privacy policy portal air france and klm business solutions

Portal Air France and KLM Business Solutions

INTRODUCTION

This website Business Solutions is available under the URL AFKL.biz (hereinafter to be referred to as

“Portal”) is owned by Air France and KLM. In these terms, "Air France" refers to the French airline

company AIR FRANCE, whose registered office is located at 45, rue de Paris, 95 747 Roissy CDG cedex,

France. To find out more, please visit our dedicated page on the Air France corporate website.

"KLM" means Koninklijke Luchtvaart Maatschappij NV (also operating as KLM Royal Dutch Airlines or

KLM), a Dutch airline with its registered office at Amsterdamseweg 55, 1182 GP Amstelveen, the

Netherlands. To find out more, you can visit the www.klm.com website in the section "About KLM". Air

France and KLM are companies of the Air France - KLM Group.

1. PRIVACY POLICY

In this privacy policy, we explain how Air France and KLM collect and use your personal data when you

visit our Portal or otherwise interact with us. Make sure to read the policy carefully.

About this privacy policy

This privacy policy applies to all personal data that Air France and KLM processes when a user visits our

Portal or contact us. Air France and KLM processes your personal data primarily to answer your questions.

In this privacy policy, Air France and KLM provides more information about the personal data Air France

and KLM collects and uses and what your rights are.

1.1 Types of personal data we collect and use

1.1.1 General

We may collect and use the following categories of personal data of users of our Portal:

(A) Contact details and personal account or registration details We may collect your address, telephone

number, and e-mail address. If you register for a service, event, contest or campaign or create a personal

account, we may also record your login details and other information that you provide during registration

or when filling in the account form.

(B) Our communication with users of our Portal When you send us an e-mail or chat with us online, we

or complaints in our database. We may also record telephone calls for training purposes or to prevent or

combat fraud. We register your communication preferences, for example, when you subscribe to one of

our newsletters or when you choose to receive information or alerts through channels other than e-mail

(e.g. WhatsApp and other future communication services).

i. When you visit our Portal, or any other digital service, we may register your IP address, browser

type, operating system, referring website, web-browsing behavior and app use. We may receive your

location data. We collect this information via cookies and similar technologies. For more information,

please read our cookie policy. When you visit our Portal via a link in an e-mail, we may add the

information we collect via cookies and similar technologies to other information we already have

about you.

ii. We receive an automatic notification when you open our e-mails or click on a link in such e-mails.

We may combine this information with other data we already have about you.

(D) Information you choose to share with us We collect and use information that you choose to share

with us, for example when you share your interests and preferences on our Portal, fill out a customer

survey or submit an entry for a contest.

1.2 Specific services, events, contests or campaigns

For specific services, events, contests or campaigns, we may collect other types of data than those

described in this privacy policy. We will inform you about this when you register for the service, event,

contest, or campaign.

1.3 How we collect data of users of our Portal

We collect the categories of personal data referred to above in the following ways:

(A) Personal data provided by you When you create an online account for the secured environment of the

Portal and tools, contact us via chat, fill out a customer survey, contact our customer service,

subscribe to receive our e-mails or mobile push notifications, submit an entry for a contest, or

(B) When you use our website, we collect information using cookies and similar technologies Air

France and KLM uses only functional and analytical cookies on the Portal. For more information,

please read our cookie policy.

1.4 Purposes for which we use data of users of our Portal

1.4.1 Main purposes for which we use your personal data

(A) To provide our services to you We use the information described under chapter 1.1-1.3 to handle your

requests. For example, we use your name, and other identifying information to handle your request

for issuing a waiver, reinstating a booking, etc.

(B) For statistical research

i. General: we research general trends in the use of our services, Portal, as well as trends in the

behavior and preferences of our users. We use our research results to develop better services and

offers for our users, provide better customer service, and improve the design and content of our

Portal.

ii. Categories of data: to perform our research, we may use the categories of personal data described

at chapter 1.1. We only use 'aggregated data' or 'pseudonymised data' for our research. This is data

that cannot be traced back directly to you because all directly identifiable elements (e.g. names and e-

mail addresses) are removed or encoded and given a number. We take appropriate measures to

ensure that only a limited group of employees has access to the data set.

iii. Example: if our research into booking details and data about additional services purchased (extra

baggage, upgrades) shows that passengers travelling long distances are more inclined to purchase

extra legroom, we may use that information to offer extra legroom more prominently for long-

distance flights.

iv. Legal basis and right to object: we collect and use your personal data for our legitimate interests

described above (chapter 1.1.1 and 1.4.1). You have the right to object, on grounds relating to your

particular situation, at any time to the processing of your personal data for statistical research (see

chapter 1.7 “Your rights” below).

to answer your questions, or to address your complaints.

1.4.2 Specific services, events, contests, or campaigns

For specific services, events, contests, or campaigns, we may use your personal data for purposes other

than those described in this privacy policy. We will inform you about those purposes when you register

for the service, event, contest, or campaign, or when you download the relevant app.

1.4.3 Legal basis

We may collect and use your personal data only if we have a legal basis for doing so. In many cases, we

need your personal data to answer your questions (see chapter 1.4 “Purposes for which we use data of

users of our Portal”, above). In those cases, the legal basis for processing your data is 'necessary for the

performance of a contract'. If you have consented to the collection and use of your personal data (which

consent you may withdraw at any time, see chapter 1.7 “Your rights” below), we will collect and use your

data based on that consent. In certain cases, we may use your personal data if we have a legitimate

interest in doing so. We will always consider all interests carefully: your interests, the interests of others,

and Air France and KLM's interests. On that legal basis, we will collect and use your data for, for instance,

security and statistical research (see 1.4.1 above for more information). If you refuse to provide the

personal data that we need to perform the contract we have concluded with you or to comply with a

legal obligation, we may not be able to provide all the services you have requested from us.

Consequently, we may not be able to provide you with the additional services you have requested. If you

provide incomplete or inaccurate information, we may be forced to deny your request for a service.

1.5 Granting access to or sharing data with third parties

1.5.1 General

We may share your personal data with third parties in the following cases:

(A) For support or additional services To provide our services, we use the support or additional services

of third parties, such as IT suppliers, social media providers, marketing agencies, and screening

service providers. All such third parties are required to adequately safeguard your personal data and

only use such data in accordance with our instructions. The Air France-KLM group carries out its

business operations using centralized databases and systems. Those central databases and systems

may be hosted or managed by one group company for other group companies. In addition, for

efficiency purposes, certain operational functions may be performed by one group company for other

group companies. This means that our group companies may have access to your personal data for

these purposes. Our group companies may only use your personal data as required for the relevant

business function and in accordance with this privacy policy.

1.5.2 Specific services, events, contests, or campaigns

For specific services, events, contests, or campaigns, we may share your data with third parties other than

those described in this privacy policy, for example, when we organize a campaign or an event in

collaboration with a partner. We will inform you about this when you register for the service, event,

contest, or campaign.

1.5.3 Third-party Portals, websites

Our Portal can link to third-party websites. If you follow those links, you will leave our Portal. This privacy

policy does not apply to Portals, websites of third parties. For more information on how they handle your

personal data, please check their privacy and/or cookie policies (if available).

1.6 Security and retention

1.6.1 Security

(A) Our commitment Ensuring the security and confidentiality of your personal data is our priority. Taking

into account the nature of your personal data and the risks of processing, we have put in place all

appropriate technical and organizational measures as required by applicable legal provisions (in particular

article 32 of the General Data Protection Regulation (GDPR)) so as to ensure an appropriate level of

security and, in particular, to prevent any accidental or unlawful destruction, loss, alteration, disclosure,

intrusion of or unauthorized access to these data.

i. Organizational measures: we have implemented and maintain various organizational measures

intended to strengthen the awareness and accountability of our employees. We have programs in

place designed both to ensure awareness and to promote the sharing of good practices and

safety standards. In this context, a rich collection of documents on information security

challenges and privacy protection have been made available to our employees.

ii. Technical measures: we strictly control physical and logical access to internal servers hosting or

processing your personal data. We protect our network with state-of-the-art hardware devices

(Firewall, IDS, DLP etc.) as well as architectures (including secure protocols such as TLS 1.2) in

order to prevent and limit the risk of cybercrime.

(B) The evolution of our security systems To maintain an appropriate level of security, we have internal

processes in place based on the best standards (in particular, the ISO 27000 family of standards). We rely

on dedicated experts to guarantee the best possible level of protection. In this regard, we maintain a

privileged relationship with the NCSC (National Cyber Security Centre). The ISO/IEC 27K standard also

applies to third parties with which Air France/KLM has a relationship.

the security measures recognized as appropriate, unforeseen things can happen. We have specific

procedures and resources in place to manage security incidents under the best possible conditions. We

have also set up a specific procedure for assessing possible breaches of security that could lead to the

accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to your personal

data, for notifying the competent supervisory authority within the period stipulated by applicable law,

and for warning you when a breach is likely to result in a high risk to your rights and freedoms. Tests are

carried out periodically to verify the functioning of the security installations and adequacy of the

procedures and devices deployed.

1.6.2 Retention

We do not keep your personal data for any longer than is necessary. How long your personal data is

retained depends on the purposes for which the data is processed and the applicable statutory retention

periods.

1.7 Your rights

You may contact our Privacy Office (see chapter below) to exercise any of the rights you are granted

under applicable data protection laws, including (A) the right to access your data, (B) to rectify your data,

the right to object to processing.

(A) Right to access You may ask us whether we collect or use any of your personal data and, if so, to

receive access to that data in the form of a copy.

(B) Right to rectification You have the right to have your data rectified if it is inaccurate or incomplete.

Upon request, we will correct inaccurate personal data about you and, taking into account the purposes

of the processing, complete incomplete personal data, which may include the provision of a

supplementary statement.

your data. Erasure of your personal data only takes place in certain cases, as prescribed by law and listed

in Article 17 of the General Data Protection Regulation (GDPR). This includes situations where your

personal data is no longer necessary for the purposes for which it was originally processed and situations

where your data was processed unlawfully. Due to the way in which we maintain certain services, it may

take some time before backup copies are erased.

(D) Right to restriction of processing You have the right to obtain a restriction on the processing of your

personal data. This means that we will suspend the processing of your data for a certain period.

Circumstances which may give rise to this right include situations where the accuracy of your personal

data is contested and we need some time to verify its (in)accuracy. This right does not prevent us from

continuing to store your personal data. We will inform you before the restriction is lifted.

(E) Right to data portability Your right to data portability entails that you may ask us to provide you with

your personal data in a structured, commonly used and machine-readable format, and have such data

transmitted directly to another controller, where technically feasible. Upon request and where this is

technically feasible, we will transmit your personal data directly to the other controller.

(F) Right to object You have the right to object to the processing of your personal data. This means you

may ask us to no longer process your personal data. This only applies if the 'legitimate interests' ground

(including profiling) constitutes the legal basis for processing (see chapter 1.4.3 “Legal basis” above). You

can object to direct marketing at any time and at no cost to you if your personal data is processed for this

purposes, which includes profiling to the extent that it is related to direct marketing. If you exercise this

right, we will no longer process your personal data for such purposes.

1.7.1 Withdrawal of consent

You may withdraw your consent at any time by following the specific instructions concerning the

processing for which you provided your consent. For example, you can withdraw consent by clicking the

unsubscribe link in the e-mail, adjusting your communication preferences in your account (if available), or

changing your smartphone settings (for mobile push notifications and location data). You may also

contact Air France and KLM’s Privacy Office. For more information on how you can withdraw your

consent for cookies and similar technologies we use when you visit our Portal please check our cookie

policy.

1.8 Denial or restriction of rights

There may be situations where we are entitled to deny or restrict your rights as described in chapter 1.7.

In all cases, we will carefully assess whether such an exemption applies, and inform you accordingly. We

may, for example, deny your request for access when necessary to protect the rights and freedoms of

other individuals, or refuse to delete your personal data in case the processing of such data is necessary

for compliance with legal obligations. The right to data portability, for example, does not apply if the

personal data was not provided by you or if we process the data on grounds other than your consent or

for the performance of a contract.

1.9 Privacy Office

If you wish to exercise your rights, please send your request to Air France and KLM’s Privacy Office:

Air France’s Privacy Office:

Air France Délégué à la Protection des Données / Data Protection Officer - ST.AJ IL

45, rue de Paris

95747 Roissy CDG Cedex

France

E-mail: mail.data.protection@airfrance.fr

KLM Royal Dutch Airlines Privacy Office - AMSPI

PO Box 7700 NL

1117 ZL Luchthaven Schiphol

The Netherlands E-mail: KLMPrivacyO[email protected]

1.10 Questions, comments or complaints

If you have any questions, comments or complaints about this privacy policy, please feel free to contact

us. If your concerns have not been addressed to your satisfaction, you have the right to file a complaint

with the competent supervisory authority.

In the Netherlands, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) in The Hague is

responsible for monitoring compliance with privacy regulations.

In France, the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés)

in Paris is responsible for monitoring compliance with privacy regulations.

1.11 How this privacy policy is updated

This privacy policy took effect on 01 February 2023.

This privacy policy is amended from time to time. We will notify you of any changes before they take

effect.