22 May 2018
“Personal data” refers to all information that can be directly or indirectly linked to a natural person. In section 3 you can see what kind of personal data that we process.
SAS protects your personal privacy. The personal data you give us access to, as well as data that we collect, for example about how you use SAS websites, will be processed with the utmost respect. Our goal is to be as transparent and clear as possible but if you still have questions about how we process your personal data, please contact our Data Protection Officer.
1. Who is responsible for your personal data?
SAS is the legal entity that is responsible for personal data in accordance with prevailing laws on data protection, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General data Protection Regulation, “GDPR”).
SAS has appointed a Data Protection Officer to help SAS ensure that your personal data is processed in the correct manner. You are welcome to contact our Data Protection Officer with questions or requests concerning our processing of your personal information by sending an email to firstname.lastname@example.org.
2. When and how do we process your personal data?
SAS collects personal data about you that you provide to us when you use our websites or our services, for example when you book a trip, when you contact our customer service or use our mobile app.
In connection with your trip, SAS will process your personal data in accordance with a common industry standard for reservation and travel data in the airline and travel industry, referred to as Passenger Name Record (“PNR”) in electronic reservation systems. PNR data contains the passengers' name, address, contact information and relevant information regarding any such additional services requested, as well as travel data for a passenger or group of passengers who are travelling together. The purpose of a common industry standard is to create standardised processes for exchanging reservation and travel data between different airlines for passengers who are flying with more than one airline to reach their destination and to facilitate airport services for passengers, such as check-in and luggage handling.
With your consent, we may also collect personal data about you from external sources, for example SAS partners (these can be companies that provide such services that you may consider purchasing in association with your trip, such as hotel chains and car rental companies), SAS EuroBonus partners (these are listed here or data from client registers that we have purchased from third parties. Data may also be obtained from social networks such as Facebook or Google that you have connected to some of our services.
The use of the term “to process” refers to each action or combination of actions, independent of whether they are automated or not. All processing of personal data is thus covered, from collection, storage, processing and use to transfer, limitation or destruction.
3. Which personal data about you will we process?
Depending on how and to what extent you use SAS websites and SAS services, SAS may process different categories of information about you. We will only process information about you to fulfil an agreement with you, to meet a legal requirement, if SAS has a legitimate interest or if we have been given your consent to do so. See below for more information about which data we collect and why.
We are aware that certain types of personal data are particularly sensitive, such as data about ethnic origin, religious beliefs and health. We will only collect and use such sensitive personal data when it is absolutely necessary and in accordance with this policy, for example if you have requested specific medical assistance in connection with a booking, requested permission to fly with a medical condition or to fly less than four weeks before a planned birth with pregnancy, requested a special diet or if you chose to share such sensitive personal data with us in some other way.
4. For which purposes will we use your personal data?
SAS collects your personal data for different purposes. The personal data that we collect and how we use it depends on which services you use and which (if any) membership and/or logins you have. SAS will use your personal data for the following purposes:
- To provide and administer the services that you have requested from us and to meet our commitments to you in your use of SAS services, for example in association with the management and administration of your bookings and payments. This may include the processing of information regarding travel arrangements and services that have not been provided by SAS but which constitute a part of the travel arrangements you have chosen, such as data about connections, airport arrangements and customs and immigration formalities.
- For administrative purposes, for example in order to be able to process your membership, accounting, invoicing and auditing, verification and control of debit cards, necessary immigration and customs checks, matters concerning health and safety, as well as other administrative and/or legal purposes (e.g. complaints and grievances) when justified.
- To be able to fulfil our agreement with you, for example by sending such information to you that is necessary with respect to the service you have purchased from us, for example information about booking status, any changes to your travel arrangements and similar.
With your specific consent to one or more of the purposes below, we will also process your personal information in accordance with the following:
- To market our services and those of our partners, for example by sending or offering newsletters, campaigns, special offers and other marketing offers that we think are relevant or might be of interest to you and to be able to offer you an individually customised and personal experience when you visit our websites, use our mobile app or make use of our services. See point 5.5 below on profiling.
- Some general information about you and your profile may be shared with SAS partners in order for you to receive an individually customised experience when you visit our partners' websites.
- To improve, analyse, develop and maintain our services for the purpose of continuously improving our customer offer. This may occur, for example through internal analyses or by involving external advisers.
5. On which legal grounds do we process your personal data?
5.1 When it is necessary in order to fulfil an agreement with you
To be able to fulfil our agreement with you (for example so that you can carry out your travel), we must process certain data about you. The information we process depends on which type of agreement we have concluded but in general we will process the following information:
- Information that identifies you, such as name, address, date of birth, email address, telephone number, payment details, gender and passport number.
- Information about your bookings, your travel plans, your travel company, any booking preferences that require assistance or special diet and other information linked to your booking.
- Information that we obtained from external sources for example, information from SAS partners and other similar information, as well as information that we have obtained from someone else who has made a booking in your name.
- Information that you provide when you contact us in association with your travel, for example luggage check-in and aboard our flights, contact with our customer services (including audio recordings) or when you contact SAS via social media.
- Information attributable to any membership you have such as EuroBonus and if you are travelling under a company agreement, e.g. SAS Corporate Agreement and SAS Travel Pass.
5.2 When SAS has a legitimate interest
We may also process personal data based on a so-called balancing of interests. In such cases, processing occurs only when SAS or a third party has a legitimate interest that is greater than your interests or fundamental rights and freedoms for the protection of your personal data.
We process the following personal data based on a balancing of interests:
- For internal business purposes and to the extent necessary to develop the SAS general customer offers and business model, we may process booking and travel data (for example booking history and purchase behaviour) and customer service data. Our use of such information for statistical and analytical purposes will occur solely on an aggregated and non-individual level.
- When you book a trip with us you will receive a confirmation from us. If you consent to this in accordance with the information below, in this confirmation you may also receive offers connected to the booking you have just made.
We will also process your personal data to prevent, examine or report cases of fraud or security issues and to cooperate with law enforcement bodies. It is usually in both parties’ interest that your data is processed.
5.3 In order to meet legal requirements
SAS may also be statutorily liable to process and save certain personal data about you and will do so to the extent required by law. For example, the legal requirements with which SAS must comply may concern reporting, customs and immigration issues and law enforcement.
5.4 If we have been given your consent
SAS will also process your personal data when we have been given your consent for processing. You have the right to revoke your consent at any point in time, please refer to point 13.1 below.
We will only process the following data if we have been given your express, specific, informed and unambiguous consent:
- Your contact details in order to be able to contact you for marketing purposes (e.g. offers regarding EuroBonus membership), if you have booked a trip with us or registered to receive newsletters or offers via email.
- Information about your use of our services, including travel and booking history.
- We may also collect information about your personal characteristics (including your behaviour and personal preferences), for example what interested you on other websites, for the purposes of being able to provide you with more relevant offers. This may involve so-called segmented information, meaning non-individual information, for example about a group of individuals and its preferences (in other words, we will not have detailed information about which pages you have visited or searches you have done). This may also be individual-based information about you that we have obtained from external sources, for example purchase history and other information from SAS partners, demographic data, price sensitivity and other similar information. We collect and link this information to be able to create an individual profile about you. For more information about profiling, see section 5.5 below.
- If you use our mobile app, we may collect information about your geographical position. Such location information is used, for example, to make your trip easier, to display advertisements that are relevant for your current location and for statistical compilation.
- If you consent to us processing your geographical information but not to the information being collected via location services in your mobile, we can get information about your approximate geographical position from your use of our websites. For example, this can help us determine in which language we should present our websites for you.
5.5 What is profiling?
For those who have provided consent to additional processing of your personal data, the data will also be used to create a profile about you. Profiling means that your personal data is used to assess certain personal aspects about you, for example to analyse or predict your ability to pay, your personal preferences, interests, reliability, behaviour, permanent residence or relocation. SAS does this to provide you with more personal assistance and offers that are of interest just to you, both through a personal, customised experience of our websites and through marketing distributions.
Some of the profiling that is conducted is based on so-called predictive models or “scoring.” For example, this may mean that we follow up on the outcome of earlier offers on the basis of a number of different variables (for example, who has opened it and who then went on to make a purchase), in order to then be able to target the right type of offer to the right category of recipient.
6. To whom will SAS disclose your personal data?
SAS will only share your personal data with companies within the SAS Group except in the exemption situations described below.
Because of mandatory requirements from foreign authorities and to make possible the execution of the travel plans you have chosen, SAS and other airlines may be under an obligation to provide foreign authorities access to certain PNR data and Advanced Passenger Information (“API”), with respect to passengers who are flying to, from or over countries both within and outside the European Union (“EU”) and the European Economic Area (“EEA”), including the USA. Such data is used primarily to prevent and combat terrorism and other serious crime. In addition, PNR and API are governed through Directive 2016/681/EU. For further information, including information about which countries that request access to this reservation data, please email our Data Protection Officer.
If it is necessary in order for us to be able to carry out your flight in accordance with the terms and conditions for travel, your personal data will also be shared with:
- Other airlines and other companies that are involved in the provision of the service that you will make use of;
- Companies that are part of the booking and performance of your flight, e.g. travel agencies, freight forwarders and agents;
- IT providers and developer who ensure the operation and security of our IT systems on behalf of SAS;
- Credit card companies with which SAS collaborates to offer different payment solutions, such as MasterCard and American Express;
- Security companies and businesses that work with preventing and combating fraud; and
- Authorities and law enforcement bodies.
If you have expressly and specifically consented to this or if you are a EuroBonus member, your personal data will be shared with SAS partners (for example, companies that provide such services that you may consider purchasing in association with your trip, such as hotel chains and car rental companies), SAS EuroBonus partners (these are listed here), credit reporting companies, social media providers and search engines.
7. Will your personal data be processed outside the EU?
Personal data will be transferred between companies in the SAS Group, including for the implementation of our international flights, to administer and maintain your account and membership and for statistical purposes.
Personal data that is shared within the SAS Group in this way will sometimes be transferred to countries that are not members of the EU or the EEA and that do not ensure a satisfactory level of security for personal data. Such transfers will be carried out in accordance with the prevailing law on data protection.
When personal data is transferred to a non-EU/EEA country without satisfactory levels of protection for personal data, we will apply appropriate measures, usually by including a standard contractual clause that has been adopted by the European Commission. These standard contractual clauses can be found at the following link: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.
If there is a lack of both a decision on adequate levels of protection by the European Commission and established appropriate security measures in the form of standard contractual clauses in accordance with the above, we will transfer your personal data to companies within the SAS Group, based on the fact that it is necessary in order to fulfil the agreement we have with you. If you are an EuroBonus member, this will be EuroBonus terms and conditions and if you are the account holder, this will be profile account terms and conditions.
8. How do we protect your personal data?
We have taken extensive technical and organisational measures to protect your data from loss, abuse and unauthorised access. Processing and transfer of data between your web browser and our server is properly protected by encryption and we are continuously updating our security measures.
When you pay for any of our services using a card, all information is sent via a secure connection to ensure that your personal data cannot be read by third parties. The actors with whom we collaborate in terms of card payments are all certified in accordance with the international security standard PCI-DSS, which means a very high level of security for the processing of your card details.
9. Does SAS use subcontractors?
We use subcontractors to be able to provide our services to you. Our subcontractors process your personal data only on behalf of SAS and in accordance with instructions issued by SAS. All subcontractors that process personal data on behalf of SAS have concluded personal data processing agreement with SAS in accordance with applicable law. SAS hires subcontractors in several different areas, for example for IT services like storage and operation.
10. For how long do we store your personal data?
We will save your personal data as long as it is necessary with regard to the purpose of the processing.
If you are an EuroBonus member or if you have created a profile account on our website, information about you will be saved as long as you are a member of EuroBonus or have an active account with SAS.
If you book a trip with SAS, we will save your data for ten years after the trip is completed in order to meet legal and regulatory requirements and process any grievances and complaints. If you visit SAS websites without booking a trip, see section 10 for storage times with respect to cookies.
SAS continuously conducts sorting of personal data in accordance with applicable law. This means, for example, that SAS will delete or anonymize data when it is no longer needed to meet the purpose of the processing.
11.1 What are cookies and how does SAS use them?
Cookies are used to get web pages to work more effectively but also to provide certain information to the owner of a home page. Cookies make it possible to differentiate different users from each other, which in turn can give respective users a more tailored and positive experience of the website.
Some of the cookies used on SAS websites are so-called third party cookies, which are set by some of the partners of SAS. If you have consented to it, these third party cookies use information about your use of SAS websites, as well as other websites, for example which pages you visit or which advertisements you are interested in, in order to be able to provide advertisements later that are more customised for you, both on SAS websites and on other websites, so-called interest-based advertising.
13. What are your rights?
You have many rights concerning how we process your personal data. For example, you have the right to revoke your consent to a certain processing at any point in time, see next section. If you are an EuroBonus member or a profile account holder, by logging into your account you can easily revoke your consent for certain processing. The same applies to other rights in accordance with the information below.
If you do not have any accounts with us or you need help, please contact our Data Protection Officer.
13.1 Revocation of consent
If we process information about you based on your consent, you have the right to revoke your consent at any point in time by contacting our Data Protection Officer. We will then terminate the processing of the personal data that is based on your consent. You can only revoke your consent for future processing and not for processing that has already happened. If you revoke your consent, this may mean that for example, you can no longer receive similar tailored offers and that you cannot fully use some of our services.
You also have the right to decline marketing notifications. Every marketing notification that we send to you will contain a link that you can use if you wish to unsubscribe from further marketing distributions.
Otherwise, at any time you can change your mind regarding the type of marketing notification that you wish to receive from SAS by contacting us.
If you are an EuroBonus member you can log in to your EuroBonus profile to change your marketing preferences. If you have registered on the SAS home page, you can change your preferences regarding marketing distribution by logging in to your profile account on our home page.
Note that although you have informed us of your wish to no longer receive marketing notifications, SAS will still send you such information that is necessary for SAS to be able to meet its commitments to you, for example booking confirmations and other information in connection with your booking with us. If you are an EuroBonus member, you will still receive such information that is necessary for us to be able to administer your membership.
13.2 Correction and deletion
If your personal data that SAS processes are incorrect, incomplete or irrelevant, you can either log in to your account and correct the data or request that the data are corrected or deleted by contacting our Data Protection Officer. Please note that deletion may mean that SAS cannot perform booked services and that your account may be terminated.
13.3 Right to restrict the processing
You have the right to restrict the use of your personal data or request the termination of the use of your personal data. This will probably mean that SAS can no longer provide its services to you.
13.4 Right to read the data
If you want to get more information about how we process your personal data or if you want to know what kind of personal data about you that we process, you can request to obtain your personal data. You have the right to request a copy of your personal data from our register. If you are an EuroBonus member or have a site profile account, you can request an excerpt when you are logged in.
If you are not an EuroBonus member or have an account, you can email our Data Protection Officer or send a written request to the address stated in section 14 below. In order for us to be able to verify your identity a signed request in writing must be sent by post and a copy of valid ID including your name and address and other such information that will help us identify you, for example:
- Any email addresses that you have used in communication with SAS
- EuroBonus number or TravelPass number
- Any telephone number you have used in communication with SAS (for example customer service cases)
- Booking number and/or flight number and date.
SAS must always ensure that it is the right person who is receiving the information about how we process their personal data. SAS will only disclose personal data if we can verify your identity in accordance with the above.
13.5 Right to complain
It is important for us that you feel safe and we will process your personal data with the utmost respect. If you still consider that SAS is processing your personal data in an incorrect manner, you are welcome to contact us. You also have the possibility of submitting a grievance to the Swedish Data Protection Authority.
13.6 Right to object
You have the right to raise an objection at any point in time to the processing of your personal data that is based on our legitimate interest in accordance with point 5.2 above. If SAS cannot demonstrate compelling legitimate grounds for the processing of your data that outweighs your interests, rights and freedoms or that the processing is done for the establishment, exercise or defence of legal claims, then SAS will no longer process your personal data.
13.7 Right to data portability
You have the right to request to receive your personal data that we process in a machine-readable format, which you have the right to transfer to another Data Protection Officer.
13.8 Right to be forgotten
Your right to erasure means that you can request that we delete the personal data we have about you without undue delay, if it is no longer necessary for the purpose for which it was collected, if you revoke your consent and there is no other legal ground for the processing, if you object to the processing, or the erasure is necessary due to compliance with a legal obligations. However, this does not apply if the processing is necessary in order to exercise the right to freedom of expression and information, fulfil a legal obligation or a task of public interest or in order to determine, make applicable, establish, exercise or defend legal claims.
14. How can you contact us?
Data Protection Officer
Scandinavian Airlines System
Frösundaviks Allé 1
169 70 Solna