Effective: 25 Jan, 2022
As a member of the EuroBonus program, we invite you to be part of the EuroBonus community and experience an array of easy, joyful and personalised services to help simplify your life. Our goal is to get to know you, so that we can provide you with tailored offers and services that are truly useful to you, and to filter away those that would only take up space and time.
Airstair 3 AB, with corporate identity number 559224-9782, under change of name to SAS EuroBonus AB (“EB”), and Scandinavian Airlines System Denmark- Norway-Sweden, a consortium established under the laws of Denmark, Norway and Sweden, and having its principle office at Frösundaviks allé 1, SE-195 87 Stockholm, Sweden (“SAS”), will jointly determine the purposes and means of the processing of your personal data as so called joint controllers within the meaning of Article 26 of the General Data Protection Regulation (EU Regulation no. 2016/679). For this purpose, EB and SAS have entered into a joint-controller agreement.
We will below explain how we collect, use, transfer, store or otherwise process any personal data relating to you as a member of our EuroBonus program. Our aim is to be as clear, transparent and candid as possible. However, do not hesitate to contact us should you still have any questions about how we process your personal data.
Personal data means any information relating to you as a natural person and through which you can be identified, directly or indirectly, such as your name or photo.
We recognize that special categories of information, such as data revealing ethnic origin, religious beliefs or health information, are particularly sensitive. We will only collect and use such sensitive data where strictly necessary. For instance, it is important for us to know if you are late stage pregnant or require a wheelchair to board a flight.
Processing of personal data means any operation or set of operations performed on personal data, whether or not by automated means. All actions carried out on personal data, from collection and storage to alteration, use or disclosure thus constitute ‘processing’.
The EuroBonus Terms and Conditions
The foundation and purpose of the EuroBonus program is for you to earn points and benefits on your activities with us and for us to provide you with a spectrum of easy, useful and personally adapted services and offers. We are committed to getting to know you so that we can deliver the best individualised travel and life style deals and features that we can, and to continuously improve our EuroBonus program.
To be able to fulfil this promise, it is necessary for us to process data that relates to you as a person. The legal basis on which we process your personal data is thus the EuroBonus Terms and Conditions that govern the relationship between EB and you as a EuroBonus member. We have below listed the different types of personal data that we will or may process in order to fulfil our requirements under the EuroBonus Terms and Conditions. In other words, we will only process the data necessary to meet our end of the EuroBonus Terms and Conditions.
You are, of course, free to terminate the EuroBonus membership at any time. You may also restrict the processing of your personal data, or ask us to correct or erase certain data. We will restrict the processing of your personal data, update or delete the personal data accordingly. However, please note that restricting the processing of personal data or erasing personal data entails a termination of the EuroBonus membership, as we will then no longer be able to provide you with our services of the EuroBonus program. For further information, please refer to your rights below.
We will process your personal data when we are under a legal obligation to do so, for instance when we are obliged to provide information to government authorities or we are subject to a court order.
We will process personal data based on our legitimate interests in order to prevent, investigate or report cases of fraud or safety issues and to cooperate with law enforcement agencies.
In order to be able to provide you with the EuroBonus membership as promised, we collect and process the following data on you. We only collect the data we need to deliver on our promise for the EuroBonus membership.
The information submitted when you apply for a EuroBonus membership and/or update your EuroBonus account, e.g. name, gender, birthday, address, country of residence and membership level.
The details regarding your travels, e.g. the origin and destination of the trip, carrier, type of tickets, lounge visits, checked-in luggage, purchase of extra luggage, pre-ordered meals, flight seats or upgrades, duration of stay, time of purchase and amounts paid.
The details collected by EB’s and SAS’ business partners (“our business partners”) regarding your purchases, flight transfers, hotel and/or car rental purchases. For instance, the destination of the trip, duration of stay, name and location of the hotel, type of room, car rented, rental time, time of purchase and amounts paid.
Data on other purchases or activities entitling you to earn or use EuroBonus points at our business partners’ physical or online stores, such as items purchased, the time of purchase and amounts paid.
Demographic data obtained from our business partners, including data on home ownership, members of household and vehicle ownership.
Publicly available data obtained from external sources, such as information on government authority registers, tax returns, LinkedIn, and news articles.
Information on customer care and travel irregularities such as delayed or canceled flights, lost luggage, and complaints, refunds, and compensation paid.
Personal data created by us as a result of our analysis of the above data, such as customer segments, scorings and profiles established for you in order to e.g. adapt our communication, evaluate your price and product preferences or to predict what accessory services you may be interested in.
The fundamental aim of our EuroBonus program is to get to know our members so that we can offer you the best possible assortment of useful and personal travel and life style services and offers. To deliver on this promise, it is necessary for us to process the personal data on you as described in the section above.
Specifically, we will process your personal data for the following purposes:
Your membership account, bookings and travels:
Administer your EuroBonus membership, points earned and used as well as update your contact details and cancel EuroBonus accounts of deceased members.
Manage and carry out your bookings, purchases, discounts and flights. If you have chosen to receive emails from us, we will also send you a summary of relevant travel information, e.g. flight schedule and luggage included, prior to your departure. This summary will also provide you with relevant offers and benefits related to your upcoming travel, e.g. regarding lounge access or luggage.
Improving our products, services, features and communication:
Process, on an aggregated level, all reservations and total revenue in order to optimize e.g. the flight network and pricing.
Analyse how you collect and use your EuroBonus points, and what products and services you decide to purchase and how, so as to create more tailored and relevant offers for and activities alone or together with our business partners.
Calculate the annual revenue from each EuroBonus member in order to reward loyal customers. Based on their life style and preferences, also organise and send out invitations to exclusive events and activities.
Streamline our communication with you and minimise spam e.g. by registering if you do not open our emails, analysing what subjects are of interest and administering requests to no longer receive such emails. We also use the data to remove unnecessary information, e.g. offers for purchasing extra luggage if you have already done so.
Identify our members in the entire travel chain and offer relevant travel benefits and information services. Based on your flight schedule information, we may for instance provide you with information on local train departures from the destination airport.
Investigate what features and services of SAS’ applications and EB’s/SAS’ websites are well-used and which ones are not, and use this data to continuously improve and facilitate your use of EB’s and SAS’ platforms and services.
Allow SAS’ flight crew, ground operations, customer service and other relevant SAS personnel to identify your membership level in order to provide you with associated benefits on-board and on-ground. We want to e.g. reward loyal members by directing/ automatizing the seat selection process towards your preferred seat.
Analyse to what extent our members of different membership levels actually make use of their associated benefits. For instance, understand when and under which circumstances SAS’ lounge is of interest to you to optimise our members’ lounge visits.
Getting to know you and personalizing our communications, service and offers:
Compile statistical data on needs, preferences, purchase behavior and purchasing power in the purchase of our and our business partners’ products and services, and analyse and apply this data to streamline and personalize the offers and services we provide to our members on an individual level.
Create value in the EuroBonus program and understand your preferences, needs and (online) behavior and profile you as a basis for creating personalized offers and services. By using predictive models and scorings, we try to understand which members tend to appreciate what products and services and to thereafter highlight relevant products and services to those members.
Examine and generalize needs, preferences, purchasing behavior and purchasing power to understand customers behavior and segments. For instance, we analyse what other customers tend to buy depending on different attributes (e.g. when they booked their trip, where they are going, how long they are away) and try to predict which products or services you may be interested in purchasing based on other customers’ behavior. These models and analyses are sometimes performed on our behalf by service providers contracted by us.
Improve EB’s and SAS’ ability to give better personalised service at EB’s and SAS’ customer care departments. For instance, data on recent flight irregularities that you have experienced allows EB and SAS to anticipate what your phone call to customer care may be about and find a solution or award compensation.
Follow up on paid media campaigns, such as information on impressions, clicks and conversion rates, to analyse and create platforms for communication. We monitor our campaigns both on an aggregated and on an individual level (provided that cookies are accepted) and obtain personal data from a range of sources, e.g. Facebook and Google.
Cookies and online behavior:
Collect, store and study online behaviour alone or pooled with other personal data from SAS’ customer database, in order to identify e.g. destinations, you may be interested in. We enrich SAS’ customer database with this data from e.g. cookies and Google Analytics. Vice versa, we enrich the online data with SAS’ customer database information. We use this data to e.g. provide you with targeted offers regarding that destination by placing banners and other advertisements on SAS’ website and application as well as on external media channels such as Facebook and Google.
Profiling means any form of automated processing of personal data in order to evaluate, analyse or predict aspects concerning someone’s personal preferences, interests, behavior, location or movements. In simpler terms, it is the analysis we carry out on your personal data to better understand what types of products, services, communication channels and features you appreciate and which ones you don’t. The fulfillment of many of our purposes above require different degrees of profiling, from placing members into different segments to creating more in-depth predictive scorings for certain behaviors and preferences.
Automated decision-making is when the results of profiling lead to a decision based only on automated processing which produces a legal effect for you or affects you in a similar fashion. For example, our analysis of our members’ different membership levels, purchasing power and preferred travel class may result in differentiated offers, in terms of price and level of comfort, being sent to those members with respect to not only flights, but also to hotels or rental cars.
The logic behind such processing is thus to use available technologies not only to analyse needs and preferences, but to also produce different effects based on those needs and preferences. Where these effects carry legal weight or are otherwise significant for you as a member, the processing may constitute automated decision-making and will only occur subject to your consent, unless the processing is necessary in order for EB to perform the EuroBonus Terms and Conditions.
The personal data is collected from many different sources.
Most of the personal data we hold on you will stem from you directly, e.g. from your setting up a EuroBonus account or purchase of flights and activities through SAS’ application or EB’s/SAS’ website. Similarly, we obtain information from you when you decide to use your EuroBonus card or your points, or when you decide to use other offers and services.
In addition, we obtain personal data from you from the following sources.
EB’s and SAS’ different departments and sales points at airlines, such as information on lounge visits and customer care contacts.
Our business partners, e.g. data on hotel reservations and rental car bookings from travel agencies, and data on purchases to collect or use EuroBonus points.
Cookies that you accept and programs such as Google Analytics, Google Customer Match, Facebook Custom Audience, Adobe Analytics e.g. track and collect data on your online behavior.
We create ‘new’ personal data based on the data collected from the sources above, in the form of predictive scorings and profiles/segments. These models and analyses are sometimes performed on our behalf by service providers contracted by us. For example we use a customer segmentation called Mosaic.
Publicly available data from external sources such as public registers at government authorities, filed tax returns, LinkedIn and news articles.
We only keep personal data for the period of time necessary to meet our commitments under these EuroBonus Terms and Conditions.
If you have accepted cookies, personal data collected through Google Analytics will be stored for three years. Personal data collected through Adobe Analytics will be stored for two years. Having historical data helps us better understand your behavior and interactions with us, and a three year data period is required to obtain a sufficiently good data foundation for statistical analysis. Using the data for analytical predictive and personalisation purposes therefore helps us adapt our products and services to your needs.
Personal data is shared between affiliates within the SAS group to manage and operate SAS’ international flights, the EuroBonus points system, the EuroBonus account and member information from EuroBonus members internationally.
Personal data is also shared with our business partners in order to coordinate special offers and activities. For example, we cooperate and exchange personal data with travel agencies to analyse your behavior and preferences regarding, among other things, hotels and rental cars, in order to be able to provide you with relevant hotel and rental car offers.
We also pool personal data collected by us with personal data obtained from our business partners and external sources.
Personal data that is shared within the SAS group or with our business partners will sometimes be transferred to countries that do not belong to the European Union (“EU”) or the European Economic Area (“EEA”) and which do not ensure an adequate level of protection for personal data. Such transfers will be carried out in compliance with applicable data protection laws.
When transferring personal data to a non-EU/EEA country without an adequate level of protection for personal data we will apply appropriate safeguards by entering into standard contractual clauses adopted by the European Commission. The standard contractual clauses can be found via the following link: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.
EB may use post, landline or mobile phone, SMS, email, social media and other digital channels to communicate direct marketing with you. EB may use these means of communication to send promotional communications to you concerning EB’s, SAS’ and our business partners’ respective products and services. EB will only communicate with members below the age of 18 years to confirm the services/offers used. Any other direct communication with members under the age of 18 years will take place only by post and will be addressed directly to the legal guardian..
You may at any time decline to receive marketing from EB by using the links in the relevant digital communication or by changing the settings in your EuroBonus account.
As set out above EB and SAS are so called joint controllers of your personal data, and are the legal entities responsible for personal data in accordance with applicable legislation on data protection, including the GDPR.
SAS has designated a Data Protection Officer who supports SAS in ensuring that personal data is processed correctly. SAS’ Data Protection Officer is also the Data Protection Officer for EB and supports EB in ensuring that personal data is processed correctly. You may contact the Data Protection Officer with questions or requests relating to the processing of your personal data, at the following address: firstname.lastname@example.org. If you have questions regarding the EuroBonus program in general, please contact SAS Customer Service / EuroBonus at www.flysas.com.
For instance, you have the right to access the personal data that we process on you. You can easily obtain an excerpt of the personal data on you that we process and find more information by signing in to your EuroBonus account.
In the same way, you can find further information on and enforce also the following rights:
Correct, update or delete information that is incorrect or incomplete on your EuroBonus account.
Restrict our processing of your personal data.
To be forgotten. The right to be forgotten means that you may request that we delete all the personal data we have collected on you. Enforcing this right will normally entail termination of your membership.
Receive a copy of the personal data related to you and information regarding our processing of your personal data in a commonly used data format and to transmit – or have transmitted, where technically feasible – the personal data to another controller.
Request that personal data not be used for direct marketing purposes.
Submit a complaint to the data protection authority within your jurisdiction, which in Sweden is the Data Protection Board (Sw. Datainspektionen).
You can also find more information about all the different safeguards and technical measures we have put in place to protect your data and your right to privacy and freedom and to ensure that we are fully compliant with applicable data protection legislation.
If you require assistance or have any questions regarding your rights, please contact the Data Protection Officer at email@example.com.
Should you not or no longer wish to be a part of our EuroBonus system, you are free to terminate the EuroBonus program at any time, as set out in Section 6.6 of the EuroBonus Terms and Conditions.
In certain situations, we will need your consent in order to process your personal data.
The collection, analysis and transfer of personal data described below may in many ways further enhance your EuroBonus membership experience. However, we will only process your personal data for these purposes following your consent.
For instance, we may request your consent in order to:
Collect and use your geolocation data, in order to provide you with real-time offers e.g. at restaurants and shops nearby a gate where you are located.
Allow our business partners to use the personal data that they receive from us for their own purposes, to enable them to create targeted marketing via their own channels.
Compile reports on travel patterns, spending etc. to sell to third parties.
Purchase data from external sources, such as financial transactions based on EU Directive no. 2015/2366 (Payment Services Directive 2) for e.g. income and price sensitivity analyses.
Pre-complete booking forms with your contact details, accompanying persons, passport and payment data etc. to facilitate a faster and simpler use of our services.
Processing of personal data in china
How doea sas collect & receive your information?
Please find below list of the SDKs that are currently deployed on the SAS App operating in China. SAS may update this list of SDKs from time to time if any changes take place.
List of the SDKs deployed on the SAS App operating in China as of November 1, 2021:
How sas uses your data
This part describes what personal data we collect about or from you, the purposes for which we use it, and why we use it for our basic and expanded business functions. Your personal data will be collected and processed in accordance with Personal Information Protection Law (“PIPL”) which came into force as of November 1, 2021, and any other laws and regulations of China that govern this area. Any processing of personal data that we perform is in accordance with the provisions of the privacy laws in China, and this data may only be used for the limited purposes discussed in this part.
Scandinavian Airlines System Denmark-Norway-Sweden is responsible for the processing of your personal data via SAS websites and in association with the use of SAS services.
In order to provide you with travel ticketing services and other SAS services and products, we need to collect and use certain personal data. Below lists the personal data that we may request you to provide to us or we may collect and use about you. Please understand that some service feature requires some personal data before it can be provided. After you exercise your right to object, we will be unable to continue providing the service corresponding to the personal data involved in the objection and we will no longer process your corresponding personal data.
We may request you to provide to us the following personal data:
Identification and contact information
Your EuroBonus member account No. and flight information, mileage redemption recipient’s information, and minor member’s guardian information. Such information will be used to maintain you as our EuroBonus member, verify member identity and process your accumulation, reward and redemption of points and other services.
Profile account holder information
Your site profile account No., name, age, address and contact information. Such information will be used to maintain you as our profile account holder and manage your account and travels.
Data and images of identity documents required in business processing
ID card, passport, visa page, papers required by authorities for taking a flight, validity period, authorities of issuance, age or date of birth, gender, and their corresponding images. Such information and images will be used, in accordance with laws and regulations, to verify your identity when you book a ticket, check in, take a flight, process entry/exit formalities, purchase air insurance, enjoy SAS services and any other services.
Your credit card No., billing address, credit card validity, orders and operation records, log and risk control information. Such information will be used, when you purchase a ticket, to maintain your payment information, verify your identity and provide you with SAS services.
Information to improve travel and other services
Emergency contact person, special service requirements and personal likes and dislikes (in-flight meals, location of seats in cabin, in-flight services). Such information will be used to improve and promote our service so that we can provide you with services that better address your needs and may push to you, subject to your agreement, our promotional and marketing messages.
Information required by public health authorities or other goverment agencies or collected to demonstrate your fitness to take the flight
Contact information, information regarding the presence or absence of possible COVID-19 or other global pandemic symptoms; information regarding potential exposure to COVID-19 or other global pandemic; information collected by our ground or reservations staff pursuant to directives by public health organizations or other government agencies. Such information will be used to comply with legal and regulatory requirements, determine your fitness to travel consistent with applicable government regulations and guidelines.
Any other personal data
We collect for the purpose of: making and operating connections between multiple flights and expediting baggage clearance across international borders; complying with certain regulatory requirements regarding emergencies and otherwise in relation to operating passenger flights; complying with certain regulatory requirements for verifying and authenticating your identity and have a legitimate business interest in complying with applicable legal and regulatory requirements; using this information to perform our contract with you; complying with certain requirements in the public interest such as to protect against risks to passenger and public health, and passenger and aircraft safety.
On what legal basis does sas process your personal data
Our legal basis for processing your personal data described above will depend on the personal data concerned and the specific circumstances where we process it. And we will generally collect personal data from you only where:
we have obtained your consent to do so;
such data is necessary for us to perform a contract with you;
the processing is in our legal interests and not overridden by your rights;
we have legal obligations to process your personal data from you or may otherwise need the personal data to protect your vital interest or that of other persons;
it is necessary for responding to a public health emergency or for protecting life, health and property safety of a natural person;
acts, such as news reporting and supervision by public opinions, are carried out for the public interest, and the processing of personal data is within a reasonable scope;
it is necessary to process the personal data disclosed by the individual concerned or other personal data that has been legally disclosed within a reasonable scope in accordance with the provisions of PIPL and related laws and regulations; and
other circumstances prescribed by laws and administrative regulations.
With whom does sas share your information?
We may share your personal data we collect or receive with:
Other airlines and other companies that are involved in the provision of the service that you will make use of;
Companies that are part of the booking and performance of your flight, e.g., travel agencies, freight forwarders and agents;
IT providers and developer who ensure the operation and security of our IT systems on behalf of SAS;
Credit card companies with which SAS collaborates to offer different payment solutions, such as MasterCard;
Security companies and businesses that work with preventing and combating fraud;
Companies within the SAS Group, including but not limited to SAS EuroBonus AB, SAS Link AB, Scandinavian Airlines Ireland Ltd, SAS Ground Handling A/S, SAS Ground Handling AS, SAS Ground Handling AB, SAS Cargo Group A/S, SAS Cargo Norway AS and SAS Cargo Sweden AB.
Government agencies and authorities, law enforcement officials, law courts; or
Third parties: (a) if we believe disclosure is required by applicable law, regulation or legal process (such as pursuant to judicial order); or (b) to protect and defend our rights, or the rights or safety of third parties, including to establish, make, or defend against legal claims.
Exercising your rights
SAS fully respects your right to know, access, rectify, restrict the processing of, delete your personal data etc.
Right of access
You have the right to obtain from us confirmation as to whether or not personal data about you is being processed, and, where that is the case, to request access to the personal data. The access information includes the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed.
You have the right to obtain a copy of the personal data undergoing processing. For additional copies requested by you, we may charge a reasonable fee based on our costs.
Right to rectify
You have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to delete
You have the right to request us to delete your personal data.
Right to object
You have the right to object at any time to the processing of your personal data by us for certain purposes. If you exercise this right to object, your personal data will no longer be processed for such purposes by us. Exercising this right will not incur any costs.
However, such a right to object may not exist in certain circumstances, e.g., if the processing of your personal data is necessary to take steps prior to entering a contract or to perform a contract already concluded.
Right to cancel account
You have the right to cancel a previously registered account at any time. Once completion of the cancellation of your account, all information therein will be deleted or anonymized and we will no longer collect, use or provide to third parties the personal data relating to the account. Nevertheless, the information provided by you or generated during your use of our services will need to be retained by us for the period required by laws and regulations, and authorities will have the right to access such information according to law during that legal retention period.
To exercise these rights, you can email firstname.lastname@example.org with requests. For us to be able to verify your identity your written request should include your name and address and other such information that will help us identify you, such as:
Any email addresses that you have used in communication with SAS
EuroBonus number or TravelPass number
Any telephone number you have used in communication with SAS (for example customer service cases)
Booking number and/or flight number and date.
SAS must always ensure that it is the right person who is receiving the information about how we process their personal data. SAS will only disclose personal data if we can verify your identity in accordance with the above. After we receive a request to exercise one of these rights, we will provide information on the action we take on the request without undue delay and in any event within 30 days of receipt of the request. This time may be extended by a further 30 days in certain circumstances, for example, where requests are complex or numerous.
Information security is important to SAS. We have adopted proper measures such as separate storage, encryption, access control, de-identification etc., in accordance with the requirements of data classification and categorization, to protect your information security from unauthorized access, disclosure, loss, misuse, alteration, and improper use of your information and avoid negative impact on your personal rights and interests.
SAS attaches great importance to the protection of minors' personal data. If you are a minor under the age of 14, you should obtain the written consent of your parents or legal guardians before using our products and/or services. For the collection of personal data of minors with the consent of their parents or legal guardians, we will only use or disclose this information with the permission of the law, the explicit consent of their parents or guardians or the necessary protection of the minors. If a minor has provided us with personal data without parental or guardian consent, the parent or guardian may contact us by emailing us at email@example.com . We will remove the information and unsubscribe the child from any of our electronic marketing lists.