Air France privacy policy

In the Policy, "AIR FRANCE" refers to the French airline company AIR FRANCE, whose registered office is located at 45, rue de Paris, 95 747 Roissy CDG cedex, France. To find out more, please visit our dedicated page on the AIR FRANCE corporate website.  "KLM" means Koninklijke Luchtvaart Maatschappij NV (also operating as KLM Royal Dutch Airlines or KLM), a Dutch airline with its registered office at Amsterdamseweg 55, 1182 GP Amstelveen, the Netherlands. To find out more, you can visit the www.klm.com website in the section "About KLM". AIR FRANCE and KLM are companies of the AIR FRANCE - KLM Group.  We offer our Flying Blue and BlueBiz loyalty programmes in partnership with KLM. Within the implementation of these programmes, AIR FRANCE and KLM are jointly responsible for the processing of your personal data and their respective responsibilities have been determined by an agreement. To exercise your rights regarding the processing of your personal data under these programmes, you can contact the AIR FRANCE or KLM Data Protection Department as set out in the Flying Blue Privacy Policy or in section 9 "HOW TO EXERCISE YOUR RIGHTS" of this Policy. We work closely with KLM to facilitate the exercise of your rights and to deal with any questions or complaints you may have. You can also find information relating to the processing of your personal data in relation to the Flying Blue programme in the dedicated Privacy Policy on the Flying Blue website and in relation to the BlueBiz programme in this Policy and in the KLM Privacy Policy.

Privacy is one of our major concerns and is at the heart of the experience we wish to offer through the use of our services. We are committed to guaranteeing a high level of protection for the personal data of our customers, prospects, users of our website or mobile applications and, more generally, of any data subject concerned by our processing operations.  We undertake to comply with the regulations applicable to all processing of personal data that we implement, in particular the provisions of the French Data Protection Act of 6 January 1978 (“Loi informatique et libertés”) as amended and the General Data Protection Regulation (EU Regulation 2016/679) or "GDPR".   In particular, we are committed to the following principles:

We are committed to implementing the appropriate internal procedures in order to raise the awareness of all our employees and to ensure compliance with these rules within our organisation.  Furthermore, we undertake to implement the appropriate technical and organisational measures to ensure an adequate level of security and to protect your personal data, as from the beginning of our projects and design of our processing operations.  Finally, we impose the same level of personal data protection in our contracts with our subcontractors. In order to ensure that these rules are properly applied, we have appointed a Data Protection Officer (DPO) who is the main contact for the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority.

3.1. Categories of standard personal data We may collect and process the following categories of personal data: a) Name, passport number and other identification data When you make a booking, the identification data we collect may include your title, surname and first name, gender, date of birth, nationality, country of residence, information appearing on your travel documents (passport or National Identity Card). If you add other passengers to your booking file or book a flight for other people, we also collect their identification data. In this case, you will also need to ensure, where appropriate, that they understand that we collect their personal data, how we use it and how they can exercise their rights. In the case of unaccompanied minors, we collect the identification data of the parents or legal guardian, as well as of the persons responsible for dropping the child off at the airport of departure and picking him/her up at the airport of arrival. If you have created a personal account, you can save this information and scan your travel document in the AIR FRANCE mobile application to use it for future bookings. The use of this feature is optional. In accordance with French and international laws, the non-communication or the inaccuracy of certain data may lead to a decision to deny boarding or entry into a foreign territory (for example on the decision of a customs service), without AIR FRANCE incurring any liability. For more information on the entry formalities applicable to your country of destination, please read the section Regulations. b) Contact, personal account or registration information Your contact information includes your telephone number and email address. When you create a personal account or subscribe to a specific service, we may also record your postal address, login details and any other data you provide to us through the corresponding registration forms. In the case of unaccompanied minors, we collect the contact information of the parents or legal guardian, as well as of the persons responsible for dropping the child off at the airport of departure and picking him/her up at the airport of arrival. If you are a business traveller, we may also collect information about your company, such as the company name and address, through the contract numbers we have with your company or via BlueBiz account references. c) Information about your bookings, ticket purchases or other services When you make a booking on one of our flights, we process the data you provide when you make this booking. This data includes the details of your flights as well as the prices and dates of your bookings. We also process information relating to the additional services you may select, such as extra luggage and seat options, as well as data necessary to finalise and pay for your booking. When you purchase products on the Air France Shopping website, we also collect information about those purchases.  d) Information about your trip When you travel with us, we process information about your trip, such as your itinerary, online or airport check-in, your mobile or hardcopy boarding pass, and information about your travel companions. We may also record your needs for specific assistance in moving around the airport and on board our aircraft, as well as your meal preferences, if you select them at the time of booking. In order to facilitate your trips to the airport, to alert you on the status of your flight and to guarantee a reliable and punctual service, we may also collect from certain airport management entities (for example from “Aéroport de Paris”) data on the confirmation of your passage through the various checkpoints through the airport.  For airports that have implemented optional biometric screening devices, we only collect confirmation of the verification of your identity at the various stages of your journey (check-in, baggage drop-off, boarding) as well as the data allowing us to automatically link this information to your booking and complete your boarding. We do not collect or process any biometric data about you. For more information on the collection and use of your personal data in the context of these biometric boarding systems, we invite you to read the privacy policies of the entities or authorities responsible for processing. Finally, for some destinations and due to the health context linked to the Covid-19 epidemic, we may have to collect and verify the documents required (certificates, supporting documents, questionnaires, negative Covid-19 test) by the authorities of your country of destination for public health purposes prior to boarding or disembarking. In order to prepare your trip and to obtain the list of required documents, we invite you to read the Traveldoc website. e) Information about our loyalty programmes When you become a member of our Flying Blue and BlueBiz loyalty programmes, we process your membership number, your Miles or Blue Credits balance, your bonuses and benefits, your membership type, your status and other information related to your account. We also record transactions in which you earn or spend Miles or Blue Credits. We record, among other things, the type of transaction (e.g. a flight), the date of the transaction, the Miles or Blue Credits earned or debited, and the seller (Air France, KLM or partners). We may also collect information relating to your membership in another partner programme at the time of your booking to offer you the corresponding advantages. We may use your Flying Blue membership information to provide or promote our services to you (see section 5.1 below). You can read the Flying Blue Privacy Policy for more information on the personal data we collect in relation with your membership in this programme. f) Membership in our other offers or programmes (Subscription cards, Youth or Senior Pass, Weekend Pass, Kids Service, Saphir Service) When you subscribe to one of our offers or programmes, we collect the information necessary to validate your subscription and to provide you with the corresponding service and benefits during your trip. g) Activation of entertainment services linked to your trip (Air France CONNECT Wi-Fi Pass and Air France Play)  When you subscribe to one of our entertainment offers, we collect the information necessary to validate your subscription and to provide the corresponding service and benefits during your trip. Your web browsing data is not stored.  h) Interactions, electronic or telephone communications When you communicate with us by email, by online chat or on social networks, we save these exchanges. We may also record telephone calls when you contact our customer service department by telephone as part of our service quality monitoring or for evidentiary or fraud prevention purposes. We also record your communication preferences, for example when you subscribe or unsubscribe to one of our newsletters or when you choose to receive communications related to your booking (such as boarding passes and flight status updates) through other channels (such as WhatsApp, Facebook, Messenger or WeChat).  i) Information we collect when you use our websites, mobile applications or other digital services When you visit our websites or use one of our mobile applications, we may record your IP address, browser type, operating system, referring site and browsing or application usage behaviour. We also collect information through the use of cookies or other similar technologies. For more information, please read our Cookie Management Policy. We keep track of the fact that you open our emails or the links in those emails. We may associate this information with other data we already have about you. With your permission, through the AIR FRANCE mobile application, we may also receive your location data or access certain data stored on your mobile phone, such as photos, contacts and data relating to your agenda. Access to contacts is used to enable you to automatically fill in the "travel companion" or "Flying Blue registration" forms. This enables you to fill in your personal information without having to enter it manually. The use of these features is optional.  j) Information about social networks In order to facilitate the creation of your account as well as your future connections, you have the possibility to link this account with most social networks (Facebook, Twitter, Instagram, etc.). You will therefore benefit from an optimised navigation on our website or our mobile applications. In this case, we do not share any personal data about you with the providers of these social networks. We receive statistics from Facebook about visitors to our Facebook page. You can find more information about the personal data we receive through the social network you use, as well as how to change your settings, on your social network provider's website and in their privacy policy. k) Other information you choose to share with us We process the information you choose to share with us, for example when you share your interests and preferences on our website, leave a comment on our Facebook page or complete a customer satisfaction survey. 3.2.  Categories of special personal data   As mentioned above, in order to provide you with the appropriate service, we may need to collect information that is sensitive under applicable data protection laws. Indeed, this data, such as specific assistance needs or meal preferences, may indirectly give information about your ethnic origin, your religious beliefs or your state of health and may fall under Article 9 of the GDPR. This data is only collected with your consent – when you select the corresponding services at the time of booking – and is only used to provide the relevant service during your trip. You may of course refuse to give your consent at the time of collection of this information, but this may result in your not being able to benefit from these services or benefits.  Biometric data is also subject to stricter rules. However, as mentioned in section 3.1.d, we do not collect or process any biometric data about you when these devices are used at airports from or to which we operate. 3.3 Cookies and similar technologies   When you use our website or mobile applications, we collect information through cookies and other similar technologies. For more information, please read our Cookie Management Policy. 3.4 Specific services, applications, events, campaigns or competitions For certain specific services, applications, events, campaigns, games or sweepstakes that we may offer to enhance your customer experience in addition to our usual services, we may collect other types of data than those described in this Policy. In this case, in accordance with the applicable regulations, information relating to the processing of this data may be communicated to you by a specific privacy statement or policy when you download the application or register for the service, event, campaign or sweepstakes by means of the corresponding form. 3.5 Collection of data about minors   We only collect and process personal data relating to minors under the age of 16 with the prior consent of their parents or guardians. If personal data concerning minors under the age of 16 is collected without this consent via the AIR FRANCE website, applications or mobile sites, parents or guardians have the possibility to object to the corresponding processing or to request the deletion of said data (see section 9 "HOW TO EXERCISE YOUR RIGHTS ").

We may collect the categories of personal data mentioned above by various channels: a) We collect the personal data that you provide directly to us For example, we collect personal data when you book a flight with us, make a purchase, check-in, create an online account, register for one of our loyalty programmes, make a request or complaint, respond to a satisfaction survey, leave us a message on social networks, contact our customer service department, chat with a chatbot, subscribe to receive our emails or mobile notifications, or sign up for one of our specific events, competitions or campaigns.  b) We receive your personal data from your tour operator or travel agency, our airline partners or other companies involved in the organisation and management of your travel We receive your data from these third parties through a booking system (GDS or other technology) in order to be able to provide you with our services and benefits. For example, when you book a flight through a travel agency or online booking site, we receive all the data necessary to manage your booking and to carry out your trip. The companies involved in the organisation and management of your travel are also responsible for processing your personal data. You can find more information on how they process your personal data in their respective privacy policies. c) We receive personal data from partners who participate in our loyalty programmes Our Flying Blue and BlueBiz frequent flyer programmes are offered by AIR FRANCE and KLM (see also 1 "About us" above). In several countries, we offer the Flying Blue programme in partnership with participating airlines. Through our loyalty programmes, you can earn or spend Miles and Blue Credits when you use our services, those of participating airlines and other partners (such as hotel chains or car rental companies). In order to provide you with these benefits, we share some of your personal data with these third parties. For example, if you purchase a service from one of our partners, they share with us the number of Miles you have earned so that we can update your balance. You can find the list of participating airlines and partners on our Flying Blue and BlueBiz websites. The participating airlines and our other partners are also responsible for processing your personal data. You can find more information on how they process your personal data in their respective privacy policies.  d) When you use our website or mobile applications, we collect information using cookies and similar technologies AIR FRANCE uses its own cookies and third-party cookies. For more information, please read our Cookie Management Policy. e) If you use social networks, we may also receive information from your social network provider For more information, please see section 3 "3. Which type of personal data do we process?" above. 

5.1.  Processing purposes The main purposes for which we use your personal data are:  a) To provide our services to you General information: To manage your bookings and arrange your travel and purchases, we need to process most of the information listed in section 3.1. Among other things, we need your identification data to identify you and issue your ticket. In order to provide you with all the information related to your flight, the different stages of your journey (check-in, boarding) and changes in the status of your flight, we need your contact information. To provide you with a service that meets your expectations, we also process all the data related to your trip and your preferences, especially if you have created a personal account. Legal basis for the processing: We process your personal data because it is necessary for the performance of your contract of carriage and the performance of our services.  b) To manage your membership in our loyalty programmes General information: In order for you or your company to benefit from the discounts and bonuses provided by our loyalty programmes, we process your name, contact details, member information, booking information, purchases and, where applicable, any interaction or communication with our services (see section 3.1 a, b, c, e, f). Legal basis for the processing: We process this data because it is necessary for the performance of your membership contract, the management of your accounts and associated benefits. c) To provide you with our services online or on our mobile applications and offer you an optimal experience General information: For example, we use your name and flight information when you check-in on our mobile application. Some of our online services and the application use your location, for example to show you the nearest location. In order to simplify the use of our online services or applications and to offer you an optimal experience, we may analyse your use of the digital media we offer you, in particular using cookies and similar technologies (see section 3.1 g). For example, we aim to understand which digital channel (email, social network) or device (desktop computer, tablet or smartphone) you prefer so that we can tailor our communication to the channel or digital device you use most. If you interrupt your booking session on our website, we can send you an email with a link to your session so that you can continue where you left off. This type of email will only be sent to you if you have requested it or if you have agreed to receive our updates and special offers by email (see section 4.1.e). You can withdraw your consent for these emails at any time by clicking on the unsubscribe link, by changing your communication preferences in your account (if available), or by contacting us (see section 9 "HOW TO EXERCISE YOUR RIGHTS" below). Legal basis for the processing: We process your personal data because it is necessary for the performance of your contract of carriage and the provision of our services and also for the purposes of the legitimate interests described above, in order to be able to serve you in the best way possible through the channel of your choice. Your location data is processed based on your consent. d) To perform statistical studies and improve our products and services General information: We research general trends in the use of our services, loyalty programmes, websites, mobile applications and social networks, as well as on the behavioural trends and preferences of our customers and users. We use the results of our research to develop better services and offers for our customers, improve our loyalty programmes, provide better customer service and improve the design and content of our websites and mobile applications. Categories of personal data: To perform our research, we may use the categories of personal data described in section 3.1. We also use the various surveys we conduct to measure your satisfaction and better understand your expectations. For example, we use your booking data and the additional services you purchase (extra luggage and seat options) to improve our services and provide more relevant offers. If our analyses show, for example, that travellers on certain flights are more likely to select seat options allowing them to have more space, we can use this information to offer more seats of the same type on similar flights. Legal basis for the processing: We process your personal data for the legitimate interests described above. In accordance with the applicable regulations, you have the right to object, for reasons specific to your particular situation, to the processing of your personal data for statistical research purposes (see section 9 "HOW TO EXERCISE YOUR RIGHTS"). e) To send you personalized updates and special offers based on your interests General information: If you are a subscriber, we will send you personalised advertisements and offers by email for products and services related to our company. You can unsubscribe at any time (see conditions below).  Channels: We use different channels such as email, mobile push notifications, postal mail, advertising space on websites and social networks. For example: - Emails relating to your booking and management of your flight: If you book a flight with us, you will receive emails regarding your booking (e.g. your booking confirmation, check-in and boarding information). These messages contain advertisements and offers for products and services related to our company. - Emails with updates on company news and offers related to our products and services: These emails include offers for our products and services as well as similar services offered by our partners. With your consent, we may also send you emails on special occasions, such as a special offer for your birthday or personalised offers for an upcoming trip in the months following your return. - Flying Blue and BlueBiz emails: As a member of our Flying Blue loyalty programme, you will receive emails including, among other things, your account status and all the information necessary for the basic operation of the programme. You can also subscribe to receive the latest programme news and personalised offers from Flying Blue, participating airlines or our other partners. If you are a member of our BlueBiz loyalty programme, you will receive the latest programme news by email as well as our offers or those of our partners. You can read the Flying Blue Privacy Policy for more information on the personal data we collect in connection with your membership in the programme. You can also find an overview of the participating airlines and our Flying Blue and BlueBiz partners on the Flying Blue and BlueBiz websites. - Direct messages through other communication channels: We may use other communication channels to send you direct messages including personalised advertisements and special offers, such as postal mail, mobile push notifications or social channels (e.g. Messenger, WhatsApp or WeChat). - Display of relevant information and personalised advertisements on websites and applications: see our cookie policy. In addition, we may also use your personal data to exclude you from advertisements that are no longer relevant to you. For example, if you log-in to our website through your personal AIR FRANCE account or your Flying Blue account, or if you visit our sites via a link contained in an email, we will associate your browsing and clicking behaviour with your booking details on our data management platform. We mainly use this data to exclude you from further advertising once you have booked a flight. - Customised audience targeting through social network platforms: You may choose to receive personalised advertisements and offers on the social network platforms you use. For example, we use the Facebook Custom Audience programme. This programme allows us, among other things, to display personalised advertisements and offers in your newsfeed on Facebook platforms, including Facebook Messenger and Instagram. We may also use this programme to exclude you from advertising campaigns on Facebook platforms, if, for example, you have already received advertisements or similar offers by email. To enable Facebook to determine whether you already have an account, we share your email address and telephone number in a secure (hashed) and pseudonymised manner. We do not share any other data with Facebook. Conversely, Facebook only provides us with aggregate data on the effectiveness of an advertising campaign. This is data that cannot be directly linked to you. Facebook does not inform us whether you have a Facebook account or not. We make every endeavour to ensure that your personal data remains secure and confidential. To determine our target audience for a specific Facebook campaign, we may use your booking details or data we collect when you use our websites, mobile applications or other digital media. Facebook may also use the data collected about you to identify a similar audience. This allows us to reach a new audience through Facebook. You can visit the dedicated Facebook pages to find out how your data is used for the personalised audience programme and how you can control the information that Facebook uses to personalise the advertisements sent to you. You can also read the Facebook Privacy Policy. We may also participate in similar programmes offered by other social networks, such as Google, Twitter, LinkedIn, Pinterest, Snapchat, WeChat, Kakaotalk and LINE. We invite you to read the respective privacy policies of these social networks to find out more about the processing of your data. If you have an Air France account, after logging in you can go to the page https://wwws.airfrance.fr/profile/communication-preferences and change your "Air France customised offers" preference to disable it. If you do not have an Air France account, you can contact us (please see section 9 "HOW TO EXERCISE YOUR RIGHTS" below). When you contact us, please use the email address for which you wish to withdraw your consent. You may also have consented to receive personalised advertisements and offers on social network platforms by accepting our cookie policy. You can then read our Cookie Management Policy to see how you can withdraw your consent. Customised offers: Our goal is to provide you with offers for our services and products that are tailored to your interests and relevant to your expectations. For this purpose, we may use the categories of personal data described in section 3.1. For example, with your consent, we may send you an email after you return from a trip with offers based on your booking history, to inspire you for your next trip. In the same type of communication, we may also offer other similar services such as car rental, insurance services or hotel reservations offered by our partners. In this case, all communications are sent by AIR FRANCE. No contact details are shared with our partners for this purpose without your consent. Legal basis for the processing: Depending on the nature of your relationship with our airline (customer or prospect) and the communication we send to you, we process your personal data as described in this paragraph based on your consent or for the purposes of our legitimate interests, or those of our partners (in accordance with the applicable rules on commercial prospecting) in order to promote our services and to carry out direct marketing actions in view of your commercial relationship with our airline. You have the right to object to the use of your personal data for direct marketing purposes at any time (see section 9 "HOW TO EXERCISE YOUR RIGHTS" below). Unsubscribe: you can always unsubscribe to stop receiving personalised advertisements and offers. You will find an explanation of how to unsubscribe below : - Emails: You can unsubscribe from our advertisements and offers in our booking and loyalty programme emails, as well as emails you are subscribed to at any time, by clicking on the unsubscribe link. If you have a Flying Blue account, you can also unsubscribe by changing your communication preferences in your profile. If you unsubscribe, you will only receive emails that are necessary to be able to use our services (e.g. your booking confirmation, travel memo and e-ticket) or, if you are a member of our Flying Blue loyalty programme, only emails that are related to the operation of the programme (e.g. messages informing you of the status of your account) - Postal mail: You can object to receiving personalised offers by post by contacting us (see section 9 "HOW TO EXERCISE YOUR RIGHTS" below). - Other communication channels: If you have chosen to receive personalised advertisements and offers via mobile notifications, you can unsubscribe by changing your smartphone settings (for push notifications). Visit your social network provider's website for more information on how to unsubscribe from receiving personalised advertisements and offers through social networks (e.g. Messenger, WhatsApp, and WeChat). - Contact our Data Protection Department: you can always contact us to unsubscribe from receiving messages containing advertisements and offers (see section 9 "HOW TO EXERCISE YOUR RIGHTS" below). f) To communicate with you We use your contact details to communicate with you about our services or loyalty programmes, to answer your questions and to process your complaints. Legal basis for the processing: We process your personal data because it is necessary for the performance of your contract of carriage and the provision of our services. g) To ensure the safety of our flights Any incident likely to affect the safety or security of a flight may be subject to a computer recording and/or the lodging of a complaint and, in the case of serious offences, may result in a ban on transport on Air France flights for the passengers concerned. This computer recording is mainly carried out to ensure the management of significant events related to flight safety and in particular events related to unruly passenger behaviour. In this context, the information of the data subject is only available to authorised Air France personnel and is stored for 5 years. In case of a complaint, the data is used to ensure the follow-up of ongoing legal proceedings and kept for the duration of the proceedings and the measures pronounced. This data is also used, in an anonymised manner, for statistical purposes and systemic analysis in the field of flight safety. In the event of a ban on transport notified by the airline for serious offences, the data subject will (i) be informed (by letter prior to their registration) of the period during which these special security measures will be applied to them and (ii) will be given the opportunity to make their observations within the time limit provided for by the procedure. For this processing, enhanced technical and organisational measures are implemented to protect this data. For more information on accessing and rectifying this data, please see section 9 "HOW TO EXERCISE YOUR RIGHTS" below. Legal basis for the processing: We process this data to comply with our legal or regulatory obligations and also in our legitimate interest to ensure the safety of our flights and other passengers. The processing of the ban on boarding the airline's aircraft has been authorised by the CNIL (deliberation No. 2016-240 of 21 July 2016)."   h) To manage our disputes, prevent cases of fraud or comply with our legal obligations We collect, store and use your data for internal business purposes, such as record keeping, managing our disputes, preventing non-payment and fighting fraud. In the event of fraud, we may include your personal data in our internal control and alert systems. In addition, we process your personal data in accordance with our legal and tax obligations. We may be required by law to collect and share your identification, booking and travel information with public authorities or governmental organisations for border control, immigration, entry, security or anti-terrorism purposes. Legal basis for the processing: We process this data to comply with our legal or regulatory obligations and also in our legitimate interest, in particular to manage disputes, prevent non-payment or fight fraud. i) To check the conditions required to obtain the accreditation number for the "resident rate" on Air France and Air Corsica public service routes If you live in Corsica, you can benefit from discounted rates (known as "resident rates") on Air France and Air Corsica public service routes. You can only benefit from these rates if you obtain an accreditation number. You can get this accreditation number online by proving a principal and effective tax residence in Corsica. The documents downloaded by passengers who applied for a "resident" accreditation number via our websites are temporarily stored for the time "strictly necessary" for verification and the allocation of a possible accreditation number, then they are systematically destroyed. To know more about this process, you can read the dedicated privacy policy. Legal basis for the processing: Air France and Air Corsica, acting as joint data controllers, collect and process your personal data based on your consent and in your interest to offer you the following service: obtaining a personal accreditation number, called “Resident Rate”. Purpose of this processing is to offer you a dedicated booking process to purchase your ticket on the public service routes to and from Corsica, with Air France and Air Corsica.  j) To offer you specific services, applications, events, sweepstakes or special campaigns For specific services, applications, events, sweepstakes or special campaigns, we may use your personal data for purposes other than those described in this privacy policy. We inform you of these purposes when you subscribe to the service, event, sweepstakes or campaign, or when you download the dedicated application.  5.2. Legal basis As mentioned in the purposes described above, we may only process your personal data if we have a legal basis for doing so. In many cases, the legal basis for processing your data is "necessary for the performance of your contract of carriage" and, more generally, for the provision of our services. Some processing of personal data may be based on your consent. You can then withdraw it at any time for the processing concerned (see section 9 "HOW TO EXERCISE YOUR RIGHTS" below). In some cases, we may use your personal data if we (or third parties) have a legitimate interest in doing so. We always carefully assess all interests: yours, those of third parties and those of our airline. As an example, we process your data based on legitimate interest to ensure the safety of our flights or for statistical research or direct marketing purposes, or to offer discounts and personalised offers (see 5.1 d to f, h and i above for more information). We may also have a legal obligation to process your data, for example to complete the formalities of the immigration services (see 5.1.h above for more information). If you refuse to provide the personal data we need to perform the contract or meet a legal requirement, we may be unable to provide some or all of the services you have requested. For example, we may cancel your flight or not be able to provide you with the additional services you have requested. If you provide incomplete or incorrect information, we may deny you boarding or entry into a foreign territory under applicable international laws.

6.1.  General information Air France services are provided all across the world. In order to provide our services and to offer you the same experience across all our destinations, we need to share your personal data with internal and external parties. Within our airline, your data is processed by duly authorised employees: flight attendants, agents of our customer contact centres, sales departments, operating agents, IT departments, etc. We may also transfer your data to third parties such as companies in our Group including KLM, our partner airlines, your travel agents, payment service providers, service providers or subcontractors, etc. for the purposes described in point 6.2. In this respect, we remind you that we require all our subcontractors to implement strict confidentiality and protection measures for personal data processed, in accordance with the regulations and this Policy. 6.2. Sharing your data with third parties We may transfer or share your personal data with third parties for the following purposes: a) To facilitate your bookings and travel arrangements To manage your purchases, bookings or travel arrangements, we may share your personal data with third parties who process this information on our behalf or assist us in providing our services worldwide, such as customer contact centres or airport operators, but also other companies involved in the organisation of your travel such as airport managers, booking system providers (GDS or other technology) or travel agents. You can read the privacy policies of these third parties for more information.  Depending on your booking and the flights you take on your journey, your details may also be shared with other airlines that operate some of these flights. These can be airlines of our Group or external partners, including members of our SkyTeam alliance. This sharing may be necessary for your journey, but it also ensures continuity of service and recognition of your "Frequent Flyer" status throughout your journey, facilitates the management of your booking, particularly in the event of unexpected disruption, and ensures the safety and security of all flight operations within the alliance. To find out more about the companies in our Group and the airlines we work with, you can visit our corporate.airfrance.com website. You can also refer to point b) in section "4. HOW DO WE COLLECT YOUR PERSONAL DATA?". b) To assist our operations and provide our services In order to provide our services, we also use other types of third parties, such as providers of specific IT services, social network providers, marketing agencies or external fraud detection and prevention services. As with all of our subcontractors, these third parties are required to adequately safeguard your personal data and to process it only in accordance with our instructions in application of the regulations and this Policy. Within the Air France-KLM Group, our processing activities are handled by centralised databases and systems which may be hosted or managed by a group company on behalf of other group companies. In addition, for the sake of efficiency, beyond travel-related services, certain operational and commercial functions may be performed by one of the group companies for other group companies. This means that our group companies may have access to your personal data in the context of these processing operations. Our group companies may only process your personal data in the context of these activities and in accordance with this Policy. c) To manage our loyalty programmes and related advantages For more information, you can read chapter "1. ABOUT US " and point c) in section "4. HOW DO WE COLLECT YOUR PERSONAL DATA?". d) To improve our online services and mobile applications For more information, you can read point c) in section "5. FOR WHAT PURPOSES DO WE USE YOUR PERSONAL DATA?". e) To manage our business customers accounts and our business travel policies If you book a flight using your employer's business account, your employer will have access to certain booking details, such as the ticket price, travel dates and your destination. Your employer is responsible for the way in which it processes your personal data. f) To process payments and refunds In order to process payments and refunds for your purchases and bookings, we may transfer certain data to third parties such as banks, financial institutions or payment service providers. In many cases, these payment service providers also carry out anti-fraud checks. These third parties have their own privacy policies that apply to how they use your personal data. g) For personalised marketing through social network platforms For more information, you can read point f) in section "5. FOR WHAT PURPOSES DO WE USE YOUR PERSONAL DATA?". h) To enable our partners to provide you with their services and tailor them to your needs We may share your information with third parties who provide services or products that can be accessed via us (for example, flights on other carriers, hotel accommodation or car rental). We may also share certain non-personalised information (destination, date and duration of the trip) with these partners so that they can tailor and improve the services they provide to you. In this case, these exchanges are made through trusted third parties. Our partners also have their own privacy policies that apply to how they use your personal data. 6.3.  Specific services, applications, events, campaigns or sweepstakes We may offer specific services, applications, events, campaigns, games or sweepstakes to enhance your customer experience in addition to our usual services. For these purposes, we may share your data with third parties other than those described in this Policy (for example, when we organise a campaign or event with a partner or when we add their services to our applications). In this case, in accordance with the applicable regulations, information relating to the processing of these data may be communicated to you by a dedicated privacy statement or by privacy policy when you download the application, register for the service, event, campaign or sweepstake via the dedicated form. 6.4.  Public authorities As with any airline, in accordance with applicable French and international laws and regulations, we may be legally required to collect and share your identification data (e.g. passport information) and booking and travel information with the public authorities of France (customs, immigration, police, etc.) or of the countries from or to which you are travelling for the purposes of border control, immigration formalities, entry into the country or the fight against terrorism or any other serious crime.  Pursuant to Law No. 78-18 of 6 January 1978 “Loi informatique et Libertés” as amended and Article L. 232-7 of the French Internal Security Code, we inform you that, for flights operated by Air France departing from France to a non-European Union country or departing from a non-European Union country to France, the data listed below may be transferred to the Passenger Information Unit (PIU) according to the processing methods and for the purposes set out in Decree No. 2014-1095 of 26/09/2014:

The Passenger Information Unit (PIU) is a service of the French administration in charge of collecting air passenger data transmitted by air carriers and travel agencies and tour operators chartering all or part of an aircraft. For more information, you can read the following link: https://pnr.gouv.fr/eng/Air-carriers/About-the-API-PNR-France-system   For a list of other EU Member States collecting this information in the context of the application of European Directive No. 2016/681 of 27 April 2016 on the use of PNR data, you can read the following link : https://ec.europa.eu/home-affairs/news/list-member-states-applying-pnr-directive-intra-eu-flights_en We may also be legally required to share some of your data with public authorities in countries on your route for public health purposes (see section 3.1.d above). In some cases, we may also be required to disclose certain data to public entities and authorities, law enforcement officials, courts or other authorised third parties if (i) this information is required by the applicable laws, regulations or legal procedures (such as a summons or court order), if (ii) it is necessary to protect or defend our rights against legal claims and those of third parties, or (iii) for reasons of public health and safety. 6.5.  Third party websites Our websites and mobile applications include links to third party websites. If you click on these links, you will leave our websites and mobile applications. This privacy policy does not apply to the websites of these third parties. To find out more about how these third parties process your personal data, you can read their respective privacy policies and/or cookie management policies.

We do not keep your personal data for any longer than is necessary. The duration of storage depends on the purposes for which data are processed, as described in section 5 of this Policy. These retention periods are set based on the purposes of the processing and also take into account the applicable legal provisions imposing a precise retention period for certain categories of data, any applicable limitation periods and the recommendations of the CNIL, the French data protection authority, regarding certain categories of processing.

For the purposes set out in section 5 of this Policy, we may transfer your personal data (surname, first name, passport number, travel details, etc.) to recipients who may be located in countries other than your country of residence and in particular outside the European Union.  These transfers are carried out to offer you our services, manage your booking, organise your trip, more generally for the proper performance of your contract of carriage or because the companies in our group, our partners or our service providers operate from different countries. You can find our destinations on our website under the section Air France destinations and network. The laws of the countries to which we transfer your personal data may not offer the same level of protection. If these transfers are necessary to offer you our services and in particular to transport you to these countries, we undertake to guarantee the same level of protection of your personal data, in accordance with the requirements of the GDPR, in particular by signing, on a case-by-case basis, standard contractual clauses defined by the European Commission, or any other mechanism described in the Regulation.  In addition, we may be required, if the applicable laws so require, to transfer your personal data, in particular your identification or travel data, to public or governmental authorities of countries included in your itinerary and located outside the European Union. Please refer to point 6.4 of section "6. WHO CAN ACCESS TO YOUR PERSONAL DATA?".

9.1. Your rights In accordance with the applicable regulations, in particular the provisions of the GDPR and the French Data Protection Act of 6 January 1978 “Loi informatique et Libertés” as amended, you can contact us (see section 9.4 below) to exercise your rights to (a) access, (b) rectification, (c) erasure, (d) restriction of processing, (e) data portability and (f) object.  In addition, under French law, you also have the right to define guidelines on how we should process your personal data after your death.  a) Right to access You have the right to request confirmation that we process your personal data and, in this case, to receive a copy of it. When we respond to a request to exercise the right to access, we also provide you with additional information such as the purposes of the processing, the categories of personal data and any other information relating to this processing. b) Right to rectification You have the right to request the rectification of your personal data if you find that it is inaccurate. You can also request to complete your personal data, taking into account the purposes of the processing concerned. This may lead to the provision of additional data. c) Right to erasure You have the right to request the erasure of your personal data. This right can only be exercised in certain cases where one of the grounds set out in Article 17 of the GDPR applies. This may include, for example, personal data that is no longer necessary for the purposes for which we collected it or that has been unlawfully processed. If you exercise this right and if one of the grounds is applicable to your request, we will erase your personal data as soon as possible.  d) Right to data portability You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format, if its processing is automated and based on the collection of your consent or on the performance of a contract to which you have subscribed. This right does not apply to other legal bases for processing. Where appropriate and technically feasible, you may also request the transfer of such data directly to another data controller. e) Right to restriction of processing You have the right to obtain the restriction of processing of your personal data. From a practical perspective, this means that we mark the data stored to temporarily suspend its processing. This right can be exercised for the grounds provided for in Article 18 of the GDPR, in particular when you dispute the accuracy of your personal data. This right does not give rise to data erasure. We have to inform you before the restriction of processing is lifted. f) Right to object You have the right to object to the processing of your personal data. This means that you can ask us to stop processing your personal data. This right only applies when processing are based on our legitimate interests (including the resulting profiling) (see 5.2 "Legal basis" above). For example, you can object at any time and free of charge to the processing of your personal data for direct marketing purposes, including for profiling purposes insofar as it is related to this direct marketing. If you exercise this right, we will no longer process your personal data for these purposes. You can also, when you are in contact with our customer service, object to the recording of your telephone call for the purposes of improving the quality of service, preventing disputes and malicious calls by notifying the advisor directly. 9.2.  Withdrawing your consent Where required by law for certain processing purposes (e.g. electronic marketing), your data is only processed after obtaining your explicit consent.  You can withdraw your consent at any time by following the specific instructions relating to the processing operations concerned. You can withdraw your consent by clicking on the unsubscribe link contained in our emails (e.g. AIR FRANCE newsletter), by changing your communication preferences on your account if the option is available (e.g. by log-in into your Flying Blue account) or by changing your smartphone settings for mobile push notifications and location data. For more information on how you can withdraw your consent to the cookies and other similar technologies that we use when you visit our websites or use our mobile applications, please see our Cookie management policy.  9.3.  Refusal of certain requests The rights described above are not applicable in all situations. Indeed, in accordance with the applicable regulations, we may be entitled to refuse certain requests. For each request, we carefully assess whether such an exemption applies and inform you accordingly. We may, for example, refuse your request to access if this is necessary to protect the rights and freedoms of other individuals or refuse to erase your personal data if the processing of such data is necessary to comply with legal requirements. The right to data portability does not apply, for example, if you did not provide the personal data or if we process the data based on other legal grounds than your consent or the performance of a contract.  9.4.  Contact for the exercise of rights   When you wish to exercise your rights, simply send a request to the AIR FRANCE Data Protection Department:  AIR FRANCE Délégué à la Protection des Données/Data Protection Officer - ST.AJ IL 45, rue de Paris 95747 Roissy CDG Cedex France Email address: mail.data.protection@airfrance.fr In order to process your request in the best possible way, we kindly ask you to include the necessary identification details with your request (surname, first name, email, copy of an official identity document such as an identity card or passport, Flying Blue ID, etc.) as well as any other information necessary to confirm your identity.  Requests are processed as quickly as possible and in accordance with the applicable law. However, any request that is not related to the protection of personal data cannot be processed. You can also contact us if you have any questions, comments or complaints regarding this Policy.  If you wish to exercise your rights regarding the processing of your personal data in connection with our Flying Blue and BlueBiz loyalty programmes, you can also contact the KLM Data Protection Department: KLM Royal Dutch Airlines Privacy Office - AMSPI BP 7700 1117 ZL Schiphol Airport Pays-Bas Email address: KLMPrivacyOffice@klm.com When necessary, AIR FRANCE and KLM will work together to guarantee the exercise of your rights or provide you with answers to all of your questions or complaints. 9.5.  Questions, comments or complaints Please do not hesitate to contact us if you have any questions or comments regarding this privacy policy.  You can also file a complaint with the French Data Protection Agency (Commission Nationale de l'Informatique et des Libertés (CNIL) in France or any other competent data protection authority.

10.1. Our commitments  Ensuring the security and confidentiality of the personal data you share with us is our priority. We therefore implement all the appropriate technical and organisational measures – in accordance with the applicable legal provisions (in particular Article 32 of the GDPR) – with regard to the nature of the personal data that you communicate to us and the risks presented by its processing, in order to preserve its security and, in particular, to prevent any accidental or unlawful destruction, loss, alteration, disclosure, intrusion or unauthorised access to this data. 10.2. The security measures we take Bank transactions We are required to comply with the Data Security Standard for the Payment Card Industry ("PCI DSS") enacted by the PCI Security Standards Council ("PCI SSC"). This standard was created to increase the control of cardholder information in order to reduce the fraudulent use of payment instruments. Any AIR FRANCE service provider that may be required to process credit card data complies with the PCI DSS standard. We make every effort to fight identity theft on the Internet. This is why we use, for example, a system to detect fraudulent payments made by credit card. This system is designed to protect you in the event of loss or theft of your credit card. Protection of your personal data We take the security of the personal data you share with us very seriously and therefore implement various organisational measures to increase the awareness and accountability of our employees. Dedicated programmes within our company ensure this awareness and the sharing of best practices and security standards. In this context, a rich corpus of documentation on information security and privacy issues is made available to them. In addition, we implement appropriate technical measures based on the nature of the personal data you provide and the risks involved in processing it. We therefore strictly control physical and logical access to the internal servers hosting or processing your personal data. We protect our network with state of the art hardware devices (Firewall, IDS, DLP etc.) and architectures (including secure TLS 1.2 protocols) to prevent and limit the risk of cyber-malware.  The evolution of our security systems We have internal processes based on the best standards in place, including the ISO 27000 standards, to maintain a level of security in lines with best practices. We rely on dedicated experts to ensure the highest possible level of protection. In particular, we maintain a privileged relationship with ANSSI (French National Cybersecurity Agency), which allows us to be supported by the French reference in cybersecurity. 10.3. How can you protect yourself? The security and confidentiality of personal data are based on individual best practices.  When you make a booking, you will be given the references of your file. These booking references must remain confidential at all times. Disclosing them to other passengers may enable them to access your booking information through our systems or those of third parties involved in the organisation of your journey (e.g. travel agents or online search and booking sites). If you are travelling with other people on the same booking and do not want your personal information to be shared with them, we recommend that you make separate bookings. We also invite you not to disclose the passwords you use to access our services to third parties, to systematically disconnect from your profile and your social account (particularly in the case of linked accounts) and to close your browser window at the end of your session, particularly if you access the Internet from a computer shared with other people. This will prevent other users from accessing your personal data. To avoid linked hacking, we recommend that you use different passwords for all the online services you use. We cannot be held responsible in the event of theft of your log in details on a platform that is not managed by our services. Furthermore, we strongly recommend that you do not communicate to third parties or publish on social networks any documents issued by Air France containing your personal data (your boarding pass, your ticket number, etc.) or any other information related to your trip. In this case, you understand that you are responsible for reading and understanding the terms and conditions of use, information security practices and the privacy policy applicable to these social networks managed by third parties and that we cannot be held responsible for the way in which this data is processed, stored or disclosed on these platforms. To find out more about the best practices to apply in terms of IT security, please read the IT security portal. The general conditions relating to certain services accessible from the Air France websites, its mobile site or its mobile applications, may include more precise terms regarding the security of your personal data. 10.4. Management of security incidents  Zero risk does not exist and, even if we implement all the measures recognised as standard in terms of security, unexpected events may occur. We have specific procedures and resources to manage security incidents in the best possible conditions. We have also set up a specific procedure to assess the possible breach of your personal data, notify the competent authority within the time limit provided for by the regulations and inform you when this breach is likely to generate a significant risk for you and affect your privacy. Exercises are carried out periodically to check the functioning of the security installations and the adequacy of the procedures and systems deployed.

If you have any further questions about this policy or the way we process your data, please contact our data protection department at mail.data.protection@airfrance.fr.

This version is applicable as from May 15th,  2021. It replaces the version of March 1st, 2021. We reserve the right to change this Policy from time to time. All changes are published on our website. We invite you to read it regularly, especially when you book new flights with our company.