SkyTeam Alliance Joint Privacy Notice


SkyTeam Airline Alliance Management Coöperatie U.A., a company registered in Amsterdam, the Netherlands (Chamber of Commerce registration number 34345101), whose address for visitors is at Amsterdamseweg 55, Wing 3.3 (1182 GDP) Amstelveen, the Netherlands (“SkyTeam”), is a global airline alliance that coordinates and provides commercial activities on behalf of and – to some extent – together with the SkyTeam Member airlines (“Members”). Please find a list of all Members and their contact details

1.   Parties and privacy roles
This Privacy Notice aims to inform you about the processing activities performed by

  1. SkyTeam and Members in their capacity of joint controllers; or

  2. the Members in their capacity of joint controllers,


under applicable personal data protection laws, including the EU General Data Protection Regulation (EU 2016/679) (“GDPR”), as well as the EU member states’ national implementation acts of the GDPR.

SkyTeam and the Members (in their capacity of joint controllers) or the Members without SkyTeam (in their capacity of joint controllers) are hereinafter jointly referred to as “Controllers”, “we” or “us”.

2. The purposes for which we process your personal data, legal grounds and categories of personal data
This Privacy Notice informs you of the purposes for which we process your personal data as joint controllers, as well as the legal grounds applicable and the categories of personal data involved. Please find an overview with such information below.

SkyLink Digital Spine / Technology Hub: Integration

  • Processing purpose 
    Development / roll out of the overall ECR system. Most frequent flyers of individual Members are recognized by equating a Member’s elite membership to one of the two elite tiers (Elite or Elite plus) within the SkyTeam Alliance. Thus the appropriate benefits can be delivered to the customers who have earned them.
     

  • Joint controllers
    Members

  • Legal ground
    Processing of your personal data is necessary for the performance of a contract with you 

  • Categories of personal data 
    Identification data (including e.g. first and last name) FFP number Tier level.

  • Processing purpose
    Development / roll out of the overall FFP auto accrual & retro accrual system and daily operation. By purchasing a fare that qualifies for earning miles with one of the Members, your miles will automatically be credited to your FFP account. If you have already flown and have not received mileage credit, you can make a retroactive claim directly with your FFP.

  • Joint controllers
    Members

  • Legal ground
    Processing of your personal data is necessary for the performance of a contract with you 

  • Categories of personal data 

    • Auto accrual
      Identification data (including e.g. first and last name) Flight details (including, e.g. flight number, ticket number, operating and marketing carrier code). Frequent Flyer details (including, e.g. frequent flyer number)

    • Retroactive accrual
      Identification data (including e.g. first and last name) Flight details (including, e.g. flight number, ticket number, operating and marketing carrier code, seat number). Frequent Flyer details (including, e.g. frequent flyer number). PNR data.

  • Processing purpose 

    • Development / roll out of the overall LAMS system

    • Providing access to ECR in order to check the Elite or Elite plus status of a customer and give access to a lounge

  • Joint controllers
    Members

  • Legal ground

    • Processing of your personal data is necessary for the performance of a contract with you

    • Processing of your personal data is necessary for the legitimate interests of the controllers involved enabling Members to offer and cross sell products including lounge access

  • Categories of personal data 
    Identification data (including e.g. first and last name) Flight details (including, e.g. flight number, operating and marketing carrier, departure data). Frequent Flyer details (including, e.g. frequent flyer number). 

  • Processing purpose 
    Development / roll out of the overall Seamless seats service

  • Joint controllers
    Members

  • Legal ground

    • Processing of your personal data is necessary for the performance of a contract with you

    • Processing of your personal data is necessary for the legitimate interests of the controllers involved enabling Members to offer and cross sell ancillary products via each others’ websites.

  • Categories of personal data 
    Identification data (including e.g. first and last name) Flight details (including, e.g. flight number, ticket number, seat number, sequence number). Frequent Flyer details (including, e.g. frequent flyer number). PNR data (including e.g. reservation and check-in data) 

  • Processing purpose 
    Development / roll out of the overall Seamless check-in service

  • Joint controllers
    Members

  • Legal ground
    Processing of your personal data is necessary for the performance of a contract with you 

  • Categories of personal data 
    Identification data (including e.g. first and last name)  Flight details (including e.g. flight number, ticket number, seat number, sequence number) Frequent Flyer details (including e.g. frequent flyer number) PNR data (including e.g. reservation and check-in data)  

SkyTeam Digital (website and app): Communication

  • Joint controllers
    SkyTeam and Members

  • Legal ground
    Processing of your personal data is necessary for the performance of a contract with you 

  • Categories of personal data
    Names, gender, date of birth, password, credit card number, security code, expiration date, address, email address, nationality, country of residence, any personal data required to issue a ticket

  • Joint controllers
    SkyTeam and Members

  • Legal ground
    Processing of your personal data is necessary for the performance of a contract with you 

  • Categories of personal data 
    Name, address, telephone number, email address of event organizer, event name,  dates, location, event attendees names and association/company.

For more information on the personal data processed by SkyTeam in its capacity of an individual controller, please visit our Privacy Policy. For more information on the personal data processed by the Members in their capacity of individual or joint controllers outside the scope of the SkyTeam Alliance, please consult each Member’s respective privacy notice.

3. Does this Privacy Notice apply to you?
This Privacy Notice applies to you if you are a passenger, customer, event organizer, participant, lounge visitor, member or other natural person who makes use of one or more services indicated in paragraph 2 above.

4. Disclosure of your personal data to third parties
In some cases, we share your personal data with third parties, for instance because it is necessary for the purposes listed in paragraph 2. Your personal data may be shared with the following parties and/or for the following reasons:

  • Processors: we may share your personal data with other third parties acting on our behalf, such as our IT- and hosting providers. In such cases, these other third parties may only use your personal data for the purposes described in this Privacy Notice and only in accordance with our instructions.

  • Service providers: we may disclose your personal data where necessary with our (legal) consultants, accountants and other service providers who need access to such personal data to carry out work on our behalf in so far such is necessary for the purposes indicated in paragraph 2 and/or otherwise (legally) required.

  • Company acquisition or business or asset sale: in the event that a third party acquires all or part of our business and/or assets, we may disclose your personal data to that third party in connection with the acquisition. Furthermore, we reserve the right to disclose your personal data to third parties as part of any business or asset sale carried out because we have gone into insolvency or any similar situation, but only where lawful and compliant with the applicable data protection legislation, as amended from time to time.

  • Comply with applicable law: we may disclose your personal data where necessary to comply with applicable law or an order of a governmental or law enforcement body. We may also disclose your personal data in response to a request for personal data by a competent authority if we believe disclosure is in accordance with, or is otherwise required by, any applicable law, regulation, or legal process.


5. International transfers
We may transfer personal data that we collect from you to third party processors or one or more Members (in their capacity of joint controllers) located in countries that are outside of the European Economic Area (“EEA”) in connection with the purposes indicated in paragraph 2. For example, some Members are domiciled in the Americas, Asia or Africa, which leads to the disclosing of your personal data outside the EEA.

We have the following appropriate safeguards in place to offer an adequate level of protection of your rights and freedoms as a data subject: 

  • Adequacy decisions: international transfers of personal data take place on the basis of decisions that the relevant third country ensures an adequate level of protection. Such a transfer does not require any specific authorization. For example, the European Commission has issued adequacy decisions for, inter alia, the United Kingdom, Canada and New Zealand. A complete list of currently applicable adequacy decisions from the European Commission, can be found here

  • Standard Contractual Clauses: international transfers of personal data take place on the basis of concluded Standard Contractual Clauses. For example, the European Commission’s Standard Contractual Clauses can be consulted here.

For more information on our transfers of your personal data, please contact us by using the contact details in paragraph 10.

6. Retention periods
We will retain your personal data for no longer than is necessary for the purpose(s) indicated in paragraph 2, and/or in accordance with legal obligations. As the Controllers are multiple entities residing in different jurisdictions where deviating rules on retention periods may apply, the specific retention periods will vary per entity. If you would like to receive more information on the retention periods that we apply, please contact us by using the contact details in paragraph 10. We will in any case comply with legal data retention obligations. Note that a longer retention period of your personal data may occur if this is necessary for example, if a dispute or (legal) proceedings are expected.

After the retention period, we will delete your personal data, unless we retain (part of) of your personal data for another purpose. We will only do so if we have a legal basis to retain your personal data. We will then ensure that personal data are only accessible for that other purpose.

7. Measures taken to protect your personal data
We have taken appropriate technical and organizational measures to protect your personal data against accidental or unlawful processing, including by ensuring that:

  • your personal data is protected against unauthorized access;

  • the confidentiality of your personal data is assured;

  • the integrity and availability of your personal data will be maintained;

  • personnel are trained in information security requirements;

  • actual or suspected data breaches are reported in accordance with applicable law.


8. Your rights
You may have certain rights in relation to your personal data, which are explained below. In each case, please use the contact details in paragraph 10 if you would like to exercise any of your rights.

Note that your rights are not absolute in all cases, and we may not be required to comply with your request. If such is the case, we will make sure you will be informed of this. 

  • Right of access
    You are entitled to a copy of the personal information we hold about you and to learn details about how we use it. Your personal data will usually be provided to you digitally.

  • Right to rectification
    We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.

  • Right to erasure
    In certain circumstances, you have the right to ask us to erase your personal information, for example where the personal information we collected is no longer necessary for the original purpose or where you withdraw your consent. However, this will need to be balanced against other factors. For example, we may not be able comply with your request due to certain legal or regulatory obligations.

  • Right to restriction of processing
    In certain circumstances, you are entitled to ask us to (temporarily) stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to use your personal information. 

  • Right to data portability
    In certain circumstances, you have the right to ask that we transfer personal information that you have provided to us to a third party of your choice.

  • Right to object
    You have the right to object to processing which is based on our legitimate interests. Unless we have a compelling legitimate ground for the processing, we will no longer process the personal data on that basis when you file an objection. Note however, that we may not be able to provide certain services or benefits if we are unable to process the necessary personal data for that purpose.

  • Rights relating to automated decision-making
    You have the right not to be subjected to solely automated decision-making, including profiling, which produces legal effect for you or has a similar significant effect. If you have been subject to a solely automated decision and do not agree with the outcome, you can contact us using the details below and ask us to review the decision. Currently, we do not make use of solely automated decision-making.

  • Right to withdraw consent
    We may ask for your consent to process your personal data in specific cases. When we do this, you have the right to withdraw your consent at any time. Currently, we do not process your personal data on the basis of consent.


9. Updates to this Privacy Notice
This Privacy Notice was last updated in April 2023 and replaces our previous Privacy Notice.

Please check regularly to stay informed of updates to this Privacy Notice. If we make any changes to this Privacy Notice in the future, we will publish the revised Privacy Notice on our website. If changes are made that may significantly affect you as a data subject, we will do our best to directly inform you about those changes. All changes will take effect as soon as the Privacy Notice has been posted on our websites.

10. Questions and complaints
In case you have any questions or complaints regarding the processing or your personal data by us in the context of joint controllers, please contact our Members.

If you are of the opinion that the processing of your personal data is not in compliance with applicable law, you have the right to lodge a complaint with the competent data protection authority.