1. Who we are
2. Types of personal data we collect and use
3. How we collect your data
4. Purposes for which we use your data
4.1. Main purposes for which we use your personal data (A) To provide our services to you We use the information described under 2.1 (A) to (G) to handle your reservations and bookings and to arrange your trips and purchases. For example, we use your name, passport number, and other identifying information to issue your ticket. We use your contact details to inform you about changes in your flight status.
(G) Unruly behaviour i. Passengers who have behaved unruly on the ground or onboard our aircraft or who have misused our services may be banned for a maximum period of five years, or may be welcome aboard only on certain conditions. KLM keeps a list of unruly passengers (see 2.1 (J) above). Passengers placed on these lists will be personally informed (in writing where possible) about the fact that they have been placed on this list and why, what measures KLM has taken against them, and how long these special security measures will apply to them. For more information on how to access or rectify this data, see 8 “Your Rights” below. ii. Illegal drugs: KLM receives from the State of the Netherlands the names of passengers who have disembarked at Amsterdam Airport Schiphol and who have been found by the Royal Netherlands Marechaussee to be carrying illegal drugs. KLM may refuse to enter into any transport contract with these persons for a period of 3 years for direct flights from Amsterdam Airport Schiphol to Suriname, Aruba, Bonaire, St. Maarten, or Curaçao and direct flights from these countries to Schiphol. You may request permission to access or rectify this data by submitting a written request to that effect to the Royal Netherlands Marechaussee, PO Box 90615, 2509 LP The Hague, The Netherlands. If you reside in Aruba, the Netherlands Antilles, Suriname or Venezuela, you must enclose a copy of your passport with your written request.
5. Granting access to or sharing data with third parties
6. Security and retention
6.1. Security (A) Our commitment Ensuring the security and confidentiality of your personal data is our priority. Taking into account the nature of your personal data and the risks of processing, we have put in place all appropriate technical and organisational measures as required by applicable legal provisions (in particular article 32 of the General Data Protection Regulation (GDPR)) so as to ensure an appropriate level of security and, in particular, to prevent any accidental or unlawful destruction, loss, alteration, disclosure, intrusion of or unauthorised access to these data. (B) The security measures we have taken i. Banking transactions: we are required to comply with the Data Security Standard for the Payment Card Industry (the PCI DSS standard) issued by the PCI Security Standards Council (PCI SSC). This standard was created to increase control over cardholder information so as to reduce the fraudulent use of payment instruments. All KLM service providers required to process bank card data must comply with the PCI DSS standard. We strive to combat identity theft on the Internet. For this reason, we use, for example, a device for detecting fraudulent payments designed to protect you in the event of loss or theft of your bank card. ii. Organisational measures: we have implemented and maintain various organisational measures intended to strengthen the awareness and accountability of our employees. We have programmes in place designed both to ensure awareness and to promote the sharing of good practices and safety standards. In this context, a rich collection of documents on information security challenges and privacy protection have been made available to our employees. iii. Technical measures: we strictly control physical and logical access to internal servers hosting or processing your personal data. We protect our network with state-of-the-art hardware devices (Firewall, IDS, DLP etc.) as well as architectures (including secure protocols such as TLS 1.2) in order to prevent and limit the risk of cybercrime. (C) The evolution of our security systems To maintain an appropriate level of security, we have internal processes in place based on the best standards (in particular, the ISO 27000 family of standards). We rely on dedicated experts to guarantee the best possible level of protection. In this regard, we maintain a privileged relationship with the NCSC (National Cyber Security Centre).
(D) How to protect yourself Personal data security and confidentiality depend on everyone's best practices. When you make a reservation, you will be sent file references . These booking references must remain confidential at all times. Disclosing them to other passengers may allow them access to your booking information through our systems or those of third parties involved in delivering your trip (e.g. travel agencies or online search and booking sites). If you are travelling with others and do not want your personal information disclosed to them, we recommend making separate reservations. We also advise you not to disclose the passwords you use to access our services to third parties, to log out of your profile and social account systematically (especially in the case of linked accounts), and to close the browser window at the end of your session, especially if you are accessing the Internet from a public computer. This will prevent other users from accessing your personal data. To avoid the risk of hacking, we recommend using different passwords for every online service you use. We cannot be held responsible for theft of your data on a platform that is not managed by us. In addition, we strongly recommend that you do not distribute to third parties documents issued by KLM containing your personal data (your boarding pass, ticket number, etc.) or other information related to your trip or to publish these on social networks. If you decide to publish these documents on social media, you are responsible for consulting and understanding the general conditions of use, information security practices and privacy policies applicable to those third-party social networks. We cannot be held responsible for how data is processed, stored or disclosed on these platforms. To find out more about our IT security measures, please consult our IT security portal. (E) Management of security incidents There is no such thing as ‘zero risk’ and even if we implement all the security measures recognised as appropriate, unforeseen things can happen. We have specific procedures and resources in place to manage security incidents under the best possible conditions. We have also set up a specific procedure for assessing possible breaches of security that could lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to your personal data, for notifying the competent supervisory authority within the period stipulated by applicable law, and for warning you when a breach is likely to result in a high risk to your rights and freedoms. Tests are carried out periodically to verify the functioning of the security installations and adequacy of the procedures and devices deployed. 6.2. Retention
We do not keep your personal data for any longer than is necessary. How long your personal data is retained depends on the purposes for which the data is processed and the applicable statutory retention periods.
7. International transfer of data
8. Your rights