SkyTeam Alliance Joint Privacy Notice
SkyTeam Airline Alliance Management Coöperatie U.A., a company registered in Amsterdam, the Netherlands (Chamber of Commerce registration number 34345101), whose address for visitors is at Amsterdamseweg 55, Wing 3.3 (1182 GDP) Amstelveen, the Netherlands (“SkyTeam”), is a global airline alliance that coordinates and provides commercial activities on behalf of and – to some extent – together with the SkyTeam Member airlines (“Members”).
1. Parties and privacy roles
This Privacy Notice aims to inform you about the processing activities performed by
SkyTeam and Members in their capacity of joint controllers; or
the Members in their capacity of joint controllers,
under applicable personal data protection laws, including the EU General Data Protection Regulation (EU 2016/679) (“GDPR”), as well as the EU member states’ national implementation acts of the GDPR.
SkyTeam and the Members (in their capacity of joint controllers) or the Members without SkyTeam (in their capacity of joint controllers) are hereinafter jointly referred to as “Controllers”, “we” or “us”.
2. The purposes for which we process your personal data, legal grounds and categories of personal data
This Privacy Notice informs you of the purposes for which we process your personal data as joint controllers, as well as the legal grounds applicable and the categories of personal data involved. Please find an overview with such information below.
SkyLink Digital Spine / Technology Hub: Integration
Processing purpose
Development / roll out of the overall ECR system. Most frequent flyers of individual Members are recognized by equating a Member’s elite membership to one of the two elite tiers (Elite or Elite plus) within the SkyTeam Alliance. Thus the appropriate benefits can be delivered to the customers who have earned them.
Joint controllers
MembersLegal ground
Processing of your personal data is necessary for the performance of a contract with youCategories of personal data
Identification data (including e.g. first and last name) FFP number Tier level.
Processing purpose
Development / roll out of the overall FFP auto accrual & retro accrual system and daily operation. By purchasing a fare that qualifies for earning miles with one of the Members, your miles will automatically be credited to your FFP account. If you have already flown and have not received mileage credit, you can make a retroactive claim directly with your FFP.Joint controllers
MembersLegal ground
Processing of your personal data is necessary for the performance of a contract with youCategories of personal data
Auto accrual
Identification data (including e.g. first and last name) Flight details (including, e.g. flight number, ticket number, operating and marketing carrier code). Frequent Flyer details (including, e.g. frequent flyer number)Retroactive accrual
Identification data (including e.g. first and last name) Flight details (including, e.g. flight number, ticket number, operating and marketing carrier code, seat number). Frequent Flyer details (including, e.g. frequent flyer number). PNR data.
Processing purpose
Development / roll out of the overall LAMS system
Providing access to ECR in order to check the Elite or Elite plus status of a customer and give access to a lounge
Joint controllers
MembersLegal ground
Processing of your personal data is necessary for the performance of a contract with you
Processing of your personal data is necessary for the legitimate interests of the controllers involved enabling Members to offer and cross sell products including lounge access
Categories of personal data
Identification data (including e.g. first and last name) Flight details (including, e.g. flight number, operating and marketing carrier, departure data). Frequent Flyer details (including, e.g. frequent flyer number).
Processing purpose
Development / roll out of the overall Seamless seats service
Joint controllers
MembersLegal ground
Processing of your personal data is necessary for the performance of a contract with you
Processing of your personal data is necessary for the legitimate interests of the controllers involved enabling Members to offer and cross sell ancillary products via each others’ websites.
Categories of personal data
Identification data (including e.g. first and last name) Flight details (including, e.g. flight number, ticket number, seat number, sequence number). Frequent Flyer details (including, e.g. frequent flyer number). PNR data (including e.g. reservation and check-in data)
Processing purpose
Development / roll out of the overall Seamless check-in serviceJoint controllers
MembersLegal ground
Processing of your personal data is necessary for the performance of a contract with you
Categories of personal data
Identification data (including e.g. first and last name) Flight details (including e.g. flight number, ticket number, seat number, sequence number) Frequent Flyer details (including e.g. frequent flyer number) PNR data (including e.g. reservation and check-in data)
SkyTeam Digital (website and app): Communication
Joint controllers
SkyTeam and MembersLegal ground
Processing of your personal data is necessary for the performance of a contract with youCategories of personal data
Names, gender, date of birth, password, credit card number, security code, expiration date, address, email address, nationality, country of residence, any personal data required to issue a ticket
Joint controllers
SkyTeam and MembersLegal ground
Processing of your personal data is necessary for the performance of a contract with youCategories of personal data
Name, address, telephone number, email address of event organizer, event name, dates, location, event attendees names and association/company.
For more information on the personal data processed by SkyTeam in its capacity of an individual controller, please visit our Privacy Policy. For more information on the personal data processed by the Members in their capacity of individual or joint controllers outside the scope of the SkyTeam Alliance, please consult each Member’s respective privacy notice.
3. Does this Privacy Notice apply to you?
This Privacy Notice applies to you if you are a passenger, customer, event organizer, participant, lounge visitor, member or other natural person who makes use of one or more services indicated in paragraph 2 above.
4. Disclosure of your personal data to third parties
In some cases, we share your personal data with third parties, for instance because it is necessary for the purposes listed in paragraph 2. Your personal data may be shared with the following parties and/or for the following reasons:
Processors: we may share your personal data with other third parties acting on our behalf, such as our IT- and hosting providers. In such cases, these other third parties may only use your personal data for the purposes described in this Privacy Notice and only in accordance with our instructions.
Service providers: we may disclose your personal data where necessary with our (legal) consultants, accountants and other service providers who need access to such personal data to carry out work on our behalf in so far such is necessary for the purposes indicated in paragraph 2 and/or otherwise (legally) required.
Company acquisition or business or asset sale: in the event that a third party acquires all or part of our business and/or assets, we may disclose your personal data to that third party in connection with the acquisition. Furthermore, we reserve the right to disclose your personal data to third parties as part of any business or asset sale carried out because we have gone into insolvency or any similar situation, but only where lawful and compliant with the applicable data protection legislation, as amended from time to time.
Comply with applicable law: we may disclose your personal data where necessary to comply with applicable law or an order of a governmental or law enforcement body. We may also disclose your personal data in response to a request for personal data by a competent authority if we believe disclosure is in accordance with, or is otherwise required by, any applicable law, regulation, or legal process.
5. International transfers
We may transfer personal data that we collect from you to third party processors or one or more Members (in their capacity of joint controllers) located in countries that are outside of the European Economic Area (“EEA”) in connection with the purposes indicated in paragraph 2. For example, some Members are domiciled in the Americas, Asia or Africa, which leads to the disclosing of your personal data outside the EEA.
We have the following appropriate safeguards in place to offer an adequate level of protection of your rights and freedoms as a data subject:
Adequacy decisions: international transfers of personal data take place on the basis of decisions that the relevant third country ensures an adequate level of protection. Such a transfer does not require any specific authorization. For example, the European Commission has issued adequacy decisions for, inter alia, the United Kingdom, Canada and New Zealand. A complete list of currently applicable adequacy decisions from the European Commission, can be found here.
Standard Contractual Clauses: international transfers of personal data take place on the basis of concluded Standard Contractual Clauses. For example, the European Commission’s Standard Contractual Clauses can be consulted here.
For more information on our transfers of your personal data, please contact us by using the contact details in paragraph 10.
6. Retention periods
We will retain your personal data for no longer than is necessary for the purpose(s) indicated in paragraph 2, and/or in accordance with legal obligations. As the Controllers are multiple entities residing in different jurisdictions where deviating rules on retention periods may apply, the specific retention periods will vary per entity. If you would like to receive more information on the retention periods that we apply, please contact us by using the contact details in paragraph 10. We will in any case comply with legal data retention obligations. Note that a longer retention period of your personal data may occur if this is necessary for example, if a dispute or (legal) proceedings are expected.
After the retention period, we will delete your personal data, unless we retain (part of) of your personal data for another purpose. We will only do so if we have a legal basis to retain your personal data. We will then ensure that personal data are only accessible for that other purpose.
7. Measures taken to protect your personal data
We have taken appropriate technical and organizational measures to protect your personal data against accidental or unlawful processing, including by ensuring that:
your personal data is protected against unauthorized access;
the confidentiality of your personal data is assured;
the integrity and availability of your personal data will be maintained;
personnel are trained in information security requirements;
actual or suspected data breaches are reported in accordance with applicable law.
8. Your rights
You may have certain rights in relation to your personal data, which are explained below. In each case, please use the contact details in paragraph 10 if you would like to exercise any of your rights.
Note that your rights are not absolute in all cases, and we may not be required to comply with your request. If such is the case, we will make sure you will be informed of this.
Right of access
You are entitled to a copy of the personal information we hold about you and to learn details about how we use it. Your personal data will usually be provided to you digitally.
Right to rectification
We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.
Right to erasure
In certain circumstances, you have the right to ask us to erase your personal information, for example where the personal information we collected is no longer necessary for the original purpose or where you withdraw your consent. However, this will need to be balanced against other factors. For example, we may not be able comply with your request due to certain legal or regulatory obligations.
Right to restriction of processing
In certain circumstances, you are entitled to ask us to (temporarily) stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to use your personal information.
Right to data portability
In certain circumstances, you have the right to ask that we transfer personal information that you have provided to us to a third party of your choice.
Right to object
You have the right to object to processing which is based on our legitimate interests. Unless we have a compelling legitimate ground for the processing, we will no longer process the personal data on that basis when you file an objection. Note however, that we may not be able to provide certain services or benefits if we are unable to process the necessary personal data for that purpose.
Rights relating to automated decision-making
You have the right not to be subjected to solely automated decision-making, including profiling, which produces legal effect for you or has a similar significant effect. If you have been subject to a solely automated decision and do not agree with the outcome, you can contact us using the details below and ask us to review the decision. Currently, we do not make use of solely automated decision-making.
Right to withdraw consent
We may ask for your consent to process your personal data in specific cases. When we do this, you have the right to withdraw your consent at any time. Currently, we do not process your personal data on the basis of consent.
9. Updates to this Privacy Notice
This Privacy Notice was last updated in April 2023 and replaces our previous Privacy Notice.
Please check regularly to stay informed of updates to this Privacy Notice. If we make any changes to this Privacy Notice in the future, we will publish the revised Privacy Notice on our website. If changes are made that may significantly affect you as a data subject, we will do our best to directly inform you about those changes. All changes will take effect as soon as the Privacy Notice has been posted on our websites.
10. Questions and complaints
In case you have any questions or complaints regarding the processing or your personal data by us in the context of joint controllers, please contact our Members.
If you are of the opinion that the processing of your personal data is not in compliance with applicable law, you have the right to lodge a complaint with the competent data protection authority.
List of contact details and DPOs per Member Airline
Entity corporate address
Aerolíneas Argentinas S.A is an argentinian Airline. The address for notification purposes is: Rafael Obligado S/N Edificio Corporativo T4 Piso 5 (C1425DAA) Buenos Aires, Argentina
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): DPO@aerolineas.com.ar
Entity corporate address
Aerovias de Mexico S.A. de C.V. is an entity established in Mexico and has its address, for notification purposes, at Barajas Airport Terminal 1, Office 42142 2nd Floor C.P. 280424, Madrid, Madrid.
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): amdatospersonales@aeromexico.com
Entity corporate address
AIR EUROPA Líneas Aéreas, S.A.U. is a Spanish Airline and has its address, for notification purposes, at Centro Empresarial Globalia - Polígono Son Noguera - Ctra. Arenal a Llucmajor, Km 21.5 - 07620 Llucmajor - Balearics Islands
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): delegadopd@aireuropa.com
Entity corporate address
Air France S.A., having its registered office at 45, Rue de Paris, 95747 Roissy Charles de Gaulle cedex, Tremblay-en-France, France
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): mail.data.protection@airfrance.fr
Entity corporate address
CHINA AIRLINES LIMITED, a company incorporated and existing under the laws of Taiwan, registered with the Commercial/Company Register at Taiwan under number 11145904 and having its registered office in Taiwan and its principal place of business at No. 1, Hangzhan S. Rd., Dayuan Dist., Taoyuan City 33758, Taiwan
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): DPO@china-airlines.com
Entity corporate address
China Eastern Airlines Corporation Limited, a company registered in Shanghai, China (Chamber of Commerce registration number 913100007416029816), whose address for visitors is at No.66 Airport Avenue,Pudong New Area International Airport, Shanghai, contact ir@ceair.com
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): ceaprivacyoffice@ceair.com
Entity corporate address
Delta Air Lines, Inc. 1030 Delta Blvd; Atlanta, GA; 30354; USA
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): privacy@delta.com
Entity corporate address
PT Garuda Indonesia (Persero) Tbk, a company registered in Indonesia, with its registered office at Jalan Kebon Sirih No. 46A, Jakarta Pusat, Indonesia,
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): dataprotectionofficer@garuda-indonesia.com
Entity corporate address
Kenya Airways PLC., is a public limited company registered in Kenya (registration number C28/2008), whose address for visitors is at Airport North Road, Embakasi, Nairobi, Kenya contact customer.relations@kenya-airways.com
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): dpo@kenya-airways.com
Entity corporate address
Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch Airlines), having its registered office and principal place of business at Amsterdamseweg 55, 1182 GP Amstelveen, the Netherlands, (Chamber of Commerce registration 33014286.
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): KLMPrivacyOffice@klm.com
Entity corporate address
Korean Airlines CO., LTD. is an entity established in Republic of Korea and has its address, for notification purposes, at 260, Haneul-gil, Gangseo-gu, Seoul, Republic of Korea (Registration No. 110-81-14794), or 33 Rue La Fayette, 75009 Paris (for EU territory)
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): privacy@koreanair.com
Entity corporate address
Middle East Airlines AirLiban S.A.L, registered in the Register of Commerce in Beirut under No. 1838, airport road near Beirut Rafic Hariri International Airport, P.O. Box 206, Beirut, Lebanon, contact callcenter@mea.com.lb, Tel: +961 1 629999.
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): datacare@mea.com.lb
Entity corporate address
SAS AB, registration number 556606-8499, SE-195 87 Stockholm, Sweden
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): dataprotectionofficer@sas.se
Entity corporate address
SAUDI ARABIAN AIRLINES
P.O.BOX 620
JEDDAH 21231
Kingdom of Saudi Arabia
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): swaallhyani@saudia.com
Entity corporate address
S.C. Compania Naţională de Transporturi Aeriene Române –TAROM S.A. Address: 224F Calea Bucureştilor Road, Town of Otopeni, Ilfov County, Romania; Registered with Ilfov Registrar of Companies under the Unique Registration No. J23/1298/2003; T.I.N. RO477647
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): data.protection@tarom.ro
Entity corporate address
Vietnam Airlines JSC
200 Nguyen Son Street,
Bo De Ward, Long Bien district,
Hanoi City,
Vietnam
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): cuongdoviet@vietnamairlines.com and linhtran@vietnamairlines.com
Entity corporate address
VIRGIN ATLANTIC AIRWAYS LIMITED, a company incorporated under the laws of England and Wales with registered number 1600117, and having its registered office at The VHQ, Fleming Way, Crawley, West Sussex, RH10 9DF, United Kingdom
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): data.protection@fly.virgin.com
Entity corporate address
Xiamen Airlines Co., Ltd., a company registered in Fujian, China, whose address for visitors is at 321 Donghuang Road, Xiamen, PR China (Zip Code 361006).
Contact details
For questions and claims related to the processing and protection of personal data, you can contact the Data Protection Officer (DPO): dpo@xiamenair.com