Privacy Policy Profile Account holders

This information notice summarizes the Privacy Policy for SAS Profile account holders.

Privacy policy profile account holders: Summary

Effective: 25 Jan, 2022

We are committed to ensuring your right to privacy and will only process your personal data as set out in this Privacy Policy for Profile Account holders. The Privacy Policy for Profile Account holders is an integral part of the Profile Account Terms and Conditions.

We will below explain how we collect, use, transfer, store or otherwise process any personal data relating to you as a Profile Account holder. Our aim is to be as clear, transparent and candid as possible. Should you still have questions about how we process your personal data, please contact our Data Protection Officer at dataprotectionofficer@sas.se.

Personal data means any information relating to you as a natural person and through which you can be identified, directly or indirectly, such as your name or photo.

We recognize that special categories of data, such as data revealing ethnic origin, religious beliefs or health information, are particularly sensitive. We will only collect and use such sensitive data in accordance with this Privacy Policy for Profile Account holders and where strictly necessary. For instance, it is important for us to know if you are late stage pregnant or require a wheelchair to board a flight.

Processing of personal data means any operation or set of operations performed on personal data, whether or not by automated means. All actions carried out on personal data, from collection and storage to alteration, use or disclosure thus constitute ‘processing’.

Performing the profile account terms and conditions

Your choice to create a Profile Account necessitates SAS to register and process your personal data and your activities while logged in and using our website. We will thus process your personal data on the legal basis that the processing is necessary in order to fulfill our requirements under the Profile Account Terms and Conditions.

Legitimate interests

We will process personal data based on our legitimate interests to remain competitive within our market segment and therefore to be able to, among other things, analyze the personal data of our Profile Account holders related to booking flights, popular destinations, choice of ancillary products, use of the homepage and application, and following up the outcome of e.g. email communications.

We will also process personal data based on our legitimate interests to prevent, investigate or report cases of fraud or safety issues and to cooperate with law enforcement agencies.

We have weighed our legitimate interest against the level of privacy intrusion that our processing of your personal data could lead to. We process your personal data on a general and aggregated level, in a transparent manner, for the purpose of improving our products and services offered to you and with a very high level of security and safeguards in place. We thus assess that the level of privacy intrusion is limited and that our interests of carrying out this processing of personal data is justified and legitimate.

Legal obligations

We will process your personal data when we are under a legal obligation to do so, for instance when we are obliged to provide information to government authorities or we are subject to a court order.

SAS registers and processes the following personal data about you and your activities, collectively the “personal data”:

  • Personal data submitted when you create, maintain or update the Profile Account.

  • Details collected regarding your travels and use of your Profile Account, such as origin and destination for the trip, carrier, type of tickets, luggage, pre-ordered meals, duration of stay, any complaints made, time of purchase, and amounts paid.

  • Information on customer care and travel irregularities such as delayed or canceled flights, lost luggage, and complaints, refunds, and compensation paid.

  • Process, on an aggregated level, all reservations and total revenue in order to optimize e.g. the flight network and pricing.

If you accept our cookies, we will process personal data on your online behavior as registered by cookies and analytics programs on our SAS website or application. For example, what terms you search for, length of the visits, which destinations are of interest to you and which links/headlines you choose to click on. Please see our Cookie Policy for more information on our use of cookies.

The personal data that we process is primarily collected directly from you, e.g. when you enter your contact details to register a Profile Account. In addition, we collect and derive personal data from our flight schedules, airport departments and systems as necessary to fulfill our requirements under the Profile Account Terms and Conditions.

The personal data is registered and processed for the following purposes:

  • Administer the Profile Account and bookings etc. made through the account.

  • Manage and carry out your bookings and travels.

  • Provide you with relevant information, such as booking information with flight dates, pre-ordered meals, seat selection, luggage purchased, in anticipation of an upcoming trip, as a message on the Profile Account or if you have requested to receive information through a different channel of communication, through that channel.

  • Register and analyze information on customer care and travel irregularities in order to e.g. follow-up on and improve our customer care services on a general and aggregated (i.e. not individual) level.

  • Carry out statistical analyzes on needs, preferences and purchasing behavior on a general and aggregated (i.e. not individual) level.

  • Perform basic analyzes on the use, frequency, preferred features and length of visits on our SAS website and application, to maintain, optimize and continuously improve the functionality and features of our digital platforms and the Profile Account.
    Update your contact information and cancel/block accounts of deceased customers.

We process the personal data regarding you as long as you are registered with an account. Your personal data is retained until the Profile Account is terminated.

Personal data is shared between affiliates within the SAS group to operate our international flights, to manage the Profile Account, for statistical analyzes, among other things.

Personal data that is shared within the SAS group will sometimes be transferred to countries that do not belong to the European Union (“EU”) or the European Economic Area (“EEA”) and which do not ensure an adequate level of protection for personal data. Such transfers will be carried out in compliance with applicable data protection laws.

When transferring personal data to a non-EU/EEA country without an adequate level of protection for personal data we will apply appropriate safeguards normally by entering into standard contractual clauses adopted by the European Commission. The standard contractual clauses can be found via the following link

Where there is no adequacy decision by the European Commission and also no established appropriate safeguards in the form of standard contractual clauses as outlined above, we will transfer your personal data to affiliates within the SAS group and to our business partners on the legal basis of the Profile Account Terms and Conditions, including the present Privacy Policy for Profile Account holders. More specifically, we will transfer your personal data on the basis that the transfer is necessary for us to perform the Profile Account Terms and Conditions.

Scandinavian Airlines System Denmark- Norway-Sweden, a consortium established under the laws of Denmark, Norway and Sweden, and having its principle office at Frösundaviks allé 1, SE-195 87 Stockholm, Sweden, is the controller which will determine the purposes and means of the processing of your personal data.

SAS is the legal entity responsible for personal data in accordance with applicable legislation on data protection, including the General Data Protection Regulation (EU Regulation no. 2016/679).

SAS has designated a Data Protection Officer who supports SAS in ensuring that the members’ personal data is processed correctly. You may contact the Data Protection Officer with questions or requests relating to the processing of your personal data, at the following address: dataprotectionofficer@sas.se.

If you have questions about your Profile Account, please refer to our contact details at flysas.com.

We want to be as transparent and clear as we can on how we process your personal data, and have therefore taken particular care in illustrating your rights under this Privacy Policy for Profile Account holders. On your profile account, you can now not only view and update your contact details, but also find information on your rights and on our processing of personal data laid out interactively. By navigating and operating the profile account, you can also easily enforce your rights.

For instance, you have the right to access the personal data that we process on you. You can easily obtain an excerpt of the personal data on you that we process and find more information by signing in to your profile account.


In the same way, you can find further information on and enforce also the following rights:

  • Correct, update or delete information that is incorrect or incomplete on your profile account.

  • Object to or restrict our processing of your personal data.

  • To be forgotten. The right to be forgotten means that you may request that we delete all the personal data we have collected on you.

  • Receive a copy of the personal data related to you and information regarding our processing of your personal data in a commonly used data format and to transmit – or have transmitted, where technically feasible – the data to another controller.

  • Request that personal data not be used for direct marketing purposes.

  • Lodge a complaint to the data protection authority within your jurisdiction, which in Sweden is the Data Protection Board (Sw. Datainspektionen).

You can also find more information about all the different safeguards and technical measures we have put in place to protect your data and your right to privacy and freedom and to ensure that we are fully compliant with applicable data protection legislation.
If you require assistance or have any questions regarding your rights, please contact our Data Protection Officer at dataprotectionofficer@sas.se.

Please note that restricting the processing of your personal data or enforcing your right to be forgotten will mean that we will no longer be able to provide you with our services relating to the Profile Account. The processing of personal data as set out in this Privacy Policy for Profile Account holders is necessary in order for us to perform the Profile Account Terms and Conditions.

You are at any time welcome to become a EuroBonus member by clicking on the following link: https://www.sas.se/en/eurobonus//. In our EuroBonus program, we offer a range of easy, joyful and personalised services and offers to make life easier for our members.

In certain situations, we will need your consent in order to process your personal data.

For instance, some of the features and services associated with the EuroBonus membership may be offered also to our Profile Account holders based on your consent. As these services involve processing of personal data beyond what is stated in this Privacy Policy for Profile Account holders, we will only perform such additional features and corresponding processing of personal data subject to your informed and specific consent.

Hence, we may ask you for your consent e.g. to process personal data to better understand your needs and preferences, i.e. for profiling purposes, to use information stored in cookies, or to pre-complete booking forms with your contact details, accompanying persons, passport and payment data etc. to facilitate a faster and simpler use of our services.

We may also ask for your consent to use post, mobile phone, SMS, MMS, email, social media and other digital channels to send promotional communications to you concerning our, or our business partners’, products and services.

Provided that you give your consent to the use of cookies on our website or application, we may also ask for your consent to process your personal data in order to analyze your online behavior in order to identify e.g. destinations that you may be interested in. Read more about our use of cookies in our cookie policy.

Processing of personal data in China

This section is applicable to customers located in the People's Republic of China (hereafter China) and describes how we collect, use, store, share and disclose your personal data in China and supplements other generally applicable sections of this Privacy Policy. If any inconsistency or deviation occurs, the provisions provided in this China section take precedence over provisions set out in other generally applicable sections of this Privacy Policy.

It applies to personal data we collect from or about you when you use SAS services, visit SAS websites, SAS WeChat official account or use any other internet sites operated by SAS that may be linked to this Privacy Policy, or contact our customer service team by calls, emails etc. By continuing to use our services, you agree to the collection and use of your personal data in accordance with the provisions of this Privacy Policy.

Updates

SAS reserves the right to modify the China section of this Privacy Policy and will post updated version of this policy in accordance with laws and regulations regarding data protection of China. To the extent SAS materially changes the China section of this Privacy Policy, SAS will inform you of such changes and, to the extent this affects the purposes and processing for which we have obtained your consent, we will re-seek your consent.

For the exercise of data protection rights and/or if you have any questions or comments regarding this China section of Privacy Policy, you are welcome to contact our Data Protection Officer at dataprotectionofficer@sas.se.

How does sas collect & receive your information?

This part supplements “When and how do we process your personal data” of this Privacy Policy and section 3 of this China section. SAS may collect and receive personal data from the App users located in China through the Software Development Tools (SDKs) deployed on the SAS App. Depending on the SDK, the type of personal data collected and received via the SDKs may include, without limitation, the App user’s name, email address, phone number, mailing address, EuroBonus number, credit card information (to the extent a credit card transaction is being made through the App), passenger flight information, App usage metrics, and device information such as IP address. SAS may use such information to verify and authorize credit card transactions, to receive feedback about the App and services, and to track and analyze usage of the App.

Please find below list of the SDKs that are currently deployed on the SAS App operating in China. SAS may update this list of SDKs from time to time if any changes take place.

List of the SDKs deployed on the SAS App operating in China as of November 1, 2021:

SDKs

How sas uses your data

This part describes what personal data we collect about or from you, the purposes for which we use it, and why we use it for our basic and expanded business functions. Your personal data will be collected and processed in accordance with Personal Information Protection Law (“PIPL”) which came into force as of November 1, 2021, and any other laws and regulations of China that govern this area. Any processing of personal data that we perform is in accordance with the provisions of the privacy laws in China, and this data may only be used for the limited purposes discussed in this part.

Scandinavian Airlines System Denmark-Norway-Sweden is responsible for the processing of your personal data via SAS websites and in association with the use of SAS services.

In order to provide you with travel ticketing services and other SAS services and products, we need to collect and use certain personal data. Below lists the personal data that we may request you to provide to us or we may collect and use about you. Please understand that some service feature requires some personal data before it can be provided. After you exercise your right to object, we will be unable to continue providing the service corresponding to the personal data involved in the objection and we will no longer process your corresponding personal data.

We may request you to provide to us the following personal data:

Identification and contact information

Your gender, date of birth, ID No., passport No., nationality; your name, address, phone No., E-mail address; and the personal data of any other persons that you travel with (including their contact information). Such information will be used to pass to you or your contact person messages on flights and orders (including flight departure, security check, boarding, reimbursement, flight delay, insurance services and notification of accident), organize your itinerary, e-mail itinerary or other products to you, verify your identity, receive your comments on service quality, receive your complaints and suggestions, provide you with SAS services and products, and push to you, if you agree to receive, promotional and marketing messages. Please be noted, when you book for others the relevant services, you need to provide such passengers’ personal data, and, before providing us with their information, please make sure such passengers understand and agree to this Privacy Policy.

EuroBonus information

Your EuroBonus member account No. and flight information, mileage redemption recipient’s information, and minor member’s guardian information. Such information will be used to maintain you as our EuroBonus member, verify member identity and process your accumulation, reward and redemption of points and other services.

Profile account holder information

Your site profile account No., name, age, address and contact information. Such information will be used to maintain you as our profile account holder and manage your account and travels.

Data and images of identity documents required in business processing

ID card, passport, visa page, papers required by authorities for taking a flight, validity period, authorities of issuance, age or date of birth, gender, and their corresponding images. Such information and images will be used, in accordance with laws and regulations, to verify your identity when you book a ticket, check in, take a flight, process entry/exit formalities, purchase air insurance, enjoy SAS services and any other services.

Payment information

Your credit card No., billing address, credit card validity, orders and operation records, log and risk control information. Such information will be used, when you purchase a ticket, to maintain your payment information, verify your identity and provide you with SAS services.

Information to improve travel and other services

Emergency contact person, special service requirements and personal likes and dislikes (in-flight meals, location of seats in cabin, in-flight services). Such information will be used to improve and promote our service so that we can provide you with services that better address your needs and may push to you, subject to your agreement, our promotional and marketing messages.

Information required by public health authorities or other goverment agencies or collected to demonstrate your fitness to take the flight

Contact information, information regarding the presence or absence of possible COVID-19 or other global pandemic symptoms; information regarding potential exposure to COVID-19 or other global pandemic; information collected by our ground or reservations staff pursuant to directives by public health organizations or other government agencies. Such information will be used to comply with legal and regulatory requirements, determine your fitness to travel consistent with applicable government regulations and guidelines.

Any other personal data

We collect for the purpose of: making and operating connections between multiple flights and expediting baggage clearance across international borders; complying with certain regulatory requirements regarding emergencies and otherwise in relation to operating passenger flights; complying with certain regulatory requirements for verifying and authenticating your identity and have a legitimate business interest in complying with applicable legal and regulatory requirements; using this information to perform our contract with you; complying with certain requirements in the public interest such as to protect against risks to passenger and public health, and passenger and aircraft safety.

Please be noted that we will collect, store, use, and transfer your sensitive personal data for the purposes for which it was provided and otherwise in accordance with ther terms of this privacy policy if you provide your explicit consent at the time of collection.

On what legal basis does sas process your personal data

Our legal basis for processing your personal data described above will depend on the personal data concerned and the specific circumstances where we process it. And we will generally collect personal data from you only where:

  • we have obtained your consent to do so;

  • such data is necessary for us to perform a contract with you;

  • the processing is in our legal interests and not overridden by your rights;

  • we have legal obligations to process your personal data from you or may otherwise need the personal data to protect your vital interest or that of other persons;

  • it is necessary for responding to a public health emergency or for protecting life, health and property safety of a natural person;

  • acts, such as news reporting and supervision by public opinions, are carried out for the public interest, and the processing of personal data is within a reasonable scope;

  • it is necessary to process the personal data disclosed by the individual concerned or other personal data that has been legally disclosed within a reasonable scope in accordance with the provisions of PIPL and related laws and regulations; and

  • other circumstances prescribed by laws and administrative regulations.


With whom does sas share your information?

We may share your personal data we collect or receive with:

  • Other airlines and other companies that are involved in the provision of the service that you will make use of;

  • Companies that are part of the booking and performance of your flight, e.g., travel agencies, freight forwarders and agents;

  • IT providers and developer who ensure the operation and security of our IT systems on behalf of SAS;

  • Credit card companies with which SAS collaborates to offer different payment solutions, such as MasterCard;

  • Security companies and businesses that work with preventing and combating fraud;

  • Companies within the SAS Group, including but not limited to SAS EuroBonus AB, SAS Link AB, Scandinavian Airlines Ireland Ltd, SAS Ground Handling A/S, SAS Ground Handling AS, SAS Ground Handling AB, SAS Cargo Group A/S, SAS Cargo Norway AS and SAS Cargo Sweden AB.

  • Government agencies and authorities, law enforcement officials, law courts; or

  • Third parties: (a) if we believe disclosure is required by applicable law, regulation or legal process (such as pursuant to judicial order); or (b) to protect and defend our rights, or the rights or safety of third parties, including to establish, make, or defend against legal claims.

Exercising your rights

SAS fully respects your right to know, access, rectify, restrict the processing of, delete your personal data etc.

Right of access

You have the right to obtain from us confirmation as to whether or not personal data about you is being processed, and, where that is the case, to request access to the personal data. The access information includes the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed.

You have the right to obtain a copy of the personal data undergoing processing. For additional copies requested by you, we may charge a reasonable fee based on our costs.

Right to rectify

You have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to delete

You have the right to request us to delete your personal data.

Right to object

You have the right to object at any time to the processing of your personal data by us for certain purposes. If you exercise this right to object, your personal data will no longer be processed for such purposes by us. Exercising this right will not incur any costs.

However, such a right to object may not exist in certain circumstances, e.g., if the processing of your personal data is necessary to take steps prior to entering a contract or to perform a contract already concluded.

Right to cancel account

You have the right to cancel a previously registered account at any time. Once completion of the cancellation of your account, all information therein will be deleted or anonymized and we will no longer collect, use or provide to third parties the personal data relating to the account. Nevertheless, the information provided by you or generated during your use of our services will need to be retained by us for the period required by laws and regulations, and authorities will have the right to access such information according to law during that legal retention period.

To exercise these rights, you can email securedata@sas.se with requests. For us to be able to verify your identity your written request should include your name and address and other such information that will help us identify you, such as:

  • Any email addresses that you have used in communication with SAS

  • EuroBonus number or TravelPass number

  • Any telephone number you have used in communication with SAS (for example customer service cases)

  • Booking number and/or flight number and date.

SAS must always ensure that it is the right person who is receiving the information about how we process their personal data. SAS will only disclose personal data if we can verify your identity in accordance with the above. After we receive a request to exercise one of these rights, we will provide information on the action we take on the request without undue delay and in any event within 30 days of receipt of the request. This time may be extended by a further 30 days in certain circumstances, for example, where requests are complex or numerous.

Security

Information security is important to SAS. We have adopted proper measures such as separate storage, encryption, access control, de-identification etc., in accordance with the requirements of data classification and categorization, to protect your information security from unauthorized access, disclosure, loss, misuse, alteration, and improper use of your information and avoid negative impact on your personal rights and interests.

Minors

SAS attaches great importance to the protection of minors' personal data. If you are a minor under the age of 14, you should obtain the written consent of your parents or legal guardians before using our products and/or services. For the collection of personal data of minors with the consent of their parents or legal guardians, we will only use or disclose this information with the permission of the law, the explicit consent of their parents or guardians or the necessary protection of the minors. If a minor has provided us with personal data without parental or guardian consent, the parent or guardian may contact us by emailing us at securedata@sas.se . We will remove the information and unsubscribe the child from any of our electronic marketing lists.