprusairways.com for updates or related requests.
- Access is restricted to HR personnel and authorised staff involved in the evaluation process.

This summary reflects our current practices. In the event of any inconsistency, the full version of the Privacy Policy as published by Cyprus Airways shall prevail.

Last updated: December 2025.

This information is subject to change and improvement without prior notice. Please check our website regularly for the most up-to-date information.