Air France privacy policy
Our commitment to privacy protection
Air France is committed to offering its customers a unique travel experience all while respecting their right to privacy. Our privacy policy is designed to give you a better understanding of how we use your personal data, what safeguards we have in place, and how you can exercise your rights. • We always process your data in accordance with EU data protection rules and other applicable privacy legislation in order to protect it from unauthorized access and ensure the security of data transfers. • We are transparent about how we use the data we collect. • We clearly explain the benefits of sharing your data and we tailor our communication to your needs and preferences. • We do it in easy-to-understand language all along your journey with Air France and its partner airlines. • We put you in control of your data and use your feedback to continuously improve. • We guarantee the security of your data. In the unlikely event that your data has been breached, we will stop the leak as soon as possible and inform your immediately. • If we need to share your data outside of our organization to help us improve our services and better understand your needs, we will indicate it explicitly in our privacy policy. We will not sell or lend any of your personal data to any external organization without your consent. • We can be trusted with your data and we take measures to protect your personal information and ensure its security.
Protection of your personal data
To provide you with our services and in particular the services accessible on its website or its mobile applications, AIR FRANCE, as data controller, collects and processes personal data about you. This privacy policy ("Policy") applies to all data that we process, including when you make a booking, purchase a ticket, travel with us, purchase or use any of our services, visit our website, use our mobile applications or interact with us through the various channels available to you. It is important that you read this Policy, as well as any other privacy policies that may apply to you – such as our Flying Blue Privacy Policy if you are a member of our loyalty programme – so that you are fully informed of how we process your personal data, how we protect it and how you can exercise your rights. This Policy is not a contract and does not create any contractual obligation.
Privacy is one of our major concerns and is at the heart of the experience we wish to offer through the use of our services. We are committed to guaranteeing a high level of protection for the personal data of our customers, prospects, users of our website or mobile applications and, more generally, of any data subject concerned by our processing operations. We undertake to comply with the regulations applicable to all processing of personal data that we implement, in particular the provisions of the French Data Protection Act of 6 January 1978 (“Loi informatique et libertés”) as amended and the General Data Protection Regulation (EU Regulation 2016/679) or "GDPR". In particular, we are committed to the following principles:
Your personal data is processed lawfully, fairly and transparently (lawfulness, fairness, transparency). Your personal data is collected for specific, explicit and legitimate purposes, and is not furthered processed in a manner incompatible with these purposes (purpose limitation). Your personal data is collected in an adequate and relevant manner and is limited to the purposes for which it is processed (data minimisation). Your personal data is accurate, kept up to date and every reasonable step is taken to ensure that inaccurate data, having regard to the purposes for which it is processed, is deleted or updated (accuracy).
We are committed to implementing the appropriate internal procedures in order to raise the awareness of all our employees and to ensure compliance with these rules within our organisation. Furthermore, we undertake to implement the appropriate technical and organisational measures to ensure an adequate level of security and to protect your personal data, as from the beginning of our projects and design of our processing operations. Finally, we impose the same level of personal data protection in our contracts with our subcontractors. In order to ensure that these rules are properly applied, we have appointed a Data Protection Officer (DPO) who is the main contact for the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority.
As an airline, we are legally required to ensure that every passenger possesses the necessary entry, exit, and transit documents, along with any health and other documents mandated by the regulations in the countries of departure, destination, and transit.
In line with this obligation, our agents systematically check the presence and apparent validity of passengers' travel documents. In cases where there is doubt regarding the authenticity of the presented documents, or at certain high-risk stopovers, they may also capture a photograph of the documents for further verification and/or as evidence of the inspection conducted.
Legal basis for processing: This process is grounded in our legal obligation, as well as our legitimate interest in collecting evidence of the conducted inspection to defend ourselves in the event of potential sanctions or legal disputes.
Retention period: Photographs are retained for one month. If we receive notification of a passenger's non-admission, these photographs are used to support our submissions to the Ministry of the Interior and are kept with restricted access for the duration of the ministry's investigation, extended if necessary by the length of any judicial proceedings.
Data recipients: Air France agents and/or the ground handling service provider at the relevant stopover, the subcontractor responsible for verifying document authenticity when in doubt, internal Air France departments involved in managing inadmissible passenger cases, and the relevant departments of the French Ministry of the Interior.
k) To deliver accreditations number for the "Corsican resident rate" on Air France and Air Corsica public service routes
Legal basis for the processing: This processing is based on your consent and, with regard to retaining data as evidence, on the legitimate interest of Air France and Air Corsica in demonstrating compliance with the terms of the public service mandate.
Retention period: Data related to individuals holding an accreditation number are retained for the duration of the accreditation's validity (one year) and then archived for five years. Supporting documents provided for the application are deleted within 24 hours after the verification process is completed. l) To offer you specific services, applications, events, sweepstakes or special campaigns For specific services, applications, events, sweepstakes or special campaigns, we may use your personal data for purposes other than those described in this privacy policy. We inform you of these purposes when you subscribe to the service, event, sweepstakes or campaign, or when you download the dedicated application. 5.2. Legal basis As mentioned in the purposes described above, we may only process your personal data if we have a legal basis for doing so. In many cases, the legal basis for processing your data is "necessary for the performance of your contract of carriage" and, more generally, for the provision of our services. Some processing of personal data may be based on your consent. You can then withdraw it at any time for the processing concerned (see section 9 "HOW TO EXERCISE YOUR RIGHTS" below). In some cases, we may use your personal data if we (or third parties) have a legitimate interest in doing so. We always carefully assess all interests: yours, those of third parties and those of our airline. As an example, we process your data based on legitimate interest to ensure the safety of our flights or for statistical research or direct marketing purposes, or to offer discounts and personalised offers (see 5.1 d to f, h and i above for more information). We may also have a legal obligation to process your data, for example to complete the formalities of the immigration services (see 5.1.h above for more information). If you refuse to provide the personal data we need to perform the contract or meet a legal requirement, we may be unable to provide some or all of the services you have requested. For example, we may cancel your flight or not be able to provide you with the additional services you have requested. If you provide incomplete or incorrect information, we may deny you boarding or entry into a foreign territory under applicable international laws.
- API (Advanced Passenger information): identification and travel-related data collected at check-in,
- PNR (Passenger Name Record): booking data automatically transferred to the PIU.
We do not keep your personal data for any longer than is necessary. The duration of storage depends on the purposes for which data are processed, as described in section 5 of this Policy. These retention periods are set based on the purposes of the processing and also take into account the applicable legal provisions imposing a precise retention period for certain categories of data, any applicable limitation periods and the recommendations of the CNIL, the French data protection authority, regarding certain categories of processing.
This version is applicable as from July 15th, 2025. We reserve the right to change this Policy from time to time. All changes are published on our website. We invite you to read it regularly, especially when you book new flights with our company.