Privacy Policy
Our privacy commitment to you
When you use our products and services, you trust us with your information. We find this relationship extremely important and promise the following to you.
- We always process your data in accordance with the EU Data Protection Rules and other applicable privacy legislation to protect it from unauthorised access and to ensure safe data transfers.
- We are transparent about how we use the data collected from you.
- We make clear to you what your benefit is for sharing your data with us and match our communication with your needs and preferences.
- We do this in easy-to-understand language throughout the whole KLM and partner airline journey.
- We put you in control of your data and will use your feedback to improve continuously.
- We ensure that your data is safe with us. In the unlikely event that your data has been breached, we will make sure to stop the leak as soon as possible and inform you immediately.
- If we need to disclose your data outside our organisation, we describe this explicitly in our Privacy Policy. We do not share, sell, or give your personal information to any outside organisation without your explicit consent.
- We are trustworthy with your data and strive for international certifications (e.g. ISO-27001).
About this privacy policy
4.1. Main purposes for which we use your personal data (A) To provide our services to you We use the information described under 2.1 (A) to (G) to handle your reservations and bookings and to arrange your trips and purchases. For example, we use your name, passport number, and other identifying information to issue your ticket. We use your contact details to inform you about changes in your flight status.
(G) Passengers who exhibit unruly behaviour or misuse our services i. i. KLM maintains lists of passengers who have exhibited unruly behaviour or misused our services (see 2.1 (J) above). Depending on the severity of the behaviour, KLM may (i) for a period of three years attach additional conditions to their admission on board or (ii) for a period of (in principle) five years refuse them on board. In case of aggravating circumstances (such as repeated misconduct), KLM may decide to refuse a passenger for a period exceeding five years. In very severe cases, KLM may even decide to refuse a passenger permanently. Special information regarding children: Children under the age of 15 who exhibit unruly behaviour are not registered on the list. As for children aged 15 to 16, KLM may attach conditions to their admission for a maximum period of one year. Passengers will be personally informed (if possible, by e-mail) of the fact that they have been placed on the list, the reason for placement, what security measures have been imposed on them, how long these measures will be effective and where they can file a complaint or object to the placement. More information about access to or correction of this data can be found below under 8 'Your rights'. ii. Illegal drugs: KLM receives from the State of the Netherlands the names of passengers who have disembarked at Amsterdam Airport Schiphol and who have been found by the Royal Netherlands Marechaussee to be carrying illegal drugs. KLM may refuse to enter into any transport contract with these persons for a period of 3 years for direct flights from Amsterdam Airport Schiphol to Suriname, Aruba, Bonaire, St. Maarten, or Curaçao and direct flights from these countries to Schiphol. You may request permission to access or rectify this data by submitting a written request to that effect to the Royal Netherlands Marechaussee, PO Box 90615, 2509 LP The Hague, The Netherlands. If you reside in Aruba, the Netherlands Antilles, Suriname or Venezuela, you must enclose a copy of your passport with your written request.
(H) To conduct our business operations or to comply with statutory obligations We collect, use, and retain your personal data to conduct our business operations, such as for record-keeping purposes, to prevent or combat fraud, or to settle disputes. In the case of fraud or misuse of our services, we may enter your personal data in our internal fraud control and warning systems. As a result, your bookings may be subject to close scrutiny and in particular cases be refused or cancelled, or you may no longer be welcome on board our aircraft or only on certain conditions (see 4.1 (G) above). We also collect and use your personal data to comply with our legal and tax obligations. 4.2 Specific services, apps, events, contests, or campaigns For specific services, apps, events, contests, or campaigns, we may use your personal data for purposes other than those described in this privacy policy. We will inform you about those purposes when you register for the service, event, contest, or campaign, or when you download the relevant app. 4.3 Legal basis We may collect and use your personal data only if we have a legal basis for doing so. In many cases, we need your personal data to receive your booking, arrange your flight or purchases, facilitate your loyalty membership, or to answer your questions (see 4.1 (A) to (B) and (F) above). In those cases, the legal basis for processing your data is 'necessary for the performance of a contract'. If you have consented to the collection and use of your personal data (which consent you may withdraw at any time, see 8 “Your rights” below), we will collect and use your data based on that consent. In certain cases, we may use your personal data if we or third parties have a legitimate interest in doing so. We will always consider all interests carefully: your interests, the interests of others, and KLM's interests. On that legal basis, we will collect and use your data for, for instance, flight safety, statistical research, or direct marketing purposes, or to offer personalised discounts and offers (see 4.1 (C), (D),(E) and (G) above for more information). We may have a legal obligation to collect and use your data, for example, to satisfy immigration formalities (see 4.1 (H). If you refuse to provide the personal data that we need to perform the contract we have concluded with you or to comply with a legal obligation, we may not be able to provide all the services you have requested from us. Consequently, we may have to cancel your flight, or we may not be able to provide you with the additional services you have requested. If you provide incomplete or inaccurate information, we may be forced to deny you boarding or entry into a foreign territory.
5.1. General We may share your personal data with third parties in the following cases: (A) To facilitate your bookings and trips To handle your reservations and bookings and to arrange your trips and purchases, we often need to share your personal data with our partner airlines, airport operators, and other companies involved in facilitating your trip (see 3.1 (B) above, “How we collect your data”). (B) For our bluebiz corporate loyalty programme For more information, see “Who we are” and 3.1 (C) under “How we collect your data”. (C) Corporate accounts If you book a flight using your employer's corporate account, your employer will have access to certain booking details, such as the ticket price, travel dates, and your destination. Your employer is independently responsible for how it collects and uses your personal data and informs you about it. (D) For support or additional services To provide our services, we use the support or additional services of third parties, such as IT suppliers, social media providers, marketing agencies, and screening service providers. All such third parties are required to adequately safeguard your personal data and only use such data in accordance with our instructions. The Air France-KLM group carries out its business operations using centralised databases and systems. Those central databases and systems may be hosted or managed by one group company for other group companies. In addition, for efficiency purposes, certain operational functions may be performed by one group company for other group companies. This means that our group companies may have access to your personal data for these purposes. Our group companies may only use your personal data as required for the relevant business function and in accordance with this privacy policy. (E) Payment services To process payments for your trips and purchases, we may work with third parties that offer payment services. In many cases, those payment service providers also conduct fraud checks. They operate their own privacy policies in terms of the way in which they use your personal data. (F) Personalised marketing through social media platforms For more information, see 4.1 (E) under “Purposes for which we use your data”. (G) To enable our partners to tailor their services to your trip We may share your non-personalised information (destination, travel date, and duration of the trip) with partners that offer additional services (e.g. hotel accommodations, car rental services) so that they can provide you with offers tailored to your trip. Our partners operate their own privacy policies in terms of the way in which they use your personal data. 5.2. Specific services, apps, events, contests, or campaigns For specific services, apps, events, contests, or campaigns, we may share your data with third parties other than those described in this privacy policy, for example, when we organise a campaign or an event in collaboration with a partner or when we integrate their services into our apps. We will inform you about this when you register for the service, event, contest, or campaign, or when you download the app. 5.3. Data exchange with Transavia
Airlines have an obligation to guarantee flight safety. For this purpose, KLM takes certain (necessary) security measures. For example, KLM keeps a list of passengers who have exhibited unruly behaviour on the ground or on board (see 2.1. (J) and 4.2 (G) above). Based on this list, KLM can (i) for a period of three years attach additional conditions to their admission on board or (ii) for a certain period refuse them on board. Transavia, KLM’s subsidiary, maintains a similar list. To increase the scope of the internal security measures taken, KLM and Transavia exchange the personal data of passengers of whom has been decided that they must be refused boarding (see 4.1. (G) above). A person who is refused by KLM will now also be refused on board Transavia flights (and vice versa). If you have exhibited unruly behaviour and this has led to registration on the list, you will be personally informed about this by the airline where the unruly behaviour took place.
5.4 Government agencies (A) General We may be legally required to collect your personal data before you travel to another country and share it with the government agencies in the countries on your itinerary. For example, we may be legally required to collect and share your identifying data and your booking and travel information with those agencies for purposes of border control, immigration formalities, entering a country, or combatting terrorism or other serious crimes (see 5.4 (B) below). We may also be statutorily required to share your health data with the government agencies in the countries on your itinerary for public health purposes (see 2.1 (D) above). (B) PNR and API data i. General: under EU Regulations 2016/679 and 2004/82 and applicable local laws and regulations, we must pass on PNR and API details to government bodies, including the Passenger Information Units (PIUs) of various countries. API (Advance Passenger Information) concerns information about your flight and passport details. PNR (Passenger Name Record) concerns all information about your bookings, such as flight information, passengers in the booking and payment information. We pass on these PNR details to the Dutch PIU (Pi-NL) for all flights. When required to do so, we also pass on API and PNR details to the authorities in countries other than the Netherlands. ii. Country specifics: - France: under Article L 237 -7 of the French Homeland Security Code, KLM may need to transmit your reservation, checking and boarding data (API/PNR) to the French national public services and competent authorities for the purposes of and subject to conditions as defined in Decree No 2014-1095 dated 26 September 2014, as amended by Decree No 2018/714 dated 3 August 2018. 5.5. Third-party websites Our websites and mobile apps contain links to third-party websites. If you follow those links, you will leave our websites or mobile apps. This privacy policy does not apply to the websites of third parties. For more information on how they handle your personal data, please check their privacy and/or cookie policies (if available).
6.1. Security (A) Our commitment Ensuring the security and confidentiality of your personal data is our priority. Taking into account the nature of your personal data and the risks of processing, we have put in place all appropriate technical and organisational measures as required by applicable legal provisions (in particular article 32 of the General Data Protection Regulation (GDPR)) so as to ensure an appropriate level of security and, in particular, to prevent any accidental or unlawful destruction, loss, alteration, disclosure, intrusion of or unauthorised access to these data. (B) The security measures we have taken i. Banking transactions: we are required to comply with the Data Security Standard for the Payment Card Industry (the PCI DSS standard) issued by the PCI Security Standards Council (PCI SSC). This standard was created to increase control over cardholder information so as to reduce the fraudulent use of payment instruments. All KLM service providers required to process bank card data must comply with the PCI DSS standard. We strive to combat identity theft on the Internet. For this reason, we use, for example, a device for detecting fraudulent payments designed to protect you in the event of loss or theft of your bank card. ii. Organisational measures: we have implemented and maintain various organisational measures intended to strengthen the awareness and accountability of our employees. We have programmes in place designed both to ensure awareness and to promote the sharing of good practices and safety standards. In this context, a rich collection of documents on information security challenges and privacy protection have been made available to our employees. iii. Technical measures: we strictly control physical and logical access to internal servers hosting or processing your personal data. We protect our network with state-of-the-art hardware devices (Firewall, IDS, DLP etc.) as well as architectures (including secure protocols such as TLS 1.2) in order to prevent and limit the risk of cybercrime. (C) The evolution of our security systems To maintain an appropriate level of security, we have internal processes in place based on the best standards (in particular, the ISO 27000 family of standards). We rely on dedicated experts to guarantee the best possible level of protection. In this regard, we maintain a privileged relationship with the NCSC (National Cyber Security Centre).
(D) How to protect yourself Personal data security and confidentiality depend on everyone's best practices. When you make a reservation, you will be sent file references . These booking references must remain confidential at all times. Disclosing them to other passengers may allow them access to your booking information through our systems or those of third parties involved in delivering your trip (e.g. travel agencies or online search and booking sites). If you are travelling with others and do not want your personal information disclosed to them, we recommend making separate reservations. We also advise you not to disclose the passwords you use to access our services to third parties, to log out of your profile and social account systematically (especially in the case of linked accounts), and to close the browser window at the end of your session, especially if you are accessing the Internet from a public computer. This will prevent other users from accessing your personal data. To avoid the risk of hacking, we recommend using different passwords for every online service you use. We cannot be held responsible for theft of your data on a platform that is not managed by us. In addition, we strongly recommend that you do not distribute to third parties documents issued by KLM containing your personal data (your boarding pass, ticket number, etc.) or other information related to your trip or to publish these on social networks. If you decide to publish these documents on social media, you are responsible for consulting and understanding the general conditions of use, information security practices and privacy policies applicable to those third-party social networks. We cannot be held responsible for how data is processed, stored or disclosed on these platforms. To find out more about our IT security measures, please consult our IT security portal. (E) Management of security incidents There is no such thing as ‘zero risk’ and even if we implement all the security measures recognised as appropriate, unforeseen things can happen. We have specific procedures and resources in place to manage security incidents under the best possible conditions. We have also set up a specific procedure for assessing possible breaches of security that could lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to your personal data, for notifying the competent supervisory authority within the period stipulated by applicable law, and for warning you when a breach is likely to result in a high risk to your rights and freedoms. Tests are carried out periodically to verify the functioning of the security installations and adequacy of the procedures and devices deployed. 6.2. Retention
We do not keep your personal data for any longer than is necessary. How long your personal data is retained depends on the purposes for which the data is processed and the applicable statutory retention periods.
9.1. This privacy policy took effect on 15 September 2022 and replaced our previous privacy policy of 20 August 2020. This privacy policy is amended from time to time. We will notify you of any changes before they take effect.