Privacy statement Our privacy commitment to you
When you use our products and services, you trust us with your information. We find this relationship extremely important and promise the following to you.
- We always process your data in accordance with the EU Data Protection Rules and other applicable privacy legislation to protect it from unauthorised access and to ensure safe data transfers.
- We are transparent about how we use the data collected from you.
- We make clear to you what your benefit is for sharing your data with us and match our communication with your needs and preferences.
- We do this in easy-to-understand language throughout the whole KLM and partner airline journey.
- We put you in control of your data and will use your feedback to improve continuously.
- We ensure that your data is safe with us. In the unlikely event that your data has been breached, we will make sure to stop the leak as soon as possible and inform you immediately.
- If we need to disclose your data outside our organisation, we describe this explicitly in our privacy statement. We do not share, sell, or give your personal information to any outside organisation without your explicit consent.
- We are trustworthy with your data and strive for international certifications (e.g. ISO-27001).
About this privacy statement
This privacy statement applies to all personal data that KLM processes when customers use our websites or mobile apps or contact us. We process your personal data primarily to handle your bookings, arrange your trips and purchases, and answer your questions. We may also use your data to send you offers adjusted to your interests and preferences.
In this privacy statement, we provide more information about the personal data we collect and use and what your rights are. For more information, please click on the relevant paragraph below.
1. Who we are
We are Koninklijke Luchtvaart Maatschappij NV (also known as KLM Royal Dutch Airlines or KLM), a Dutch airline, with its office at Amsterdamseweg 55, 1182 GP Amstelveen, The Netherlands.
We offer our corporate loyalty programme Bluebiz in partnership with our group company Air France. Air France (Société Air France, S.A.) is an airline with offices at Rue de Paris 45, F-95747 Roissy CDG Cedex, France. We are jointly responsible for the collection and use of your personal data for the Bluebiz loyalty programme. We have an arrangement in place setting out our respective responsibilities for complying with applicable privacy legislation. In short, we have agreed that you can contact either KLM’s or Air France’s Privacy Office (see 8 “Your rights” below) if you wish to exercise your rights or have any complaints about the collection or use of your personal data. KLM and Air France will assist each other when necessary so as to ensure that you can exercise your rights. We work together to ensure that your questions and complaints are properly addressed.
With our subsidiary Transavia Airlines CV ('Transavia', also part of the Air France-KLM Group) we exchange personal data of passengers who have caused (serious) nuisance and who have been refused boarding (see also 2.1 (J), 4.1 (G) and 5.3 below). Transavia is an airline with its office at Piet Guilonardweg 15, 1117 EE Schiphol, The Netherlands. Together with Transavia, we are responsible for the processing of your personal data that takes place in the context of this exchange. A mutual arrangement sets out our respective responsibilities for compliance with applicable privacy laws including the exercise of your rights (see section 8 “Your rights” below).
2. Types of personal data we collect and use
2.1. General We may collect and use the following categories of personal data: (A) Name, passport details and other identifying data When you make a reservation or book a flight with us, we collect your name, title, gender, date of birth, nationality, country of residence, and passport details. If you make a reservation or book a flight for other persons, we also collect their identifying data. Please make sure that they understand that we collect their personal data and how we use it. (B) Your contact details and your personal account or registration details We may collect your address, telephone number, and e-mail address. If you register for a service, event, contest or campaign or create a personal account, we may also record your log-in details and other information that you provide during registration or when filling in the account form. If you are a business traveller, we also collect information about your organisation, such as its name and address. (C) Information about your reservations, bookings, and purchases When you make a reservation or book a flight with us, we collect and use your reservation and booking details. Those details may include information about your flight, prices, and the date of your reservation or booking. In addition, we collect and use information about additional services (such as extra baggage, upgrades, and onboard WiFi) and products you purchase from us. (D) Information in relation to your trip When you travel with us, we collect and use information about your trip, such as your itinerary, online or airport check-in, mobile or hardcopy boarding pass, and information about your travel companions. We may also record your specific medical needs or dietary requests and any additional assistance you require.
Prior to boarding or disembarking, we may also perform health checks or collect or use your health data, because we are statutorily required to do so, for reasons of public interest in the area of public health, or with your explicit consent.
At some airports, as part of access controls, security measures and security procedures (such as matching checked baggage to the correct passenger), your identity may be verified using biometric features, for example through facial recognition. From the external organisation providing these controls or procedures, we normally receive confirmation that your identity has been verified (an identity confirmation). Unless otherwise specified, we do not receive any personal data about you other than that already in our possession (such as information about your boarding pass). We do not receive biometric data (such as a facial image). The external organisation providing biometric identification is the data controller for the processing of your biometric data. For more information on the processing of your personal data by this organisation, please refer to the relevant organisation's privacy statement. For more information on the purposes for which we use the identity confirmation, please refer to section 4.1 (H).
We may be required by law to make a copy of your proof of identity (see section 5.4 (A) below for more information).
3. How we collect your personal data
4. Purposes for which we use your data
4.1. Main purposes for which we use your personal data (A) To provide our services to you We use the information described under 2.1 (A) to (G) to handle your reservations and bookings and to arrange your trips and purchases. For example, we use your name, passport number, and other identifying information to issue your ticket. We use your contact details to inform you about changes in your flight status.
(F) To communicate with you We use your contact details to communicate with you about our services or loyalty programme, to answer your questions, or to address your complaints.
(G) Passengers who exhibit unruly behaviour or misuse our services i. General: KLM maintains lists of passengers who have exhibited unruly behaviour or misused our services (see 2.1 (J) above). Depending on the severity of the behaviour, KLM may (i) for a period of three years attach additional conditions to their admission on board or (ii) for a period of (in principle) five years refuse them on board. In case of aggravating circumstances (such as repeated misconduct), KLM may decide to refuse a passenger for a period exceeding five years. In very severe cases, KLM may even decide to refuse a passenger permanently. We apply different guidelines for processing this special information in respect of children. Children under the age of 15 who exhibit unruly behaviour are not registered on the list. As for children aged 15 to 16, KLM may attach conditions to their admission for a maximum period of one year. Passengers who have been refused entry for five years or more will be personally informed (if possible, by e-mail) of the fact that they have been placed on the list, the reason for placement, what security measures have been imposed on them, how long these measures will be effective and where they can file a complaint or object to the placement. More information about access to or correction of this data can be found below under 8 'Your rights'. ii. Illegal drugs: KLM receives from the State of the Netherlands the names of passengers who have disembarked at Amsterdam Airport Schiphol and who have been found by the Royal Netherlands Marechaussee to be carrying illegal drugs. KLM may refuse to enter into any transport contract with these persons for a period of 3 years for direct flights from Amsterdam Airport Schiphol to Suriname, Aruba, Bonaire, St. Maarten, or Curaçao and direct flights from these countries to Schiphol. You may request permission to access or rectify this data by submitting a written request to that effect to the Royal Netherlands Marechaussee, PO Box 90615, 2509 LP The Hague, The Netherlands. If you reside in Aruba, the Netherlands Antilles, Suriname or Venezuela, you must enclose a copy of your passport with your written request.
(H) To conduct our business operations or to comply with statutory obligations We collect, use and retain your personal data to conduct our business operations, such as conducting flights, ensuring flight safety and for record-keeping purposes. We also process your data to improve our business operations. For example, we use recordings of telephone calls to train our customer service staff (see 2.1 (F)). Furthermore, we process your personal data to comply with our legal and tax obligations and for the purposes of fraud prevention and control, and dispute resolution. In the case of fraud or misuse of our services, we may enter your personal data in our internal fraud control and warning systems (see 4.1 (G) above). 4.2 Specific services, apps, events, contests, or campaigns For specific services, apps, events, contests, or campaigns, we may use your personal data for purposes other than those described in this privacy statement. We will inform you about those purposes when you register for the service, event, contest, or campaign, or when you download the relevant app. 4.3 Legal basis We may collect and use your personal data only if we have a legal basis for doing so. In many cases, we need your personal data to receive your booking, arrange your flight or purchases, facilitate your participation in our loyalty programmes, or to answer your questions (see 4.1 (A), (B) and (G) above). In those cases, the legal basis for processing your data is 'necessary for the performance of a contract'. If you have consented to the collection and use of your personal data (which consent you may withdraw at any time, see 8 “Your rights” below), we will collect and use your data based on that consent. In certain cases, we may use your personal data if we or third parties have a legitimate interest in doing so. We will always consider all interests carefully: your interests, the interests of others, and KLM's interests. Based on our legitimate interest, we will collect and use your data for, for instance, flight safety, statistical research, or direct marketing purposes, or to offer personalised discounts and offers (see 4.1 (C), (D),(E) and (G) above for more information). We may have a legal obligation to collect and use your data, for example, to satisfy immigration formalities (see 4.1 (H). If you refuse to provide the personal data that we need to perform the contract we have concluded with you or to comply with a legal obligation, we may not be able to provide all the services you have requested from us. Consequently, we may have to cancel your flight, or we may not be able to provide you with the additional services you have requested. If you provide incomplete or inaccurate information, we may be forced to deny you boarding or entry into a foreign territory.
5. Granting access to or sharing data with third parties
5.1. General We may share your personal data with third parties in the following cases: (A) To facilitate your bookings and trips To handle your reservations and bookings and to arrange your trips and purchases, we often need to share your personal data with our partner airlines, airport operators, and other companies involved in facilitating your trip (see 3.1 (B) above, “How we collect your data”). We also exchange your data with SkyTeam and SkyTeam Alliance members to provide you with a more seamless travel experience (see section 1 above). (B) For our Bluebiz corporate loyalty programme For more information, see “Who we are” and 3.1 (C) under “How we collect your data”. (C) Regarding corporate accounts If you book a flight using your employer's corporate account, your employer will have access to certain booking details, such as the ticket price, travel dates, and your destination. Your employer is independently responsible for how it collects and uses your personal data and informs you about it. (D) For support or additional services To provide our services, we use the support or additional services of third parties, such as IT suppliers, social media providers, marketing agencies, and screening service providers. All such third parties are required to adequately safeguard your personal data and only use such data in accordance with our instructions. The Air France-KLM group carries out its business operations using centralised databases and systems. Those central databases and systems may be hosted or managed by one group company for other group companies. In addition, for efficiency purposes, certain operational functions may be performed by one group company for other group companies. This means that our group companies may have access to your personal data for these purposes. Our group companies may only use your personal data as required for the relevant business function and in accordance with this privacy statement. (E) Regarding payment services To process payments for your trips and purchases, we may work with third parties that offer payment services. In many cases, those payment service providers also conduct fraud checks. They operate their own privacy policies in terms of the way in which they use your personal data. (F) Personalised marketing through social media platforms For more information, see 4.1 (E) under “Purposes for which we use your data”. (G) To enable our partners to tailor their services to your trip We may share your non-personalised information (destination, travel date, and duration of the trip) with partners that offer additional services (e.g. hotel accommodations, car rental services) so that they can provide you with offers tailored to your trip. Our partners operate their own privacy policies in terms of the way in which they use your personal data. 5.2. Specific services, apps, events, contests, or campaigns For specific services, apps, events, contests, or campaigns, we may share your data with third parties other than those described in this privacy statement, for example, when we organise a campaign or an event in collaboration with a partner or when we integrate their services into our apps. We will inform you about this when you register for the service, event, contest, or campaign, or when you download the app. 5.3. Data exchange with Transavia
Airlines have an obligation to guarantee flight safety. For this purpose, KLM takes certain (necessary) security measures. For example, KLM keeps a list of passengers who have exhibited unruly behaviour on the ground or on board (see 2.1. (J) and 4.2 (G) above). Based on this list, KLM can (i) for a period of three years attach additional conditions to their admission on board or (ii) for a certain period refuse them on board. Transavia, KLM’s subsidiary, maintains a similar list. To increase the scope of the internal security measures taken, KLM and Transavia exchange the personal data of passengers of whom has been decided that they must be refused boarding (see 4.1. (G) above). A person who is refused by KLM will now also be refused on board Transavia flights (and vice versa). If you have exhibited unruly behaviour and this has led to registration on the list, you will be personally informed about this by the airline where the unruly behaviour took place.
5.4 Government agencies (A) General We may be legally required to collect your personal data before you travel to another country and share it with the government agencies in the countries on your itinerary. For example, we may be legally required to collect and share your identifying data and your booking and travel information with those agencies for purposes of border control, immigration formalities, entering a country, or combatting terrorism or other serious crimes (see 5.4 (B) below). If you depart from certain countries, in specific cases we are required by law to make a copy of your passport and provide it to the Dutch government upon request. We may also be statutorily required to share your health data with the government agencies in the countries on your itinerary for public health purposes (see 2.1 (D) above). (B) PNR and API data i. General: under applicable European and local laws and regulations, we are required to disclose PNR and API data to certain government agencies.
6. Security and retention
6.1. Security (A) Our commitment Ensuring the security and confidentiality of your personal data is our priority. Taking into account the nature of your personal data and the risks of processing, we have put in place all appropriate technical and organisational measures as required by applicable legal provisions (in particular Article 32 of the General Data Protection Regulation (GDPR)) so as to ensure an appropriate level of security and, in particular, to prevent any accidental or unlawful destruction, loss, alteration, disclosure, intrusion of or unauthorised access to these data. (B) The security measures we have taken i. Banking transactions: we are required to comply with the Data Security Standard for the Payment Card Industry (the PCI DSS standard) issued by the PCI Security Standards Council (PCI SSC). This standard was created to increase control over cardholder information so as to reduce the fraudulent use of payment instruments. All KLM service providers required to process bank card data must comply with the PCI DSS standard. We strive to combat identity theft on the Internet. For this reason, we use, for example, a device for detecting fraudulent payments designed to protect you in the event of loss or theft of your bank card. ii. Organisational measures: we have implemented and maintain various organisational measures intended to strengthen the awareness and accountability of our employees. We have programmes in place designed both to ensure awareness and to promote the sharing of good practices and safety standards. In this context, a rich collection of documents on information security challenges and privacy protection have been made available to our employees. iii. Technical measures: we strictly control physical and logical access to internal servers hosting or processing your personal data. We protect our network with state-of-the-art hardware devices (Firewall, IDS, DLP etc.) as well as architectures (including secure protocols such as TLS 1.2) in order to prevent and limit the risk of cybercrime. (C) The evolution of our security systems To maintain an appropriate level of security, we have internal processes in place based on the best standards (in particular, the ISO 27000 family of standards). We rely on dedicated experts to guarantee the best possible level of protection. In this regard, we maintain a privileged relationship with the NCSC (National Cyber Security Centre).
(D) How to protect yourself Personal data security and confidentiality depend on everyone's best practices. When you make a reservation, you will be sent file references . These booking references must remain confidential at all times. Disclosing them to other passengers may allow them access to your booking information through our systems or those of third parties involved in delivering your trip (e.g. travel agencies or online search and booking sites). If you are travelling with others and do not want your personal information disclosed to them, we recommend making separate reservations. We also advise you not to disclose the passwords you use to access our services to third parties, to log out of your profile and social account systematically (especially in the case of linked accounts), and to close the browser window at the end of your session, especially if you are accessing the Internet from a public computer. This will prevent other users from accessing your personal data. To avoid the risk of hacking, we recommend using different passwords for every online service you use. We cannot be held responsible for theft of your data on a platform that is not managed by us. In addition, we strongly recommend that you do not distribute to third parties documents issued by KLM containing your personal data (your boarding pass, ticket number, etc.) or other information related to your trip or to publish these on social networks. If you decide to publish these documents on social media, you are responsible for consulting and understanding the general conditions of use, information security practices and privacy policies applicable to those third-party social networks. We cannot be held responsible for how data is processed, stored or disclosed on these platforms. To find out more about our IT security measures, please consult our IT security portal. (E) Management of security incidents There is no such thing as ‘zero risk’ and even if we implement all the security measures recognised as appropriate, unforeseen things can happen. We have specific procedures and resources in place to manage security incidents under the best possible conditions. We have also set up a specific procedure for assessing possible breaches of security that could lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to your personal data, for notifying the competent supervisory authority within the period stipulated by applicable law, and for warning you when a breach is likely to result in a high risk to your rights and freedoms. Tests are carried out periodically to verify the functioning of the security installations and adequacy of the procedures and devices deployed. 6.2. Retention
We do not keep your personal data for any longer than is necessary. How long your personal data is retained depends on the purposes for which the data is processed and the applicable statutory retention periods.
7. International transfer of data
8. Your rights
(D) Skyteam Alliance If you wish to exercise your rights regarding the processing of your personal data within the framework of the SkyTeam Alliance, please contact KLM's Privacy Office:
9. How this privacy statement is updated