Notifications

Privacy policy EuroBonus members

In this Privacy Policy for EuroBonus members (“Privacy Policy), we explain how we process your personal data in the EuroBonus program. This Privacy Policy applies to all the personal data we process about you and for all interaction you have with EuroBonus, for example when earning or using EuroBonus points, using the membership services and interactions with our business partners.

Privacy policy EuroBonus members: Summary

Last updated: 1 September, 2024.

SAS EuroBonus AB ("EB") with corporate identity number 559224-9782, and Scandinavian Airlines System Denmark- Norway-Sweden, a consortium established under the laws of Denmark, Norway and Sweden, and having its principle office at Frösundaviks allé 1, SE-195 87 Stockholm, Sweden ("SAS"), will jointly determine the purposes and means of the processing of your personal data as so called joint controllers within the meaning of Article 26 of the General Data Protection Regulation (EU Regulation no. 2016/679) (the "GDPR"). For this purpose, EB and SAS have entered into a joint-controller agreement, the essence of which is set out in the joint-controller agreement summary.

EB and SAS as joint controllers (hereafter "we" or "us") are committed to ensuring your right to privacy and will only process your personal data as described in this Privacy Policy.

Below, we explain how we collect, use, transfer, store or otherwise process any personal data relating to you as a member of our EuroBonus program. Our aim is to be as clear, transparent, and candid as possible. However, do not hesitate to contact us should you still have any questions about how we process your personal data.

Most of the personal data we hold on you will stem from you directly, e.g. when you register for a EuroBonus account or purchase flights and from your activities when using the SAS application or EB’s or SAS’ websites. Similarly, we obtain information from you when you use your EuroBonus card or your points, or when you use other offers and services from us or our business partners.

In addition, we obtain personal data about you from the following sources:

  • EB’s and SAS’ different departments and sales points, such as lounge visits and customer care contacts.

  • EB’s business partners ("Business Partners"), e.g. hotel reservations, rental car bookings, co-branded credit cards, and purchases using or earning EuroBonus points.

  • Our suppliers acting on behalf of EB, e.g. EuroBonus shop, card linking service, affiliate web shopping, security companies and businesses that work with preventing and combating fraud and cyber investigations; and IT providers and developer who ensure the operation and security of our IT systems on behalf of EB.

  • SAS partner airlines participating in the EuroBonus Program, for example other carriers in the Sky Team Alliance.

  • Based on your consent, we also create ‘new’ personal data from information collected from the above-mentioned data sources, in the form of predictive segmentations. These models and analyses are sometimes performed on our behalf by service providers contracted by us, such as customer insight and third-party data suppliers.

We may also collect personal data about you from the cookies on our website. You can read more about cookies in our Cookie Policy

The basis and purpose of the EuroBonus program is for you to earn points and benefits from your activities with us and for us to provide you with a range of simple, useful and personalized services and offers. We are committed to getting to know you so that we can offer you the best personalized travel and lifestyle offers and features, and to continually improve our EuroBonus program.

In this section, we describe the activities in which we process your personal data, the purposes of the processing, the types of personal data we process, the legal basis for the processing and the retention period of the personal data.

3.1 EuroBonus membership and account

Purposes and personal data

To administer and manage your EuroBonus membership and account, EuroBonus points earned and used, sending out EuroBonus cards as well as to update your contact details and cancel EuroBonus accounts of deceased members, we process the following personal data about you:

  • Membership Information: name, EuroBonus number, membership level.

  • Member details: Gender, date of birth, and country of residence.

To calculate your annual revenue from your EuroBonus membership to assess your membership level, tier and benefits, we process the following personal data about you:

  • Membership Information.

  • EuroBonus points and transactions (including, bookings, purchases, travels, upgrades, and award trips).

To provide relevant information on your My EuroBonus Profile about your membership and account, such as current EuroBonus points and transactions (including, bookings, purchases, travels, upgrades and award trips), points earned and used, membership level and point expiry date, including details on EuroBonus points and transactions relating to Business Partners, we process the following personal data about you:

  • Membership Information.

  • EuroBonus points and transactions (including, bookings, purchases, travels, upgrades, and award trips), and expiry date for EuroBonus points.

  • Business Partner information: purchases, flight transfers, hotel and/or car rental purchases. For instance, the destination of the trip, duration of stay, name and location of the hotel, type of room, car rented, rental time, time of purchase and amounts paid.

  • Information about your travels: destinations, airlines, ticket types, lounge visits, luggage information, flight seats and upgrades and payment information such as (time of purchase and amounts paid).

To provide contractually based offers, such as offers based on membership level, EuroBonus points, campaigns, or member events, we process the following personal data about you:

  • Membership Information.

  • Contact Information.

  • EuroBonus points.

To give correct and legal communication based on birthday (legal age for marketing), we process the following personal data about you:

  • Membership Information.

  • Date of birth.

  • Country of residence.

To offer contractually based benefits such as member gifts, family pooling, friends pooling and member give aways, we process the following personal data about you:

  • Membership Information.

  • Gender, date of birth, and country of residence.

  • Contact Information.

  • EuroBonus points and benefits.

  • Contact Information and Membership Information relating to family and friends.

To provide you with customer service and support (for example Membership Information is displayed to call center agents for member recognition or used to identify unknown or unidentified customers), we process the following personal data about you:

  • Membership Information.

  • Contact Information.

  • Customer service or support details

Personal data that you are contractually required to provide are marked as mandatory when you register as a member. Such personal data is necessary to become a EuroBonus member.

Legal basis

The legal basis for the processing of your personal data is to fulfil our contractual obligations (EuroBonus Terms & Conditions) to you as a EuroBonus member, see Article 6(1)(b) GDPR.

Retention time

We will process your personal data for as long as you are a EuroBonus member. Upon termination of your membership, your personal data will be deleted within one year of termination.

As set out in Section 3.13 in the EuroBonus Terms & Conditions, we have the right to terminate your membership in case of inactivity for more than 24 months, if you have no valid, usable points in your EuroBonus account. Your personal data will then be deleted. However, personal data relating to purchases, claims, refunds, and compensations may be stored for a longer time if required by law or necessary for the exercise or defense of legal claims.

3.3 Communication and improvement of member services

Purposes and personal data

To analyze and store information on how you earn and use your EuroBonus points, and what products and services you decide to purchase and how, to create more tailored and relevant offers and activities for you alone or together with Business Partners, we process the following personal data about you:

  • Membership Information.

  • Your use of EuroBonus points, services and products from us or our Business Partners.

To send service emails to you, e.g., to inform you that your EuroBonus points are about to expire, we process the following personal data about you:

  • Membership Information.

  • Contact Information.

  • EuroBonus points.

To calculate your annual revenue from your EuroBonus membership to reward our loyal customers, we process the following personal data about you:

  • Membership Information.

  • EuroBonus points and transactions (including, bookings, purchases, travels, upgrades, and award trips).

  • Rewards and benefits.

To streamline our communication with you and minimize spam, e.g., by registering if you do not open our emails and administering requests to no longer receive such emails, and to remove unnecessary information, e.g., offers for purchasing extra baggage if you have already done so, we process the following personal data about you:

  • Membership Information.

  • Contact Information.

  • Your interactions with and responses to our communication with you. Read more about SAS usage of cookies and pixels in SAS’ Cookie Policy.

To invite you to exclusive events and activities based on your preferences and tier level, we process the following personal data about you:

  • Membership Information.

  • Demographic data.

To send out surveys and collect answers about customer experience,we process the following personal data about you:

  • Membership Information.

  • Email address.

  • Answers to surveys.

To train and develop our AI systems, we process the following personal data about you:

  • Input data from circumstances such as "your use of exemplified services".

To identify and analyze how you travel for work to communicate with and send targeted offers and promotions to EuroBonus corporate members in SAS for Work, if you are an employee of a company that is a EuroBonus corporate member, we process the following personal data about you:

  • Frequency of business travels.

  • Usage of our services.

  • Employer (i.e., the EuroBonus corporate member).

Legal basis

The legal basis for processing personal data for our communication and improvement of member services is our legitimate interest in optimizing our services for individual communication and improvement of member services, see Article (6)(1)(f) GDPR . We have concluded that the processing of your personal data is necessary to achieve the relevant purposes. We also conclude that these interests override any competing interests and fundamental rights and freedoms. You always have the right to object to this conclusion and can read more about your rights below.

Retention time

We will continuously process personal data about you throughout your EuroBonus membership. We carry out regular deletion of personal data that is no longer relevant for the purposes at 2-year intervals.

Upon termination of your membership, your personal data will be deleted within one year of termination.

3.4 Personalized communications, services and offers.

Purposes and personal data

To collect and analyze statistical data about your needs, preferences, buying patterns and purchasing power based on your history of purchasing products and services from us and our Business Partners, we process the following personal data about you:

  • Membership Information.

  • EuroBonus points and transactions.

  • Personal preferences and needs regarding EB, SAS and our Business Partners products and services.

  • Purchasing patterns and purchasing power.

  • Answers to surveys.

We process the following of your personal data to add value to the EuroBonus program and to understand your preferences, needs and (online) behavior, and to create a personal profile of you, based on which we will provide you with personalized offers and services. By using predictive models and segmentation based on demography, gender and purchasing patterns, and performing analysis based on customer segmentation, we try to understand which products and services you value and highlight those products and services to you. Such models include the use of automatic tools and systems, such as AI.

  • Membership Information.

  • Contact Information.

  • EuroBonus points and transactions.

  • Personal preferences and needs regarding EB, SAS and our Business Partners products and services.

  • Online behavior, e.g., how you use of SAS’ applications and EB’s/SAS’ websites.

  • Answers to surveys.

We process the following of your personal data to predict other services and offers that may interest you based on member data. We examine and generalize needs, preferences, buying patterns and purchasing power to understand customer behavior and segments. For example, we analyze what other customers tend to buy according to different attributes (e.g. when they booked their trip, where they are going, how long they are away) and try to predict what products or services you might be interested in buying based on the behavior of other customers.

  • Membership Information.

  • Contact Information.

  • EuroBonus points and transactions.

  • Personal preferences and needs regarding EB, SAS and our Business Partners products and services.

  • Answers to surveys

  • Online behavior, e.g., how you use of SAS’ applications and EB’s/SAS’ websites.

  • Aggregated segmented information relating to your membership.

To provide you with personalized offers, recommendations, products, services, information and travel tips from us or our Business Partners, based on our profile on you and/or our predictions about your interests and preferences, we process the following personal data about you:

  • Membership Information.

  • Contact Information.

  • EuroBonus points and transactions.

  • Personal preferences and needs regarding EB, SAS and our Business Partners products and services.

  • Online behavior, e.g., how you use of SAS’ applications and EB’s/SAS’ websites.

  • Aggregated segmented information relating to your membership.

  • Answers to surveys

We process the following of your personal data to track paid media campaigns, such as information on impressions, clicks and conversion rates, for analysis and to create platforms for communication. We monitor our campaigns at both an aggregate and individual level (where cookies are accepted) and receive personal data from a number of sources, including Facebook and Google.

  • Membership Information.

  • Contact Information.

  • EuroBonus points and transactions.

  • Information on impressions, clicks and conversion rates.

To enable us to advertise to you on social media platforms, such as Facebook and Instagram, through customer match and customer match lookalike, we process the following personal data about you:

  • Hashed email address.

To share your personal data with our Business Partners for analytical, marketing and profiling purposes, for example to deliver products and services used by you within the EuroBonus program, follow up on partnerships, develop new relevant products and services and to tailor our offers depending on your interests, we process the following personal data about you:

  • Membership Information.

  • Contact Information.

  • EuroBonus points and transactions.

  • Preferences and needs regarding EB, SAS and our Business Partners products and services.

Legal basis

The legal basis for the processing of your personal data is your consent, see Article 6(1)(a) GDPR.

Retention time

Your personal data is processed as long as we have your consent. You are free to withdraw your consent at any time via your settings in your EuroBonus account.

We will continuously process personal data about you throughout your EuroBonus membership. We carry out regular deletion of personal data that is no longer relevant for the purposes at 3-year intervals.

Upon termination of your membership, your personal data will be deleted within 1 year of termination.

3.5 Cookies and online behavior

We process your personal data for the following purposes:

  • We process your personal data through strictly necessary cookies to provide necessary functionality and maintain security. Please see our Cookie Policy for details regarding personal data for necessary cookies.

  • We process your personal data to collect, store and analyze online behaviour, alone or in combination with other personal data for which we are the controller or which we have received from a third party, and to provide you with targeted offers on our, our Business Partners’ and third-party applications and/or websites. Please see our Cookie Policy for details regarding personal data for marketing cookies.

  • We process your personal data to identify abandoned baskets and send you reminders to complete your purchase or booking. Please see our Cookie Policy for details regarding personal data for performance and marketing cookies.

  • We process your personal data to perform aggregated analysis of data, alone or in combination with other data for which we are the controller or which we have received from a third party, on app behavior such as searches, clicks, purchases. Please see our Cookie Policy for details regarding personal data for statistical and analysis cookies.

Legal basis

The legal basis for the processing of your personal data through cookies is your consent, see Article 6(1)(a) GDPR, if you consent to the use of cookies on EB’s and SAS’ websites or SAS’ applications.

The legal basis for processing personal data through our necessary cookies is our legitimate interest in providing necessary functionality and maintaining security, see Article (6)(1)(f) GDPR. We have concluded that the processing of your personal data is necessary to achieve the relevant purposes. We also conclude that these interests override any competing interests and fundamental rights and freedoms. You always have the right to object to this conclusion and can read more about your rights below.

Retention time

Please find detailed retention periods in our cookie policy or until you withdraw your consent. You are free to withdraw your consent at any time via your cookie settings.

Please read more about our use of cookies in SAS’ Cookie Policy.

3.6 Fraud and crime prevention and legal claims

Purposes and personal data

To prevent, investigate, or report cases of fraud or safety/security issues and to cooperate with law enforcement agencies, we process the following personal data about you:

  • On award trips: Membership Information and credit card details.

  • Contact Information.

  • EuroBonus points and transactions (including, bookings, purchases, travels, upgrades and award trips).

To detect fraudulent behavior detection online through, e.g., device fingerprinting, we process the following personal data about you:

  • IP address and device information.

To establish, exercise, and defend against legal claims, where applicable, we process the following personal data about you:

  • Membership Information.

  • Contact Information.

  • Correspondence, payment information, descriptions of course of events, or other relevant circumstances or data.

Legal basis

The legal basis for processing personal data is strictly necessary for the purposes of preventing, investigating, or reporting cases of fraud, as well as to establish, exercise, and defend against legal claims, see Article 6(1)(f) GDPR. We have concluded that the processing of your personal data is necessary to achieve the relevant purposes. We also conclude that these interests override any competing interests and fundamental rights and freedoms. You always have the right to object to this conclusion and can read more about your rights below.

Retention time

The personal data that is caught by our filters, due to anomalous activities giving rise to suspicions of fraud and/or safety or security breaches, and which are processed for the establishment, exercise or defense of legal claims, will be retained until the matter is closed and cannot be appealed. Personal data that is not caught by our filters will be deleted immediately. Credit card details relating to a purchase are stored for seven years in accordance with accounting legislation.

3.7 Statistics, analysis and improvement of our products, services, and features

We process any personal data we hold about you for the purpose of aggregation. The aggregated data is used to compile statistics and to analyze and improve our products, services, and features. Once your personal data is aggregated, you can no longer be identified, and it is no longer considered personal data.

As a EuroBonus member, you can log in as a member on the SAS app, where you can access your EuroBonus account. Read more about how we process your personal data in the SAS application.

Personal data is shared between SAS Group companies for the administration and operation of SAS international flights, the EuroBonus points system, the EuroBonus account and member information of EuroBonus members internationally.

Personal data is also shared with our Business Partners to coordinate special offers, activities and analysis. For example, we work with and share personal data with our partners to analyse your behaviour and preferences in order to provide you with relevant services and offers. In some cases, we have joint control with our partners. This means that we and our partner jointly control your personal data and determine the purposes of the processing. You will be informed of this type of relationship when you use the relevant services.

We also share personal data in cases where:

  • it is agreed between you and us (such as Business Partners);

  • it is necessary to protect legal interests;

  • it is necessary for us to fulfill a statutory obligation, comply with a public authority or court decision, or comply with legislation;

  • we engage a third-party service provider or cooperation partner in order to perform services on our behalf, e.g. to provide IT or system services, administrative services or recruitment services, or to organize events;

  • you use the services of a SAS partner airline participating in the EuroBonus Program, for example other carriers in the Sky Team Alliance;

  • it is necessary for the functioning of our third-party cookies used on our website;

  • we market our activities on, e.g., our website and social media;

  • we cooperate with co-organisers of events and there is a need for access to participant lists or if other event participants have compelling reasons to access participant lists; or

  • it is otherwise permitted or required under applicable law.

In certain cases, the recipients of your personal data will be parties who act as data controllers in relation to the processing of personal data (e.g. public authorities, accountancy firms, etc.), while in other cases they will act as data processors who process personal data in accordance with our instructions and may not use personal data for their own purposes, in which case we will always enter into a data processing agreement.

The legal basis for sharing your personal data is:

  • Our legitimate interest (Article 6(1)(f) GDPR) in conducting our business efficiently such as engaging service providers or handling legal claims. In these cases we have concluded that the processing of your personal data is necessary to achieve the relevant purposes and that our interests override any competing interests and fundamental rights and freedoms. You always have the right to object to this conclusion and can read more about your rights below.

  • To fulfil our contractual obligations to you under the EuroBonus Terms & Conditions (Article 6(1)(b) GDPR) which applies to, for example, the sharing of personal data with Business Partners and within SAS Group.

  • To comply with a legal obligation such as disclosing personal data to a public authority.

  • Your consent if you have accepted third party cookies in the SAS application or on EB’ or SAS’ websites.

If you would like a full list of our recipients, please contact us using the details below.

Personal data shared within the SAS Group or with our Business Partners may be transferred to countries outside the European Union ("EU") or the European Economic Area ("EEA") that do not provide an adequate level of protection for personal data. Such transfers will be made in accordance with applicable data protection laws.

Where personal data is processed outside the EU/EEA, there is either a European Commission decision that the country in question provides an adequate level of protection, including the EU-US Data Privacy Framework, or appropriate safeguards to ensure that your rights are protected, such as the standard contractual clauses.

In order to ensure transparency in the processing of personal data, you have the right to obtain a copy of any standard contractual clauses by contacting us using the contact details below. You can find more information about the countries which are deemed to have an adequate level of protection on the European Commission’s website and you can read more about standard contractual clauses on the Swedish Authority for Privacy Protection’s website.

We have taken extensive technical and organizational measures to protect your data from loss, abuse and unauthorized access. Processing and transfer of data between your web browser and our server is properly protected by encryption and we are continuously updating our security measures.

When you pay for any of our services using a card, all information is sent via a secure connection to ensure that your personal data cannot be read by third parties. The actors with whom we collaborate in terms of card payments are all certified in accordance with the international security standard PCI-DSS, which means a very high level of security for the processing of your card details.

You have several rights in relation to your personal data. You can exercise your rights by logging into your EuroBonus account and clicking on "Manage Personal Data" on the SAS website.

Right to withdraw consent

If we process information about you based on your consent, you have the right to withdraw your consent at any time. We will then terminate the processing of the personal data that is based on your consent. You can withdraw your consent for direct marketing and profiling under settings in your EuroBonus account, or by clicking the unsubscribe link in relevant communication. To withdraw you consent for cookies – visit "Manage Personal Data" on the SAS website.

Right to rectification

If you believe that your personal data is inaccurate or incomplete, you can ask for it to be corrected or completed by calling our customer service that will help you correct or complete your data. Visit "Manage Personal Data" on the SAS website for further details.

Right to restriction

In some cases, you have the right to request a restriction of the processing of your personal data, which means that the data is marked so that, in the future, it can only be processed for certain limited purposes. This is possible, for example, if you have objected to the processing, if you have disputed the accuracy of your personal data, or if the processing is unlawful. By requesting a restriction of our processing, you have the right to stop us from processing your personal data for a certain period of time for other purposes than, for example, to defend legal claims.

Right to information and access

You can request information regarding whether we are processing your personal data and ask to receive a copy of your personal data (known as a data subject access request or DSAR) together with certain additional information regarding how we process your personal data. Visit "Manage Personal Data" on the SAS website for further details.

Right to lodge a complaint

It is important for us that you feel confident that EB process your personal data with the utmost respect. If you are uncertain as to how EB is processing your personal data or have any complaints, you are welcome to contact our Data Protection Officer. You also have the possibility of submitting a grievance to the Swedish Data Protection Authority or the data protection authority of your country.

Right to object

You have the right to raise an objection at any point in time to the processing of your personal data that is based on our legitimate interest. If we cannot demonstrate compelling legitimate grounds for the processing of your data that outweighs your interests, rights, and freedoms or that the processing is done for the establishment, exercise or defense of legal claims, then we will no longer process your personal data.

Right to transfer your personal data (data portability)

If we process your personal data to fulfil a contract or on the basis of your consent, you may, in certain cases, be able to obtain the personal data for use elsewhere, e.g. by obtaining a copy of it in a machine-readable format and transmitting it to another data controller.

Right to erasure

In some cases, you may request that your personal data be erased. The right to erasure applies, for example, to personal data that is no longer necessary for the purpose for which it was collected, or to personal data that is processed on the basis of your consent if you choose to withdraw your consent. In certain circumstances, we may not be able to delete your personal data, for example, if your personal data is needed to comply with a legal obligation, if it is still needed for the purpose for which it was collected, or if our interest in continuing to process the data outweighs your interest in having it deleted. Visit "Manage Personal Data" on the SAS website for further details or to exercise your right.

We check this Privacy Policy regularly and will update it as necessary. Where there are significant changes made to this Privacy Policy, we will inform you (for example on our website or in SAS App). The latest version will always be available on the SAS website.

SAS has appointed a Data Protection Officer to help SAS and EB ensure that your personal data is processed in the correct manner. You are welcome to contact our Data Protection Officer with questions or requests concerning our processing of your personal information by sending an email to data protection dataprotectionofficer@sas.se.

If you have questions regarding the EuroBonus program in general, please contact EuroBonus Customer Service at www.flysas.com.

Processing of personal data in china

This section is applicable to customers located in the People's Republic of China (hereafter China) and describes how we collect, use, store, share and disclose your personal data in China and supplements other generally applicable sections of this Privacy Policy. If any inconsistency or deviation occurs, the provisions provided in this China section take precedence over provisions set out in other generally applicable sections of this Privacy Policy.

It applies to personal data we collect from or about you when you use SAS services, visit SAS websites, SAS WeChat official account or use any other internet sites operated by SAS that may be linked to this Privacy Policy, or contact our customer service team by calls, emails etc. By continuing to use our services, you agree to the collection and use of your personal data in accordance with the provisions of this Privacy Policy.

Updates

SAS reserves the right to modify the China section of this Privacy Policy and will post updated version of this policy in accordance with laws and regulations regarding data protection of China. To the extent SAS materially changes the China section of this Privacy Policy, SAS will inform you of such changes and, to the extent this affects the purposes and processing for which we have obtained your consent, we will re-seek your consent.

For the exercise of data protection rights and/or if you have any questions or comments regarding this China section of Privacy Policy, you are welcome to contact our Data Protection Officer at dataprotectionofficer@sas.se.

How does SAS collect & receive your information?

This part supplements “When and how do we process your personal data” of this Privacy Policy and section 3 of this China section. SAS may collect and receive personal data from the App users located in China through the Software Development Tools (SDKs) deployed on the SAS App. Depending on the SDK, the type of personal data collected and received via the SDKs may include, without limitation, the App user’s name, email address, phone number, mailing address, EuroBonus number, credit card information (to the extent a credit card transaction is being made through the App), passenger flight information, App usage metrics, and device information such as IP address. SAS may use such information to verify and authorize credit card transactions, to receive feedback about the App and services, and to track and analyze usage of the App.

Please find below list of the SDKs that are currently deployed on the SAS App operating in China. SAS may update this list of SDKs from time to time if any changes take place.

List of the SDKs deployed on the SAS App operating in China as of November 1, 2021:

SDKs (PDF, 98KB)

How sas uses your data

This part describes what personal data we collect about or from you, the purposes for which we use it, and why we use it for our basic and expanded business functions. Your personal data will be collected and processed in accordance with Personal Information Protection Law (“PIPL”) which came into force as of November 1, 2021, and any other laws and regulations of China that govern this area. Any processing of personal data that we perform is in accordance with the provisions of the privacy laws in China, and this data may only be used for the limited purposes discussed in this part.

Scandinavian Airlines System Denmark-Norway-Sweden is responsible for the processing of your personal data via SAS websites and in association with the use of SAS services.

In order to provide you with travel ticketing services and other SAS services and products, we need to collect and use certain personal data. Below lists the personal data that we may request you to provide to us or we may collect and use about you. Please understand that some service feature requires some personal data before it can be provided. After you exercise your right to object, we will be unable to continue providing the service corresponding to the personal data involved in the objection and we will no longer process your corresponding personal data.

We may request you to provide to us the following personal data:

Identification and contact information

Your gender, date of birth, ID No., passport No., nationality; your name, address, phone No., E-mail address; and the personal data of any other persons that you travel with (including their contact information). Such information will be used to pass to you or your contact person messages on flights and orders (including flight departure, security check, boarding, reimbursement, flight delay, insurance services and notification of accident), organize your itinerary, e-mail itinerary or other products to you, verify your identity, receive your comments on service quality, receive your complaints and suggestions, provide you with SAS services and products, and push to you, if you agree to receive, promotional and marketing messages. Please be noted, when you book for others the relevant services, you need to provide such passengers’ personal data, and, before providing us with their information, please make sure such passengers understand and agree to this Privacy Policy.

EuroBonus information

Your EuroBonus member account No. and flight information, mileage redemption recipient’s information, and minor member’s guardian information. Such information will be used to maintain you as our EuroBonus member, verify member identity and process your accumulation, reward and redemption of points and other services.

Profile account holder information

Your site profile account No., name, age, address and contact information. Such information will be used to maintain you as our profile account holder and manage your account and travels.

Data and images of identity documents required in business processing

ID card, passport, visa page, papers required by authorities for taking a flight, validity period, authorities of issuance, age or date of birth, gender, and their corresponding images. Such information and images will be used, in accordance with laws and regulations, to verify your identity when you book a ticket, check in, take a flight, process entry/exit formalities, purchase air insurance, enjoy SAS services and any other services.

Payment information

Your credit card No., billing address, credit card validity, orders and operation records, log and risk control information. Such information will be used, when you purchase a ticket, to maintain your payment information, verify your identity and provide you with SAS services.

Information to improve travel and other services

Emergency contact person, special service requirements and personal likes and dislikes (in-flight meals, location of seats in cabin, in-flight services). Such information will be used to improve and promote our service so that we can provide you with services that better address your needs and may push to you, subject to your agreement, our promotional and marketing messages.

Information required by public health authorities or other government agencies or collected to demonstrate your fitness to take the flight

Contact information, information regarding the presence or absence of possible COVID-19 or other global pandemic symptoms; information regarding potential exposure to COVID-19 or other global pandemic; information collected by our ground or reservations staff pursuant to directives by public health organizations or other government agencies. Such information will be used to comply with legal and regulatory requirements, determine your fitness to travel consistent with applicable government regulations and guidelines.

Any other personal data

We collect for the purpose of: making and operating connections between multiple flights and expediting baggage clearance across international borders; complying with certain regulatory requirements regarding emergencies and otherwise in relation to operating passenger flights; complying with certain regulatory requirements for verifying and authenticating your identity and have a legitimate business interest in complying with applicable legal and regulatory requirements; using this information to perform our contract with you; complying with certain requirements in the public interest such as to protect against risks to passenger and public health, and passenger and aircraft safety.

Please be noted that we will collect, store, use, and transfer your sensitive personal data for the purposes for which it was provided and otherwise in accordance with the terms of this privacy policy if you provide your explicit consent at the time of collection.

On what legal basis does sas process your personal data

Our legal basis for processing your personal data described above will depend on the personal data concerned and the specific circumstances where we process it. And we will generally collect personal data from you only where:

  • we have obtained your consent to do so;

  • such data is necessary for us to perform a contract with you;

  • the processing is in our legal interests and not overridden by your rights;

  • we have legal obligations to process your personal data from you or may otherwise need the personal data to protect your vital interest or that of other persons;

  • it is necessary for responding to a public health emergency or for protecting life, health and property safety of a natural person;

  • acts, such as news reporting and supervision by public opinions, are carried out for the public interest, and the processing of personal data is within a reasonable scope;

  • it is necessary to process the personal data disclosed by the individual concerned or other personal data that has been legally disclosed within a reasonable scope in accordance with the provisions of PIPL and related laws and regulations; and

  • other circumstances prescribed by laws and administrative regulations.


With whom does sas share your information?

We may share your personal data we collect or receive with:

  • Other airlines and other companies that are involved in the provision of the service that you will make use of;

  • Companies that are part of the booking and performance of your flight, e.g., travel agencies, freight forwarders and agents;

  • IT providers and developer who ensure the operation and security of our IT systems on behalf of SAS;

  • Credit card companies with which SAS collaborates to offer different payment solutions, such as MasterCard;

  • Security companies and businesses that work with preventing and combating fraud;

  • Companies within the SAS Group, including but not limited to SAS EuroBonus AB, SAS Link AB, Scandinavian Airlines Ireland Ltd, SAS Ground Handling A/S, SAS Ground Handling AS, SAS Ground Handling AB, SAS Cargo Group A/S, SAS Cargo Norway AS and SAS Cargo Sweden AB.

  • Government agencies and authorities, law enforcement officials, law courts; or

  • Third parties: (a) if we believe disclosure is required by applicable law, regulation or legal process (such as pursuant to judicial order); or (b) to protect and defend our rights, or the rights or safety of third parties, including to establish, make, or defend against legal claims.

Exercising your rights

SAS fully respects your right to know, access, rectify, restrict the processing of, delete your personal data etc.

Right of access

You have the right to obtain from us confirmation as to whether or not personal data about you is being processed, and, where that is the case, to request access to the personal data. The access information includes the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed.

You have the right to obtain a copy of the personal data undergoing processing. For additional copies requested by you, we may charge a reasonable fee based on our costs.

Right to rectify

You have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to delete

You have the right to request us to delete your personal data.

Right to object

You have the right to object at any time to the processing of your personal data by us for certain purposes. If you exercise this right to object, your personal data will no longer be processed for such purposes by us. Exercising this right will not incur any costs.

However, such a right to object may not exist in certain circumstances, e.g., if the processing of your personal data is necessary to take steps prior to entering a contract or to perform a contract already concluded.

Right to cancel account

You have the right to cancel a previously registered account at any time. Once completion of the cancellation of your account, all information therein will be deleted or anonymized and we will no longer collect, use or provide to third parties the personal data relating to the account. Nevertheless, the information provided by you or generated during your use of our services will need to be retained by us for the period required by laws and regulations, and authorities will have the right to access such information according to law during that legal retention period.

To exercise these rights, you can email securedata@sas.se with requests. For us to be able to verify your identity your written request should include your name and address and other such information that will help us identify you, such as:

  • Any email addresses that you have used in communication with SAS

  • EuroBonus number or TravelPass number

  • Any telephone number you have used in communication with SAS (for example customer service cases)

  • Booking number and/or flight number and date.

SAS must always ensure that it is the right person who is receiving the information about how we process their personal data. SAS will only disclose personal data if we can verify your identity in accordance with the above. After we receive a request to exercise one of these rights, we will provide information on the action we take on the request without undue delay and in any event within 30 days of receipt of the request. This time may be extended by a further 30 days in certain circumstances, for example, where requests are complex or numerous.

Security

Information security is important to SAS. We have adopted proper measures such as separate storage, encryption, access control, de-identification etc., in accordance with the requirements of data classification and categorization, to protect your information security from unauthorized access, disclosure, loss, misuse, alteration, and improper use of your information and avoid negative impact on your personal rights and interests.

Minors

SAS attaches great importance to the protection of minors' personal data. If you are a minor under the age of 14, you should obtain the written consent of your parents or legal guardians before using our products and/or services. For the collection of personal data of minors with the consent of their parents or legal guardians, we will only use or disclose this information with the permission of the law, the explicit consent of their parents or guardians or the necessary protection of the minors. If a minor has provided us with personal data without parental or guardian consent, the parent or guardian may contact us by emailing us at securedata@sas.se . We will remove the information and unsubscribe the child from any of our electronic marketing lists.