Effective: 23 November, 2018
“Personal data” refers to all information that can be directly or indirectly linked to a natural person. In section 3 you can see what kind of personal data that we process.
SAS protects your personal privacy. The personal data you give us access to, as well as data that we collect, for example about how you use SAS websites, will be processed with the utmost respect. Our goal is to be as transparent and clear as possible but if you still have questions about how we process your personal data, please contact our Data Protection Officer.
SAS is the legal entity that is responsible for personal data in accordance with prevailing laws on data protection, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General data Protection Regulation, “GDPR”).
SAS has appointed a Data Protection Officer to help SAS ensure that your personal data is processed in the correct manner. You are welcome to contact our Data Protection Officer with questions or requests concerning our processing of your personal information by sending an email to data protection email@example.com.
SAS collects personal data about you that you provide to us when you use our websites or our services, for example when you book a trip, when you contact our customer service or use our mobile app.
In connection with your trip, SAS will process your personal data in accordance with a common industry standard for reservation and travel data in the airline and travel industry, referred to as Passenger Name Record (“PNR”) in electronic reservation systems. PNR data contains the passengers' name, address, contact information and relevant information regarding any such additional services requested, as well as travel data for a passenger or group of passengers who are traveling together. The purpose of a common industry standard is to create standardized processes for exchanging reservation and travel data between different airlines for passengers who are flying with more than one airline to reach their destination and to facilitate airport services for passengers, such as check-in and luggage handling.
With your consent, we may also collect personal data about you from external sources, for example SAS partners (these can be companies that provide such services that you may consider purchasing in association with your trip, such as hotel chains and car rental companies), SAS EuroBonus partners or data from client registers that we have purchased from third parties. Data may also be obtained from social networks such as Facebook or Google that you have connected to some of our services.
Depending on how and to what extent you use SAS websites and SAS services, SAS may process different categories of information about you. We will only process information about you to fulfill an agreement with you, to meet a legal requirement, if SAS has a legitimate interest or if we have been given your consent to do so. See below for more information about which data we collect and why.
SAS collects your personal data for different purposes. The personal data that we collect and how we use it depends on which services you use and which (if any) membership and/or logins you have. SAS will use your personal data for the following purposes:
To be able to fulfill our agreement with you (for example so that you can carry out your travel), we must process certain data about you. The information we process depends on which type of agreement we have concluded but in general we will process the following information:
We may also process personal data based on a so-called balancing of interests. In such cases, processing occurs only when SAS or a third party has a legitimate interest that is greater than your interests or fundamental rights and freedoms for the protection of your personal data.
We process the following personal data based on a balancing of interests:
We will also process your personal data to prevent, examine or report cases of fraud or security issues and to cooperate with law enforcement bodies. It is usually in both parties’ interest that your data is processed.
SAS may also be statutorily liable to process and save certain personal data about you and will do so to the extent required by law. For example, the legal requirements with which SAS must comply may concern reporting, customs and immigration issues and law enforcement.
SAS will also process your personal data when we have been given your consent for processing. You have the right to revoke your consent at any point in time, please refer to point 13.1 below.
We will only process the following data if we have been given your express, specific, informed and unambiguous consent:
For those who have provided consent to additional processing of your personal data, the data will also be used to create a profile about you. Profiling means that your personal data is used to assess certain personal aspects about you, for example to analyze or predict your ability to pay, your personal preferences, interests, reliability, behavior, permanent residence or relocation. SAS does this to provide you with more personal assistance and offers that are of interest just to you, both through a personal, customized experience of our websites and through marketing distributions.
Some of the profiling that is conducted is based on so-called predictive models or “scoring.” For example, this may mean that we follow up on the outcome of earlier offers on the basis of a number of different variables (for example, who has opened it and who then went on to make a purchase), in order to then be able to target the right type of offer to the right category of recipient.
SAS will only share your personal data with companies within the SAS Group except in the exemption situations described below.
Because of mandatory requirements from foreign authorities and to make possible the execution of the travel plans you have chosen, SAS and other airlines may be under an obligation to provide foreign authorities access to certain PNR data and Advanced Passenger Information (“API”), with respect to passengers who are flying to, from or over countries both within and outside the European Union (“EU”) and the European Economic Area (“EEA”), including the USA. Such data is used primarily to prevent and combat terrorism and other serious crime. In addition, PNR and API are governed through Directive 2016/681/EU. For further information, including information about which countries that request access to this reservation data, please email our Data Protection Officer.
If it is necessary in order for us to be able to carry out your flight in accordance with the terms and conditions for travel, your personal data will also be shared with:
If you have expressly and specifically consented to this or if you are a EuroBonus member, your personal data will be shared with SAS partners (for example, companies that provide such services that you may consider purchasing in association with your trip, such as hotel chains and car rental companies), SAS EuroBonus partners, credit reporting companies, social media providers and search engines.
Personal data will be transferred between companies in the SAS Group, including for the implementation of our international flights, to administer and maintain your account and membership and for statistical purposes.
Personal data that is shared within the SAS Group in this way will sometimes be transferred to countries that are not members of the EU or the EEA and that do not ensure a satisfactory level of security for personal data. Such transfers will be carried out in accordance with the prevailing law on data protection.
When personal data is transferred to a non-EU/EEA country without satisfactory levels of protection for personal data, we will apply appropriate measures, usually by including a standard contractual clause that has been adopted by the European Commission. These standard contractual clauses can be found at the following link: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.
If there is a lack of both a decision on adequate levels of protection by the European Commission and established appropriate security measures in the form of standard contractual clauses in accordance with the above, we will transfer your personal data to companies within the SAS Group, based on the fact that it is necessary in order to fulfill the agreement we have with you. If you are an EuroBonus member, this will be EuroBonus terms and conditions and if you are the account holder, this will be profile account terms and conditions.
We have taken extensive technical and organizational measures to protect your data from loss, abuse and unauthorized access. Processing and transfer of data between your web browser and our server is properly protected by encryption and we are continuously updating our security measures.
When you pay for any of our services using a card, all information is sent via a secure connection to ensure that your personal data cannot be read by third parties. The actors with whom we collaborate in terms of card payments are all certified in accordance with the international security standard PCI-DSS, which means a very high level of security for the processing of your card details.
We use subcontractors to be able to provide our services to you. Our subcontractors process your personal data only on behalf of SAS and in accordance with instructions issued by SAS. All subcontractors that process personal data on behalf of SAS have concluded personal data processing agreement with SAS in accordance with applicable law. SAS hires subcontractors in several different areas, for example for IT services like storage and operation.
We will save your personal data as long as it is necessary with regard to the purpose of the processing.
If you are an EuroBonus member or if you have created a profile account on our website, information about you will be saved as long as you are a member of EuroBonus or have an active account with SAS.
If you book a trip with SAS, we will save your data for ten years after the trip is completed in order to meet legal and regulatory requirements and process any grievances and complaints. If you visit SAS websites without booking a trip, see section 10 for storage times with respect to cookies.
Cookies are used to get web pages to work more effectively but also to provide certain information to the owner of a home page. Cookies make it possible to differentiate different users from each other, which in turn can give respective users a more tailored and positive experience of the website.
Some of the cookies used on SAS websites are so-called third party cookies, which are set by some of the partners of SAS. If you have consented to it, these third party cookies use information about your use of SAS websites, as well as other websites, for example which pages you visit or which advertisements you are interested in, in order to be able to provide advertisements later that are more customized for you, both on SAS websites and on other websites, so-called interest-based advertising.
You have many rights concerning how we process your personal data. For example, you have the right to revoke your consent to a certain processing at any point in time, see next section. If you are an EuroBonus member or a profile account holder, by logging into your account you can easily revoke your consent for certain processing. The same applies to other rights in accordance with the information below.
If you do not have any accounts with us or you need help, please contact our Data Protection Officer.
If we process information about you based on your consent, you have the right to revoke your consent at any point in time by contacting our Data Protection Officer. We will then terminate the processing of the personal data that is based on your consent. You can only revoke your consent for future processing and not for processing that has already happened. If you revoke your consent, this may mean that for example, you can no longer receive similar tailored offers and that you cannot fully use some of our services.
You also have the right to decline marketing notifications. Every marketing notification that we send to you will contain a link that you can use if you wish to unsubscribe from further marketing distributions.
Otherwise, at any time you can change your mind regarding the type of marketing notification that you wish to receive from SAS by contacting us.
If you are an EuroBonus member you can log in to your EuroBonus profile to change your marketing preferences. If you have registered on the SAS home page, you can change your preferences regarding marketing distribution by logging in to your profile account on our home page.
Note that although you have informed us of your wish to no longer receive marketing notifications, SAS will still send you such information that is necessary for SAS to be able to meet its commitments to you, for example booking confirmations and other information in connection with your booking with us. If you are an EuroBonus member, you will still receive such information that is necessary for us to be able to administer your membership.
If your personal data that SAS processes are incorrect, incomplete or irrelevant, you can either log in to your account and correct the data or request that the data are corrected or deleted by emailing firstname.lastname@example.org . Please note that deletion may mean that SAS cannot perform booked services and that your account may be terminated.
You have the right to restrict the use of your personal data or request the termination of the use of your personal data. This will probably mean that SAS can no longer provide its services to you.
If you want to get more information about how we process your personal data or if you want to know what kind of personal data about you that we process, you can request to obtain your personal data. You have the right to request a copy of your personal data from our register. If you are an EuroBonus member or have a site profile account, you can request an excerpt when you are logged in.
If you are not an EuroBonus member or have an account, you can email email@example.com In order for us to be able to verify your identity your written request should include your name and address and other such information that will help us identify you, for example:
SAS must always ensure that it is the right person who is receiving the information about how we process their personal data. SAS will only disclose personal data if we can verify your identity in accordance with the above.
It is important for us that you feel safe and we will process your personal data with the utmost respect. If you still consider that SAS is processing your personal data in an incorrect manner, you are welcome to contact us. You also have the possibility of submitting a grievance to the Swedish Data Protection Authority.
You have the right to raise an objection at any point in time to the processing of your personal data that is based on our legitimate interest in accordance with point 5.2 above. If SAS cannot demonstrate compelling legitimate grounds for the processing of your data that outweighs your interests, rights and freedoms or that the processing is done for the establishment, exercise or defence of legal claims, then SAS will no longer process your personal data.
You have the right to request to receive your personal data that we process in a machine-readable format, which you have the right to transfer to another Data Protection Officer.
Your right to erasure means that you can request that we delete the personal data we have about you without undue delay, if it is no longer necessary for the purpose for which it was collected, if you revoke your consent and there is no other legal ground for the processing, if you object to the processing, or the erasure is necessary due to compliance with a legal obligations. However, this does not apply if the processing is necessary in order to exercise the right to freedom of expression and information, fulfill a legal obligation or a task of public interest or in order to determine, make applicable, establish, exercise or defend legal claims.