Privacy Policy

We are Koninklijke Luchtvaart Maatschappij NV (also known as KLM Royal Dutch Airlines or KLM), a Dutch airline, with its office at Amsterdamseweg 55, 1182 GP Amstelveen, The Netherlands. KLM is part of the Air France-KLM Group. For more information, please check our website under “Corporate”. KLM is responsible for the collection and use of your personal data described in this privacy policy. We offer our corporate loyalty programme bluebiz in partnership with our group company Air France. Air France (Société Air France, S.A.) is an airline with offices at Rue de Paris 45, F-95747 Roissy CDG Cedex, France. We are jointly responsible for the collection and use of your personal data for the bluebiz loyalty programme. We have an arrangement in place setting out our respective responsibilities for complying with applicable privacy legislation. In short, we have agreed that you can contact either KLM’s or Air France’s Privacy Office (see 8 “Your rights” below) if you wish to exercise your rights or have any complaints about the collection or use of your personal data. KLM and Air France will assist each other when necessary so as to ensure that you can exercise your rights. Next to that, we work together to ensure that your questions and complaints are properly addressed. With our subsidiary Transavia Airlines CV ('Transavia', also part of the Air France-KLM Group) we exchange personal data of passengers who have caused (serious) nuisance and who have been refused boarding (see also 2.1 (J), 4.1 (G) and 5.3 below). Transavia is an airline with its office at Piet Guilonardweg 15, 1117 EE Schiphol, The Netherlands. Together with Transavia, we are responsible for the processing of your personal data that takes place in the context of this exchange. A mutual arrangement sets out our respective responsibilities for compliance with applicable privacy laws including the exercise of your rights (see 8 “Your rights” below).

2.1. General We may collect and use the following categories of personal data: (A) Name, passport details and other identifying data When you make a reservation or book a flight with us, we collect your name, title, gender, date of birth, nationality, country of residence, and passport details. If you make a reservation or book a flight for other persons, we also collect their identifying data. Please make sure that they understand that we collect their personal data and how we use it. (B) Your contact details and your personal account or registration details We may collect your address, telephone number, and e-mail address. If you register for a service, event, contest or campaign or create a personal account, we may also record your log-in details and other information that you provide during registration or when filling in the account form. If you are a business traveller, we also collect information about your organisation, such as its name and address. (C) Information about your reservations, bookings, and purchases When you make a reservation or book a flight with us, we collect and use your reservation and booking details. Those details may include information about your flight, prices, and the date of your reservation or booking. In addition, we collect and use information about additional services (such as extra baggage, upgrades, and onboard WiFi) and products you purchase from us. (D) Information in relation to your trip When you travel with us, we collect and use information about your trip, such as your itinerary, online or airport check-in, mobile or hardcopy boarding pass, and information about your travel companions. We may also record your specific medical needs or dietary requests and any additional assistance you require. We usually receive a confirmation from the third party that facilitates biometric boarding (such as via facial recognition) that your identity has been verified. Unless indicated otherwise, we do not receive any identifiers about you (such as facial images) other than the personal data we already have at our disposal (such as passport details). For more information on the collection and use of your personal data as part of biometric boarding, please check the privacy policy of the organisation that facilitates biometric boarding. Prior to boarding or disembarking, we may also perform health checks or collect or use your health data, because we are statutorily required to do so, for reasons of public interest in the area of public health, or with your explicit consent. (E) Information in relation to our corporate loyalty programme When you become a member of our corporate loyalty programme bluebiz, we collect and use your membership number, blue credits balance, rewards and benefits, type and level of membership, and other information regarding your membership. We also register the transactions with which you earn or spend blue credits. We register, amongst others, the type of transaction (e.g. a flight), transaction date, blue credits earned or debited, and vendor (Air France, KLM or bluebiz partner). We may use your Flying Blue membership information to provide or promote our services to you (see 4.1 below). Please check the Flying Blue privacy policy for more information on the personal data we collect in relation to your Flying Blue membership. (F) Our communication with you When you send us an e-mail, chat with us via our website, or contact us though one of our social media channels, we register your messages. If you call us, our customer service will register your questions or complaints in our database. We may also record telephone calls for training purposes or to prevent or combat fraud. We register your communication preferences, for example when you subscribe to one of our newsletters or when you choose to receive information or alerts regarding your booking (such as your boarding pass and flight status updates) through channels other than e-mail (e.g. WhatsApp, Messenger, or WeChat). (G) Information we collect when you use our websites, mobile apps, or other digital services i. When you visit our websites, use our mobile apps or any other digital service, we may register your IP address, browser type, operating system, referring website, web-browsing behaviour and app use. We collect this information via cookies and similar technologies. For more information, please read our cookie policy. When you visit our websites via a link in an e-mail or when you log in to your KLM account or Flying Blue account, we may add the information we collect via cookies and similar technologies to other information we already have about you. ii. We receive an automatic notification when you open our e-mails or click on a link in such e-mails. We may combine this information with other data we already have about you. iii. With your consent, we may receive your location data. iv. You can give us your consent to access certain data stored on your mobile phone, such as photographs and contacts. (H) Information about social media Depending on your social network settings, we may receive information from your social network provider. For example, if you log in to our services using a social network account, we may collect your social network profile, including your contact details, interests, and contacts. We also receive visitor statistics from Facebook in connection with our Facebook fan page. Although KLM and Facebook are jointly responsible for those visitor statistics, Facebook Ireland Limited is your primary point of contact and handles requests to exercise your rights and any complaints you may have. Where necessary, we will assist Facebook in responding to your requests or complaints. For more information on the personal data that we receive from social network providers and how to change your settings, please check the websites and privacy policies of the social network providers. (I) Information you choose to share with us We collect and use information that you choose to share with us, for example when you share your interests and preferences on our website, leave a comment on our Facebook page, fill out a customer survey or submit an entry for a contest. (J) Unruly behaviour and misuse of our services KLM keeps a list of passengers who have exhibited unruly behaviour on board or on one of our aircrafts. Unruly behaviour includes, amongst others, interference with safety, disturbance of public order, inflicting injury to our ground staff, crew or passengers or causing damage to our property. For the purpose of this list, we process the names of the passengers, their gender, date of birth, e-mail address, flight details, the interview report (i.e., outcome of adversarial proceedings), a short factual description of the incident and the severity of the behaviour, the type and duration of the safety measures imposed and, if applicable, a copy of the official report. We may share a limited selection of these data (first and last name, date of birth and the duration of the security measure imposed) with our subsidiary Transavia (see also 1 above and 3. (G), 4.1. (G) and 5.3. below). We also keep a list of passengers who misuse our services (including our Flying Blue or bluebiz loyalty programmes). For this purpose, we process passengers' names, dates of birth and ticket numbers and a short factual description of the incident and severity of the misuse. For more information, see 4.1 (G) below. 2.2 Special categories of personal data Some categories of personal data, such as data revealing racial or ethnic origin, data revealing religious or philosophical beliefs, health-related data, and personal data relating to criminal law matters, are subject to stricter rules under applicable privacy laws. We collect and use these categories of personal data, for example, to provide you with assistance or facilities appropriate to your medical needs during your trip, to accommodate your requests, to ensure flight safety or to comply with statutory requirements. Biometric data is also subject to stricter rules. However, as explained under 2.1 (D), we normally do not collect or use your biometric data. 

This privacy policy does not apply to any services provided to you by KLM Health Services. Their services are separate from our services. For more information on how KLM Health Services processes your personal data, please read the privacy policy on KLM Health Services’ website. 2.3 Children younger than 16 years We collect data about children if you provide us with information about your child in relation to a flight you book or a service or product you purchase. In the case of children travelling alone, we will record not only the contact details of their parent(s) or legal representative(s) but also the contact details of the persons who will drop them off or pick them up at the airport. 2.4 Specific services, mobile apps, events, contests or campaigns For specific services, mobile apps, events, contests or campaigns, we may collect other types of data than those described in this privacy policy. We will inform you about this when you register for the service, event, contest, or campaign, or when you download the app.

We collect the categories of personal data referred to above in the following ways: (A) Personal data provided by you When you book a flight with us, create an online account, register for our corporate loyalty programme bluebiz, contact us via social media, fill out a customer survey, contact our customer service, subscribe to receive our e-mails or mobile push notifications, submit an entry for a contest, or register for one of our events or campaigns. (B) Personal data received from your travel agent, our airline partners, and other companies involved in facilitating your trips We receive your data from these parties to handle your reservations and bookings and to arrange your trips and purchases. For example, when you book a flight through a travel agent or an online platform, we receive your identifying data, contact details, and booking details from those third parties. (C) Personal data received from partners that participate in our corporate loyalty programme The bluebiz corporate loyalty programme is offered by KLM and Air France (please also see “Who we are” above). The programme allows you to save and spend blue credits with KLM and Air France and our airline loyalty partners. To that end, Air France and KLM exchange the booking data collected as part of our airline booking procedures (see 2.1 (C) above). We also share your personal data with our loyalty partners. If, for example, you purchase a service from one of our loyalty partners, they will share the Credits you have earned with us, so that we can update your balance. You can find a list of our airline loyalty partners on the bluebiz website. Our airline loyalty partners are independently responsible for the collection and use of your personal data. You can find more information on how they handle your personal data in their respective privacy policies. (D) When you use our website or mobile apps, we collect information using cookies and similar technologies KLM uses its own cookies and third-party cookies. For more information, please read our cookie policy. (E) If you use social networks, we may also receive information from your social network provider For more information, see 2.1 (H) above. (F) We receive certain information from public authorities or government agencies to maintain onboard safety and security KLM receives the names of persons who have been put on a blacklist by the State of the Netherlands or government agencies. For example, the names of passengers who have disembarked at Amsterdam Airport Schiphol and who have been found by the Royal Netherlands Marechaussee to be carrying illegal drugs. For more information, see 4.1 (G) below. (G) If you exhibit unruly behaviour, we collect certain information for flight safety If you exhibit unruly behaviour before or during a flight, KLM will draw up an incident report. In addition to the data already provided to us in the context of your booking or reservation (e.g. name and date of birth), this report may also contain information originating from persons involved in the incident and/or charged with handling it. See also 2.1. (J) above.

4.1. Main purposes for which we use your personal data (A) To provide our services to you We use the information described under 2.1 (A) to (G) to handle your reservations and bookings and to arrange your trips and purchases. For example, we use your name, passport number, and other identifying information to issue your ticket. We use your contact details to inform you about changes in your flight status.

If the persons in your booking are members of our Flying Blue loyalty programme, we will use the contact details they provided to inform them about their flight and any changes in their flight status. We need to know your specific medical needs to ensure that you receive appropriate care. We only use this data to ensure that you receive appropriate medical care. (B) To facilitate our bluebiz corporate loyalty programme (C) To provide you with our online services and mobile apps and a seamless digital experience i. For example, we use your name and flight details when you use our app to check in for your flight. ii. Some of our online services and apps use your location, for example, to show you the nearest location of interest. iii. To offer you the best possible digital experience, we analyse your use of digital media, so that we can tailor our communication towards the digital channel or device that you use most (see 2.1 (G)). iv. If you break off your booking session on our website, we will send you an e-mail with a link to your booking session, so you can continue where you left off. You will receive similar e-mails if you break off booking sessions on the websites of our partner Airtrade. We will only send you such e-mails at your request or if you have agreed to receive updates and special offers from us by e-mail (see 4.1 (E)). You can withdraw your consent for such e-mails at any time by clicking on the unsubscribe link in the e-mail, by changing your communication preferences in your account (if available), or by contacting us (see 8 “Your Rights” below). (D) For statistical research i. General: we research general trends in the use of our services, loyalty programmes, websites, mobile apps, and social media, as well as trends in the behaviour and preferences of our customers, loyalty members and users. We use our research results to develop better services and offers for our customers, improve our loyalty programme, provide better customer service, and improve the design and content of our websites and mobile apps. ii. Categories of data: to perform our research, we may use the categories of personal data described at 2.1 (A) to (I) and the personal data we collect when you are a Flying Blue member (see our Flying Blue privacy policy for more information). We only use 'aggregated data' or 'pseudonymised data' for our research. This is data that cannot be traced back directly to you because all directly identifiable elements (e.g. names and e-mail addresses) are removed or encoded and given a number. We take appropriate measures to ensure that only a limited group of employees has access to the data set. iii. Example: if our research into booking details and data about additional services purchased (extra baggage, upgrades) shows that passengers travelling long distances are more inclined to purchase extra legroom, we may use that information to offer extra legroom more prominently for long-distance flights. iv. Legal basis and right to object: we collect and use your personal data for our legitimate interests described above (see sub (i) “General”). You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data for statistical research (see 8 “Your rights” below). (E) Marketing purposes i. General: we may use your personal data for direct marketing purposes. In this paragraph, we explain how we use your data for these purposes. ii. Channels: we use various channels such as e-mail, mobile push notifications, our own websites and apps and websites and apps of third parties, social media and postal mail. For example: – Booking related e-mails: if you book a flight, you will receive multiple e-mails regarding your booking (e.g. your booking confirmation, information about checking in and boarding). Those e-mails contain advertisements and offers tailored to you and your flight. – E-mails from KLM with updates and offers: you can choose to receive e-mails containing updates and offers tailored to your interests, such as our newsletter. These e-mails contain offers for our own services and services offered by our partner, such as package deals and offered by our partner Airtrade. With your consent, we will also send you e-mails on specific occasions, such as a special offer on your birthday or personalised offers for your next trip within a few months after your return. – Direct messages through other communication channels: with your consent, we use other communication channels to send you direct messages with personalised advertisements and special offers, such as postal mail, mobile push notifications or social channels (e.g. Messenger, WhatsApp, or WeChat). - Display relevant information and personalised advertisements on our own websites and apps and on third-party websites and apps: see our cookie policy. We may also use your personal data to exclude you from advertisements which are no longer relevant for you. - Custom audience targeting through social media platforms: you may choose to receive personalised advertisements and offers on the social media platforms you use. To display relevant information and personalised advertisements via various channels we may share certain identifiers (such as your e-mail address, phone number, IP address or your passenger name record (PNR)) in a pseudonymised (hashed) format with third parties. For example, we use the Facebook Custom Audience programme of Meta. Among other things, this programme enables us to display personalised advertisements and offers in your newsfeed on Meta platforms, including Facebook Messenger and Instagram. We can also use this programme to exclude you from advertising campaigns on Meta platforms, if, for example, you have already received similar advertisements or offers by e-mail. To enable Meta to determine whether you have a account on one of Meta’s platforms, we share a pseudonymised (hashed) identifier with Meta. We do not share any other data with Meta. Meta, in turn, only provides us with aggregated data about the effectiveness of an advertising campaign. This is data that cannot be traced directly back to you. This way, we try to make every effort to keep your personal data secure and confidential. To determine our audience for a specific ad campaign, we may use your booking details or the data we collect when you use our websites, mobile apps, or other digital media. In addition, Meta may use the personal data it collects about you to compile a similar audience. This allows us to reach a new audience through Meta. Learn more about how Meta uses your data for its custom audience programme and how you can control how information about you is used by Meta to personalise the ads you see. You can also check Meta`s privacy policy. We may participate in similar programmes offered by other third parties to display relevant information and personalised advertisements via other channels. These may for example include programmes offered by other social media platforms (such as Twitter, LinkedIn and Pinterest), but also search engine platforms (such as Google and Microsoft Bing) and third-party websites (such as Partnerize, Skyscanner and TripAdvisor). Please check the privacy policies of these third parties for more information. If you no longer want us to include you in the programmes we use to display relevant information and personalised advertisements via various channels, please send an e-mail to KLMPrivacyOffice@klm.com to withdraw your consent. When sending this e-mail, please use the e-mail address for which you would like to withdraw your consent.

iii. Personalised offers: we aim to make advertisements and offers as relevant as possible for you. To that end, we may analyse the categories of personal data described in 2.1 (A) to (I), 4.1 (C) (statistical research data) and the personal data we collect when you are a Flying Blue member (see our Flying Blue privacy policy for more information). We use the results of this analysis to personalise advertisements and offers. For example, with your consent, we may send you an e-mail after you return from a trip with offers based on your booking history, to offer you inspiration for your next trip. We may also use your booking history (e.g. travel for pleasure or business, cabin class, destination, Flying Blue member) to provide you with a discount for an upgrade or extra baggage. iv. Legal basis and right to object: unless indicated otherwise, we collect and use your personal data as described in this section 4.1 (E) for our legitimate interests and the interests of third parties. You have the right to object to the use of your personal data for direct marketing purposes, including related profiling activities, at any time (see 8 “Your rights” below). v. Unsubscribe: you can always unsubscribe from receiving personalised advertisements and offers. Please find below an explanation of how you can unsubscribe. – E-mails: you may unsubscribe from our advertisements and offers in our booking and loyalty programme e-mails and from e-mails to which you have subscribed at any time by clicking on the unsubscribe link in the e-mail. In many cases, you can also unsubscribe by changing your communication preferences in your account. If you unsubscribe, you will only receive e-mails necessary to be able to use our services (e.g. your booking confirmation and e-ticket) or to participate in our loyalty programme (e.g. welcome message sent to members). – Postal mail: you may unsubscribe from receiving personalised advertisements and special offers by postal mail by contacting us (see 8 “Your rights” below). – Other communication channels: if you have opted to receive personalised advertisements and offers through mobile push notifications, you can unsubscribe by changing your smartphone settings (for mobile push notifications). Visit the website of the social media platform for more information on how to unsubscribe from receiving personalised advertisements and offers through social channels (e.g. Messenger, WhatsApp, and WeChat). – Contact our Privacy Offices: you may always contact us to unsubscribe from receiving messages containing advertisements and offers (see 8 “Your rights” below). (F) To communicate with you We use your contact details to communicate with you about our services or loyalty programme, to answer your questions, or to address your complaints. 

(G) Passengers who exhibit unruly behaviour or misuse our services i. i. KLM maintains lists of passengers who have exhibited unruly behaviour or misused our services (see 2.1 (J) above). Depending on the severity of the behaviour, KLM may (i) for a period of three years attach additional conditions to their admission on board or (ii) for a period of (in principle) five years refuse them on board. In case of aggravating circumstances (such as repeated misconduct), KLM may decide to refuse a passenger for a period exceeding five years. In very severe cases, KLM may even decide to refuse a passenger permanently. Special information regarding children: Children under the age of 15 who exhibit unruly behaviour are not registered on the list. As for children aged 15 to 16, KLM may attach conditions to their admission for a maximum period of one year. Passengers will be personally informed (if possible, by e-mail) of the fact that they have been placed on the list, the reason for placement, what security measures have been imposed on them, how long these measures will be effective and where they can file a complaint or object to the placement. More information about access to or correction of this data can be found below under 8 'Your rights'. ii. Illegal drugs: KLM receives from the State of the Netherlands the names of passengers who have disembarked at Amsterdam Airport Schiphol and who have been found by the Royal Netherlands Marechaussee to be carrying illegal drugs. KLM may refuse to enter into any transport contract with these persons for a period of 3 years for direct flights from Amsterdam Airport Schiphol to Suriname, Aruba, Bonaire, St. Maarten, or Curaçao and direct flights from these countries to Schiphol. You may request permission to access or rectify this data by submitting a written request to that effect to the Royal Netherlands Marechaussee, PO Box 90615, 2509 LP The Hague, The Netherlands. If you reside in Aruba, the Netherlands Antilles, Suriname or Venezuela, you must enclose a copy of your passport with your written request. 

(H) To conduct our business operations or to comply with statutory obligations We collect, use, and retain your personal data to conduct our business operations, such as for record-keeping purposes, to prevent or combat fraud, or to settle disputes. In the case of fraud or misuse of our services, we may enter your personal data in our internal fraud control and warning systems. As a result, your bookings may be subject to close scrutiny and in particular cases be refused or cancelled, or you may no longer be welcome on board our aircraft or only on certain conditions (see 4.1 (G) above). We also collect and use your personal data to comply with our legal and tax obligations. 4.2 Specific services, apps, events, contests, or campaigns For specific services, apps, events, contests, or campaigns, we may use your personal data for purposes other than those described in this privacy policy. We will inform you about those purposes when you register for the service, event, contest, or campaign, or when you download the relevant app. 4.3 Legal basis We may collect and use your personal data only if we have a legal basis for doing so. In many cases, we need your personal data to receive your booking, arrange your flight or purchases, facilitate your loyalty membership, or to answer your questions (see 4.1 (A) to (B) and (F) above). In those cases, the legal basis for processing your data is 'necessary for the performance of a contract'. If you have consented to the collection and use of your personal data (which consent you may withdraw at any time, see 8 “Your rights” below), we will collect and use your data based on that consent. In certain cases, we may use your personal data if we or third parties have a legitimate interest in doing so. We will always consider all interests carefully: your interests, the interests of others, and KLM's interests. On that legal basis, we will collect and use your data for, for instance, flight safety, statistical research, or direct marketing purposes, or to offer personalised discounts and offers (see 4.1 (C), (D),(E) and (G) above for more information). We may have a legal obligation to collect and use your data, for example, to satisfy immigration formalities (see 4.1 (H). If you refuse to provide the personal data that we need to perform the contract we have concluded with you or to comply with a legal obligation, we may not be able to provide all the services you have requested from us. Consequently, we may have to cancel your flight, or we may not be able to provide you with the additional services you have requested. If you provide incomplete or inaccurate information, we may be forced to deny you boarding or entry into a foreign territory.

5.1. General We may share your personal data with third parties in the following cases: (A) To facilitate your bookings and trips To handle your reservations and bookings and to arrange your trips and purchases, we often need to share your personal data with our partner airlines, airport operators, and other companies involved in facilitating your trip (see 3.1 (B) above, “How we collect your data”). (B) For our bluebiz corporate loyalty programme For more information, see “Who we are” and 3.1 (C) under “How we collect your data”. (C) Corporate accounts If you book a flight using your employer's corporate account, your employer will have access to certain booking details, such as the ticket price, travel dates, and your destination. Your employer is independently responsible for how it collects and uses your personal data and informs you about it. (D) For support or additional services To provide our services, we use the support or additional services of third parties, such as IT suppliers, social media providers, marketing agencies, and screening service providers. All such third parties are required to adequately safeguard your personal data and only use such data in accordance with our instructions. The Air France-KLM group carries out its business operations using centralised databases and systems. Those central databases and systems may be hosted or managed by one group company for other group companies. In addition, for efficiency purposes, certain operational functions may be performed by one group company for other group companies. This means that our group companies may have access to your personal data for these purposes. Our group companies may only use your personal data as required for the relevant business function and in accordance with this privacy policy. (E) Payment services To process payments for your trips and purchases, we may work with third parties that offer payment services. In many cases, those payment service providers also conduct fraud checks. They operate their own privacy policies in terms of the way in which they use your personal data. (F) Personalised marketing through social media platforms For more information, see 4.1 (E) under “Purposes for which we use your data”. (G) To enable our partners to tailor their services to your trip We may share your non-personalised information (destination, travel date, and duration of the trip) with partners that offer additional services (e.g. hotel accommodations, car rental services) so that they can provide you with offers tailored to your trip. Our partners operate their own privacy policies in terms of the way in which they use your personal data. 5.2. Specific services, apps, events, contests, or campaigns For specific services, apps, events, contests, or campaigns, we may share your data with third parties other than those described in this privacy policy, for example, when we organise a campaign or an event in collaboration with a partner or when we integrate their services into our apps. We will inform you about this when you register for the service, event, contest, or campaign, or when you download the app. 5.3. Data exchange with Transavia

Airlines have an obligation to guarantee flight safety. For this purpose, KLM takes certain (necessary) security measures. For example, KLM keeps a list of passengers who have exhibited unruly behaviour on the ground or on board (see 2.1. (J) and 4.2 (G) above). Based on this list, KLM can (i) for a period of three years attach additional conditions to their admission on board or (ii) for a certain period refuse them on board. Transavia, KLM’s subsidiary, maintains a similar list. To increase the scope of the internal security measures taken, KLM and Transavia exchange the personal data of passengers of whom has been decided that they must be refused boarding (see 4.1. (G) above). A person who is refused by KLM will now also be refused on board Transavia flights (and vice versa). If you have exhibited unruly behaviour and this has led to registration on the list, you will be personally informed about this by the airline where the unruly behaviour took place.

5.4 Government agencies (A) General We may be legally required to collect your personal data before you travel to another country and share it with the government agencies in the countries on your itinerary. For example, we may be legally required to collect and share your identifying data and your booking and travel information with those agencies for purposes of border control, immigration formalities, entering a country, or combatting terrorism or other serious crimes (see 5.4 (B) below). We may also be statutorily required to share your health data with the government agencies in the countries on your itinerary for public health purposes (see 2.1 (D) above). (B) PNR and API data i. General: under EU Regulations 2016/679 and 2004/82 and applicable local laws and regulations, we must pass on PNR and API details to government bodies, including the Passenger Information Units (PIUs) of various countries. API (Advance Passenger Information) concerns information about your flight and passport details. PNR (Passenger Name Record) concerns all information about your bookings, such as flight information, passengers in the booking and payment information. We pass on these PNR details to the Dutch PIU (Pi-NL) for all flights. When required to do so, we also pass on API and PNR details to the authorities in countries other than the Netherlands. ii. Country specifics:  - France: under Article L 237 -7 of the French Homeland Security Code, KLM may need to transmit your reservation, checking and boarding data (API/PNR) to the French national public services and competent authorities for the purposes of and subject to conditions as defined in Decree No 2014-1095 dated 26 September 2014, as amended by Decree No 2018/714 dated 3 August 2018. 5.5. Third-party websites Our websites and mobile apps contain links to third-party websites. If you follow those links, you will leave our websites or mobile apps. This privacy policy does not apply to the websites of third parties. For more information on how they handle your personal data, please check their privacy and/or cookie policies (if available).

6.1. Security (A) Our commitment Ensuring the security and confidentiality of your personal data is our priority. Taking into account the nature of your personal data and the risks of processing, we have put in place all appropriate technical and organisational measures as required by applicable legal provisions (in particular article 32 of the General Data Protection Regulation (GDPR)) so as to ensure an appropriate level of security and, in particular, to prevent any accidental or unlawful destruction, loss, alteration, disclosure, intrusion of or unauthorised access to these data. (B) The security measures we have taken i. Banking transactions: we are required to comply with the Data Security Standard for the Payment Card Industry (the PCI DSS standard) issued by the PCI Security Standards Council (PCI SSC). This standard was created to increase control over cardholder information so as to reduce the fraudulent use of payment instruments. All KLM service providers required to process bank card data must comply with the PCI DSS standard. We strive to combat identity theft on the Internet. For this reason, we use, for example, a device for detecting fraudulent payments designed to protect you in the event of loss or theft of your bank card. ii. Organisational measures: we have implemented and maintain various organisational measures intended to strengthen the awareness and accountability of our employees. We have programmes in place designed both to ensure awareness and to promote the sharing of good practices and safety standards. In this context, a rich collection of documents on information security challenges and privacy protection have been made available to our employees. iii. Technical measures: we strictly control physical and logical access to internal servers hosting or processing your personal data. We protect our network with state-of-the-art hardware devices (Firewall, IDS, DLP etc.) as well as architectures (including secure protocols such as TLS 1.2) in order to prevent and limit the risk of cybercrime. (C) The evolution of our security systems To maintain an appropriate level of security, we have internal processes in place based on the best standards (in particular, the ISO 27000 family of standards). We rely on dedicated experts to guarantee the best possible level of protection. In this regard, we maintain a privileged relationship with the NCSC (National Cyber Security Centre). 

(D) How to protect yourself Personal data security and confidentiality depend on everyone's best practices. When you make a reservation, you will be sent file references . These booking references must remain confidential at all times. Disclosing them to other passengers may allow them access to your booking information through our systems or those of third parties involved in delivering your trip (e.g. travel agencies or online search and booking sites). If you are travelling with others and do not want your personal information disclosed to them, we recommend making separate reservations. We also advise you not to disclose the passwords you use to access our services to third parties, to log out of your profile and social account systematically (especially in the case of linked accounts), and to close the browser window at the end of your session, especially if you are accessing the Internet from a public computer. This will prevent other users from accessing your personal data. To avoid the risk of hacking, we recommend using different passwords for every online service you use. We cannot be held responsible for theft of your data on a platform that is not managed by us. In addition, we strongly recommend that you do not distribute to third parties documents issued by KLM containing your personal data (your boarding pass, ticket number, etc.) or other information related to your trip or to publish these on social networks. If you decide to publish these documents on social media, you are responsible for consulting and understanding the general conditions of use, information security practices and privacy policies applicable to those third-party social networks. We cannot be held responsible for how data is processed, stored or disclosed on these platforms. To find out more about our IT security measures, please consult our IT security portal. (E) Management of security incidents There is no such thing as ‘zero risk’ and even if we implement all the security measures recognised as appropriate, unforeseen things can happen. We have specific procedures and resources in place to manage security incidents under the best possible conditions. We have also set up a specific procedure for assessing possible breaches of security that could lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to your personal data, for notifying the competent supervisory authority within the period stipulated by applicable law, and for warning you when a breach is likely to result in a high risk to your rights and freedoms. Tests are carried out periodically to verify the functioning of the security installations and adequacy of the procedures and devices deployed. 6.2. Retention 

We do not keep your personal data for any longer than is necessary. How long your personal data is retained depends on the purposes for which the data is processed and the applicable statutory retention periods.

7.1. KLM may transfer your personal data to countries other than your country of residence. This is done to handle your booking or arrange your trip, or because our group companies, partners, or service providers provide their services from other countries. You can find the destinations we fly to on our website under “Flight Status”. The laws of the countries to which we transfer your personal data may not always offer the same level of personal data protection. 7.2. If you fly to a destination in a country other than your country of residence, transferring your personal data to that country is often necessary to provide our services to you. If this seems necessary, KLM will ensure that adequate safeguards are in place to comply with the requirements for the international transfer of personal data under applicable privacy laws. For transfers of personal data to countries outside the European Economic Area, KLM may use European Commission-approved Standard Contractual Clauses as safeguards. 7.3. We may be obliged to transfer your personal data to government agencies in the countries of your itinerary (see 5.4 above).

8.1. You may contact our Privacy Office (see 8.4 below) to exercise any of the rights you are granted under applicable data protection laws, including (A) the right to access your data, (B) to rectify your data, (C) to erase your data, (D) to restrict the processing of your data, (E) the right to data portability, and (F) the right to object to processing. (A) Right to access You may ask us whether we collect or use any of your personal data and, if so, to receive access to that data in the form of a copy. (B) Right to rectification You have the right to have your data rectified if it is inaccurate or incomplete. Upon request, we will correct inaccurate personal data about you and, taking into account the purposes of the processing, complete incomplete personal data, which may include the provision of a supplementary statement. (C) Right to erasure You have the right to have your personal data erased. This means that we will delete your data. Erasure of your personal data only takes place in certain cases, as prescribed by law and listed in Article 17 of the General Data Protection Regulation (GDPR). This includes situations where your personal data is no longer necessary for the purposes for which it was originally processed and situations where your data was processed unlawfully. Due to the way in which we maintain certain services, it may take some time before backup copies are erased. (D) Right to restriction of processing You have the right to obtain a restriction on the processing of your personal data. This means that we will suspend the processing of your data for a certain period. Circumstances which may give rise to this right include situations where the accuracy of your personal data is contested, and we need some time to verify its (in)accuracy. This right does not prevent us from continuing to store your personal data. We will inform you before the restriction is lifted. (E) Right to data portability Your right to data portability entails that you may ask us to provide you with your personal data in a structured, commonly used and machine-readable format, and have such data transmitted directly to another controller, where technically feasible. Upon request and where this is technically feasible, we will transmit your personal data directly to the other controller. (F) Right to object You have the right to object to the processing of your personal data. This means you may ask us to no longer process your personal data. This only applies if the 'legitimate interests' ground (including profiling) constitutes the legal basis for processing (see 4.3 “Legal basis” above). You can object to direct marketing at any time and at no cost to you if your personal data is processed for this purposes, which includes profiling to the extent that it is related to direct marketing. If you exercise this right, we will no longer process your personal data for such purposes. 8.2. Withdrawal of consent You may withdraw your consent at any time by following the specific instructions concerning the processing for which you provided your consent. For example, you can withdraw consent by clicking the unsubscribe link in the e-mail, adjusting your communication preferences in your account (if available), or changing your smartphone settings (for mobile push notifications and location data). You may also contact KLM’s Privacy Office. In relation to bluebiz e-mails, you may also contact Air France’s Privacy Office. For more information on how you can withdraw your consent for cookies and similar technologies we use when you visit our websites or use our mobile apps, please check our cookie policy. 8.3. Denial or restriction of rights There may be situations where we are entitled to deny or restrict your rights as described in 8.2 above. In all cases, we will carefully assess whether such an exemption applies, and inform you accordingly. We may, for example, deny your request for access when necessary to protect the rights and freedoms of other individuals, or refuse to delete your personal data in case the processing of such data is necessary for compliance with legal obligations. The right to data portability, for example, does not apply if the personal data was not provided by you or if we process the data on grounds other than your consent or for the performance of a contract. 8.4. Privacy Office If you wish to exercise your rights, please send your request to KLM’s Privacy Office: KLM Royal Dutch Airlines Privacy Office - AMSPI PO Box 7700 NL-1117 ZL Luchthaven Schiphol The Netherlands E-mail: KLMPrivacyOffice@klm.com If you wish to exercise your rights concerning the processing of your personal data in relation to bluebiz, you may also contact Air France’s Privacy Office: Air France Délégué à la Protection des Données / Data Protection Officer - ST.AJ IL 45, rue de Paris 95747 Roissy CDG Cedex France E-mail: mail.data.protection@airfrance.fr

If you want to exercise your rights with regard to the processing of your personal data as a result of unruly behaviour exhibited by you before or during a Transavia flight, you can contact the Transavia Privacy Office: Transavia Privacy Office PO Box 7777 1118 ZM Schiphol Airport The Netherlands E-mail: privacyoffice@transavia.com 8.5. Questions, comments or complaints If you have any questions, comments or complaints about this privacy policy, please feel free to contact us. If your concerns have not been addressed to your satisfaction, you have the right to file a complaint with the competent supervisory authority. In the Netherlands, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) in The Hague is responsible for monitoring compliance with privacy regulations.

9.1. This privacy policy took effect on 15 September 2022 and replaced our previous privacy policy of 20 August 2020. This privacy policy is amended from time to time. We will notify you of any changes before they take effect.