SAS processes your personal data to provide the travel services you have purchased, make sure your baggage arrives at your destination and handle any issues connected with your trip. We also use this data to improve our products and services. The data is based on your booking reference and processed according to the IATA standard PNR (passenger name record). Once you’ve completed your trip, we delete your passport number but save the booking reference for further reference.
SAS cooperates with a number of suppliers including airports, ground handling suppliers, travel agents, IT service suppliers, authorities and other service providers such as call centers, hotels and transport companies. Additionally, information about SAS’ available flights and seats can be accessed by travel agents all over the world through global distribution systems such as Amadeus, Abacus and Travelport. These systems are also subject to GDPR.
Suppliers process your personal data according to a data protection agreement (DPA) or data exchange agreement (DEA). Your data may only be used in association with services you have purchased.
Personal data related to travelers is stored in Norway, Denmark, Sweden, Germany, Latvia, Poland, India and the US.
SAS processes your personal data so you can enjoy benefits and earn and spend EuroBonus points on rewards. We also use your data to send you personalized offers and identify you in the entire travel chain so we can offer you relevant benefits and information. We also cooperate with a number of partners that also process your personal data so you can earn and spend points outside of SAS.
Name, address, phone number, email, membership level
Personal data related to EuroBonus members is stored in Norway, Denmark, Sweden, Germany, Latvia, Poland, India and the US.
SAS processes your personal data to make your travel easier, deliver the travel services you have purchased and provide you with personalized offers. Providing SAS with your personal data makes it easier for you to use SAS’ digital services (through pre-filled booking dialogs, travel history, etc.).
You can opt in or out of receiving personalized offers at any time. If you choose to opt out, your personal data will no longer be processed for personalized offers.
Personal data related to SAS account holders is stored in Norway, Denmark, Sweden, Germany, Latvia, Poland, India and the US.
For companies that are members of SAS’ Corporate Program, SAS processes personal data provided by the company to deliver travel services. SAS also shares information about travelers with the company. This includes information about who has traveled where and when and what services they have purchased.
Personal data related to corporate travel is stored in Norway, Denmark, Sweden, Latvia, India and the US.
Sensitive data is any data related to a person’s fundamental rights and freedoms that if processed could limit the person’s rights and freedoms. SAS processes sensitive data provided by travelers so that it can provide the same service to all travelers and deliver the services purchased. This means that SAS also shares sensitive information with third parties during travel. This data is called SSR (special service request) information and it follows an IATA standard used throughout the airline industry.
One type of cookie will save a file permanently on your computer. This cookie is used to customize the website based on your choices and history.
Another common type of cookie is the session cookie that is sent between your computer and the server to collect information. Session cookies aren’t saved when you close your web browser. Read more about how cookies work at allaboutcookies.org.
We’re always working to improve our website by analyzing user behavior through tools such as Google Analytics and Adobe Analytics.
Online behavioral advertising is a way of serving advertisements on the websites you visit and making them more relevant to you and your interests.
SAS’ staff has received information and undergone training on GDPR. SAS’s suppliers have also been informed of the new GDPR regulation.
SAS has a designated Data Protection Officer and Data Protection Ambassadors throughout the organization to ensure that all personal data is processed according to the GDPR.
SAS will inform you and the authorities if your data has been breached.
All SAS “processors” that handle personal data sign a Data Protection Agreement to ensure that they are GDPR compliant.
All SAS partners acting as “controllers” sign a Data Exchange Agreement to ensure that they are GDPR compliant.
SAS works constantly to improve information security according to ISO 27001
You have the right to request a copy of the personal data SAS has on you. You may order one copy free of charge. Further requests are subject to an administrative fee. SAS aims to send you a link to download your personal data no later than 30 days after we receive your request.
SAS does not store your passport number or social security number. If you are a EuroBonus member, SAS Travel Pass holder or SAS account holder, you need to log in to request a copy of your personal data. All other travelers are identified by name, email and phone number. Please note that we require all of this information to identify you.
SAS does not process any data about travelers under 18 for any other purpose than a specific trip.
You have the right to ask SAS to delete all of the information we have about you. Please note that it can take SAS up to 30 days to delete all of this information.
If you exercise your right to be forgotten, your EuroBonus membership/SAS account will be terminated and all of your points will be deleted. You will also not be able to use the same digital services as before. If you are a SAS Travel Pass holder, only your company can exercise your right to be forgotten regarding data connected to your SAS Travel Pass.
Please also note that SAS cannot delete all personal data. To protect you from fraud, PNR data is not deleted in accordance with Regulation EC 261/2004 of the European Parliament and the Council of the European Union. In addition, any activity carried out by a traveler that qualifies under ICAO Resolution “A33-4 Adoption of national legislation on certain offences committed on board civil aircraft (unruly/disruptive passengers)” will not be deleted.
If you want to exercise your right to be forgotten, please go through the following checklist before making your request.
SAS has a designated Data Protection Officer to help travelers and ensure GDPR compliance.
If you have any questions or need assistance, just contact the SAS Data Protection Officer at email@example.com