Privacy policy

Scandinavian Airlines System Denmark-Norway-Sweden is the data controller responsible for the processing described below. In this Privacy Policy, “SAS” refers to Scandinavian Airlines System Denmark-Norway-Sweden. “SAS Group” means all companies in which SAS AB (publ) directly or indirectly, from time to time, owns or controls more than 50 per cent of the shares.

SAS has appointed a Data Protection Officer to help SAS ensure that your personal data is processed in the correct manner. You are welcome to contact our Data Protection Officer with questions or requests concerning our processing of your personal information by sending an email to dataprotectionofficer@sas.se.

SAS collects personal data about you that you provide to us when you use our websites or our services, for example when you book a trip, fly with us, contact our customer service or use our mobile app.

We may also collect personal data about you from the cookies on our website. You can read more about cookies in our Cookie Policy.

Depending on how and to what extent you use SAS websites and SAS services, SAS may process different categories of information about you.

In below section, you can find information on SAS’ activities where we process your personal data, what types of data we process, the purpose of the processing, the legal basis of the processing and the retention time of the personal data.

Activities where SAS handles personal data

Booking and travelling with SAS

Type of data:
Identification and contact information, e.g. name, date of birth, gender, address, e-mail address, travel document information (passport number, nationality etc.)
Travel information, e.g. flight number, travel class, departure and destination, meals, special service requests, baggage information, travel irregularities.

Financial/payment information, e.g. credit card information, transaction data.

Passenger name record (PNR) data is personal information provided by passengers and collected and held by air carriers. It includes the following personal information: name of the passenger, passport details, travel dates, itineraries, seats, baggage, contact details, frequent flyer number, means of payment and special service request (SSR) like special meal requirements and /or special assistance.

Purpose of processing:
The purpose of processing the data in this activity is for SAS to administer and carry out the travel you have requested. This includes notifications and communication related to your travel. PNR data is necessary to process in order to perform our services as an airline.

Legal basis:
The legal basis of processing the personal data related to solely your booking, is in order to fulfil our contractual obligations to you when you book a trip with us, see GDPR art. 6 no 1 b.

The legal basis for e.g. check-in reminders, are our legitimate interest in providing you service, see GDPR art. 6 no 1 f. When SAS use the legal basis of legitimate interest, we document the legitimate interest of SAS to pursue the activity and the individual’s right to integrity in a legitimate interest assessment (LIA).

The legal basis for sharing some of your information with authorities for purposes related to, amongst others, immigration, law enforcement and customs checks is our legal obligation, see GDPR art. 6 no 1 c.

The legal basis for handling and saving financial information is our legal obligation towards accounting laws, see GDPR art. 6 no 1 c.

Retention time: If you book a trip with SAS, we will save your data for ten years after the trip is completed in order to meet legal requirements and process any grievances and complaints.

Information about SAS handling of unruly passengers and the processing of personal data related to these cases, can be found in article 24 in SAS Conditions of Carriage

Marketing, customer support and service.

Type of data:
Communication, e.g. contact with customer support, phone call recordings, marketing messages, newsletter, feedback forms, complaints, refunds.

Purpose of processing:
The purpose of this processing is to develop, analyze and market our services and support our customers in different errands.

Legal basis:
The legal basis of contacting you about our services after you recently booked a travel with us, is our legitimate interest in marketing our services, see gdpr art. 6 no 1 f. you will always have the option to opt out of this communication.

The legal basis for direct marketing is your consent, see gdpr art. 6 no 1 a.

The legal basis for processing your data in relation to customer support and customer service is our contractual obligation and regulatory demands, see gdpr art. 6 no 1 b and gdpr art. 6 no 1 c.

The legal basis for analyzing customer care data, is our legitimate interest in providing you service, see gdpr art. 6 no 1 f. when sas use the legal basis of legitimate interest, we document the legitimate interest of SAS to pursue the activity and the individual’s right to integrity in a legitimate interest assessment (lia).

Retention time:
We will save your personal data as long as it is necessary with regard to the purpose of the processing.

We will save your data from a completed trip for 12 months, in order to offer you communication on similar services.

Analytics, statistics and user tests

Type of data:
We may process your personal data such as travel history, booking information and customer care data. For user tests, we process your contact information and the answers provided in the user tests.

Purpose of processing:
The purpose of the processing is that it is necessary to develop and optimize our customer offer, customer care, flight network, digital platforms, business model and pricing. Our use of information for statistical and analytical purposes will only occur on an aggregated level. This means that we do not analyze your information on an individual level.

The purpose of user tests is to enhance our products, services and offerings.

Legal basis:
The legal basis for processing personal data for analytics and statistics purposes is our legitimate interest in optimizing our services and business model, see GDPR art. 6 no 1 f. When SAS use the legal basis of legitimate interest, we document the legitimate interest of SAS to pursue the activity and the individual’s right to integrity in a legitimate interest assessment (LIA).

The legal basis for user tests is your consent, which we collect before starting the user test, see GDPR art. 6 no 1 a, or the legal basis legitimate interest, in enhancing our products and services, see GDPR art. 6 no 1 f. When SAS uses the legal basis of legitimate interest, we document the legitimate interest of SAS to pursue the activity and the individual’s right to integrity in a legitimate interest assessment (LIA).

Retention time:
We will save your personal data as long as it is necessary with regard to the purpose of the processing.

Web behavior

Type of data:
Digital details and behavior, e.g. login information, IP address, web page usage (requires consent).

Purpose of processing:
The purpose of this processing is to offer you a personalized experience on our website.

Legal basis:
The legal basis is consent that you have actively given on our website, see GDPR art. 6 no 1 a.

Retention time:
See our cookie policy for retention times.

Profile Account

Type of data:
Information you provide us when registering a profile account, for example name, address, email, telephone number etc.

Purpose of processing:
The purpose of the processing is to enable customers to register a profile account with SAS and administer the service.

Legal basis:
The legal basis for this processing is our obligation to comply with the terms and conditions for profile account holders, see GDPR art. 6 no 1 b.

Retention time:
SAS saves this data for as long as you have a profile account.

Recruitment

Type of data:
Recruitment information when you apply for a job at SAS, e.g. contact information, prior experience and references.

Purpose of processing:
The purpose of this processing is to facilitate the recruitment process.

Legal basis:
The legal basis of processing recruitment data is the necessity for the performance of a contract to which the data subject is party or in order to take steps to fulfill a contract, see GDPR art 6 no 1 b.

Retention time:
If you apply for a job at SAS, we store your application for 24 months, in accordance with regulatory demands.

Grants and retirement club

Type of data:
Information when you seek grants from our foundations or information about your membership in the retirement club.

Purpose of processing:
The purpose of processing this data is for SAS to administer and carry out the activities.

Legal basis:
The legal basis of processing this personal data is because it is necessary to fulfil our terms of conditions of the grant applications and membership, see GDPR art. 6 no 1 b. For other activities, the legal basis is our legitimate interest in providing you service, see GDPR art. 6 no 1 f. When SAS uses the legal basis of legitimate interest, we document the legitimate interest of SAS to pursue the activity and the individual’s right to integrity in a legitimate interest assessment (LIA).

Retention time:
SAS saves this data for 7 years, according to regulatory demands.

SAS for work

Type of data:
Name, email, phone number, travel information: flight details (booked and completed travel), purchased travel extras. sas travel pass: product information, travel history, payment details.

Purpose of processing:
The purpose of the processing is to facilitate companies connected to sas corporate program, and the travelers travelling through this arrangement.

Legal basis:
The legal basis of processing this personal data is in order to fulfil our contractual obligations towards companies connected to sas corporate program when a trip with us is booked, see gdpr art. 6 no 1 b.

Retention time:
If you book a trip with sas for work we will save your data for ten years after the trip is completed in order to meet legal requirements and process any grievances and complaints.

Special categories of personal data

Some special categories of personal data are especially sensitive and needs extra protection, e.g. health data. The purpose of which SAS processes sensitive data provided by travelers is that so we can provide the same service to all travelers and deliver the services purchased. This means that SAS also shares sensitive information with third parties during travel. This data is called SSR (special service request) information and it follows an IATA standard used throughout the airline industry. The sensitive data processed is:

• Need for wheelchair, stretcher or bed at airport and/or inflight

• Medical needs and fitness for travel

• Disabilities and need for special assistance and/or service animals

• Special meals based on medical needs or religious beliefs

• Passengers traveling incognito or in custody

• Travelers that are deportees

This processing of personal data is necessary in order to fulfil our contractual obligations to you when you book a trip with us, see GDPR art. 6 no 1 b.

Data related to minors under 18

SAS does not process any data about travelers under 18 for any other purpose than a specific trip or to manage a profile account, or an EuroBonus account.

Use of SAS mobile app

You can download our mobile app to search for flights and book your trip, hotel or rental car, manage your booking and check in easily among other things. We will process your personal data in our mobile app in the same ways and for the same purposes as described in this Privacy Policy and in our table above. The SAS mobile app (“SAS App”) however contains some additional features compared to the website which are described in Section 8. For most such additional features we have assessed that we have a legitimate interest in processing your personal data in order to deliver a useful app. Where an activity is instead based on your consent, this is collected prior to the function being used.

Marketing, events and information

Type of data:
Name and email.

Purpose of processing:
The purpose of the processing is to inform and market our services and offers to relevant corporate customers and agents.

Legal basis:
The legal basis of processing this personal data is SAS legitimate interest in marketing our services, see GDPR art. 6 no 1 f. You will always have the option to opt out of this communication.

Retention time:
We will save your personal data as long as it is necessary with regard to the purpose of the processing, or until you opt out.

AI

SAS sometimes uses AI technology to improve our services and our communication with you. When AI tools are used, you will always receive information about this in connection with use.

SAS will only share your personal data with companies within the SAS Group except in the exemption situations described below.

Foreign authorities and law enforcement bodies

Because of mandatory requirements from foreign authorities and to make possible the execution of the travel plans you have chosen, SAS may be under an obligation to provide foreign authorities access to certain PNR data and advanced passenger information (“API”), with respect to passengers who are flying to, from or over countries both within and outside the European Union (“EU”) and the European Economic Area (“EEA”), including the USA. Such data is used primarily to prevent and combat terrorism and other serious crime. In addition, PNR and API are governed through Directive 2016/681/EU.

Subcontractors and third-parties

If it is necessary in order for us to be able to carry out your flight in accordance with the terms and conditions for travel or otherwise perform our services to you, your personal data will also be shared with:

• other airlines and other companies that are involved in the provision of the service that you will make use of, for example ground handlers;

• companies that are part of the booking and performance of your flight, e.g. travel agencies, freight forwarders and agents;

• IT providers and developer who ensure the operation and security of our IT systems on behalf of SAS;

• credit card companies with which SAS collaborates to offer different payment solutions.

• security companies and businesses that work with preventing and combating fraud and cyber investigations; and

• other partners such as companies that provide such services that you may consider purchasing in association with your trip, such as hotel chains, car rental companies and travel insurance.

Joint controllers

Personal data is also shared with our Business Partners to coordinate data, offers, activities and analysis. In some cases, we have joint control with our partners. This means that we and our partner jointly control your personal data and determine the purposes of the processing. Below, you can view our current joint controllerships and visit their privacy policies to learn more about their handling of personal data.

• Meta

• Google

• Snapchat

• LinkedIn

• TikTok

• Adform

If you book a trip with SAS via SAS website and/or channels or via a travel agency, SAS and SAS EuroBonus AB (“EB”) will process the email address you provided when making the booking, as joint controllers, to verify whether or not you are a member of the EuroBonus program.

This limited processing of personal data is based on our legitimate interests in administrating the EuroBonus program, see GDPR art. 6 no 1 f. In case you are not a member of the EuroBonus program, no further processing will be made by SAS and EB as joint controllers.

Personal data will be transferred between companies in the SAS Group, including for the implementation of our international flights, to administer and maintain your account and membership and for statistical purposes.

Personal data that is shared within the SAS Group in this way or with subcontractors and third parties as described above in Section 4.2, will sometimes be transferred to countries that are not members of the EU or the EEA and that do not ensure a satisfactory level of security for personal data. Such transfers will be carried out in accordance with the prevailing law on data protection, such as adequacy decisions and additional contractual clauses. SAS Group transfers personal data to the following countries outside of EU/EEA for occasional services connected to our processes as an air carrier: USA, China, India, Indonesia, Brazil, UAE, Turkey, Albania, Montenegro, South Africa, Peru, Ethiopia, Ukraine, Lebanon, Colombia, El Salvador, Costa Rica, Mexico, Australia, Thailand, Egypt, Russia, Taiwan, and Singapore.

When personal data is transferred to a non-EU/EEA country without satisfactory levels of protection for personal data, we will apply appropriate measures, as a minimum by including a standard contractual clause that has been adopted by the European Commission. These standard contractual clauses can be found at the following link: Standard Contractual Clauses (SCC) (europa.eu)

If there is a lack of both a decision on adequate levels of protection by the European Commission and established appropriate security measures in the form of standard contractual clauses in accordance with the above, we will only transfer your personal data when it is necessary in order to fulfill our contractual obligations to you, see GDPR art. 49 no 1 b, for example in order to carry out your travel or to perform our obligations under the EuroBonus and Profile Account terms and conditions.

We have taken extensive technical and organizational measures to protect your data from loss, abuse and unauthorized access. Processing and transfer of data between your web browser and our server is properly protected by encryption and we are continuously updating our security measures.

When you pay for any of our services using a card, all information is sent via a secure connection to ensure that your personal data cannot be read by third parties. The actors with whom we collaborate in terms of card payments are all certified in accordance with the international security standard PCI-DSS, which means a very high level of security for the processing of your card details.

Analytics and online behavior

We use certain technology features (similar to cookies) such as unique identifiers associated with your device in our SAS app with the purpose to help administer the app and to improve your experience and our services. Such features may be provided by third parties. After downloading the SAS app, we will ask for your consent to enable such features. If you choose to allow these types of features, you can control your settings at any time in the SAS app under Notifications. The legal basis for this processing is your consent, see GDPR art. 6 no 1 a. The data is saved for as long as we have your consent.

Mobile push notifications

With your consent, we use mobile push notifications to send you direct messages with flight related service information such as opening of check-in, change of gate or delays etc. as well as advertisement and special offers. You can control your settings at any time in the SAS app under Notifications. We will store your device ID backend to enable push notifications. The legal basis for this processing is your consent, see GDPR art. 6 no 1 a. The data is saved for as long as we have your consent.

Saved travelers

You have the option to store personal data regarding yourself and persons you are travelling with locally on your mobile device in the SAS app. This ensures that the necessary information is pre-filled during the booking or check-in process to enable a more convenient process. Such personal data stored on your device is only processed locally in the app and will not be collected by SAS.

Tech Support/App Support

We have an app support function to assist with any technical issues or errors occurring when you use the SAS app or to send feedback. We will only process your personal information to the extent necessary to solve your case. We will also store certain information regarding usage of the SAS App to be able to debug technical issues. The legal basis for this processing is our legitimate interest in providing you service and support, see GDPR art. 6 no 1 f. SAS save this data as long as we need in order to solve your case.

Historical flights

The SAS app has a feature which shows your flight history with SAS where you can view details of each flight such as origin and destination, date, flown kilometers, seat number and whether your boarded the flight. The legal basis for this processing is our legitimate interest in providing you this feature, see GDPR art. 6 no 1 f.

Bag tracking

With this feature you can track your checked-in luggage and view where your bag is located at the moment based on where the bag tag was last scanned.

Location

The SAS app may with your consent collect information about your geographical position. This feature is used when you book a flight in the SAS app to enable us to show you the closest airport for departure by using the location of your device. Such data is not collected or saved by SAS and you can control you consent in the SAS app settings of your device. The legal basis for this processing is your consent, see GDPR art. 6 no 1 a. The data is saved for as long as we have your consent.

You have several rights related to your personal data. You can exercise your rights at Manage Personal Data.

Revocation of consent

If we process information about you based on your consent, for example through cookies or in the SAS App, you have the right to revoke your consent at any point in time. We will then terminate the processing of the personal data that is based on your consent.

Correction

If your personal data that SAS processes are incorrect or incomplete, you can call our customer service that will help you correct or complete your data. You can find the contact information to our customer service here.

Right to restrict the processing

In certain circumstances, you have the right to restrict our use of your personal data, which means you can limit the way SAS use your personal data. This is an alternative to requesting the erasure of your data, see below. This means that SAS will stop using the data except for storing it.

Right to access

You have the right to request a copy of your personal data Use following link to send a request for accessing your data. If you have any issues using the template online, contact the DPO that will assist you. You can read more about this process on our website under “manage my data”.

Right to complain

It is important for us that you feel confident that SAS process your personal data with the utmost respect. If you are uncertain as to how SAS is processing your personal data or have any complaints, you are welcome to contact our Data Protection Officer. You also have the possibility of submitting a grievance to the Swedish Data Protection Authority or the data protection authority of your country.

Right to object

You have the right to raise an objection at any point in time to the processing of your personal data that is based on our legitimate interest. If SAS cannot demonstrate compelling legitimate grounds for the processing of your data that outweighs your interests, rights and freedoms or that the processing is done for the establishment, exercise or defense of legal claims, then SAS will no longer process your personal data.

Right to data portability

You have the right to request to receive your personal data that we process in a machine-readable format, which you have the right to transfer to another company. This can be done if you want to reuse your personal data for your own purposes across different services.

Right to be forgotten

Your right to erasure means that you can request that we delete the personal data we have about you. We will do so without undue delay, unless we are legally required to process the information, e.g. for financial or accounting purposes, or we have another lawful reason to continue processing the data, e.g. for carrying out a requested travel. You can exercise your right here.

We may update this Privacy Policy at our discretion every now and then. The latest version will always be available on SAS home pages.

Processing of personal data in china

This section is applicable to customers located in the People's Republic of China (hereafter China) and describes how we collect, use, store, share and disclose your personal data in China and supplements other generally applicable sections of this Privacy Policy. If any inconsistency or deviation occurs, the provisions provided in this China section take precedence over provisions set out in other generally applicable sections of this Privacy Policy.

It applies to personal data we collect from or about you when you use SAS services, visit SAS websites, SAS WeChat official account or use any other internet sites operated by SAS that may be linked to this Privacy Policy, or contact our customer service team by calls, emails etc. By continuing to use our services, you agree to the collection and use of your personal data in accordance with the provisions of this Privacy Policy.

Updates

SAS reserves the right to modify the China section of this Privacy Policy and will post updated version of this policy in accordance with laws and regulations regarding data protection of China. To the extent SAS materially changes the China section of this Privacy Policy, SAS will inform you of such changes and, to the extent this affects the purposes and processing for which we have obtained your consent, we will re-seek your consent.

For the exercise of data protection rights and/or if you have any questions or comments regarding this China section of Privacy Policy, you are welcome to contact our Data Protection Officer at dataprotectionofficer@sas.se.

How does SAS collect & receive your information?

This part supplements “When and how do we process your personal data” of this Privacy Policy and section 3 of this China section. SAS may collect and receive personal data from the App users located in China through the Software Development Tools (SDKs) deployed on the SAS App. Depending on the SDK, the type of personal data collected and received via the SDKs may include, without limitation, the App user’s name, email address, phone number, mailing address, EuroBonus number, credit card information (to the extent a credit card transaction is being made through the App), passenger flight information, App usage metrics, and device information such as IP address. SAS may use such information to verify and authorize credit card transactions, to receive feedback about the App and services, and to track and analyze usage of the App.

Please find below list of the SDKs that are currently deployed on the SAS App operating in China. SAS may update this list of SDKs from time to time if any changes take place.

List of the SDKs deployed on the SAS App operating in China as of November 1, 2021:

SDKs (PDF, 98KB)

How sas uses your data

This part describes what personal data we collect about or from you, the purposes for which we use it, and why we use it for our basic and expanded business functions. Your personal data will be collected and processed in accordance with Personal Information Protection Law (“PIPL”) which came into force as of November 1, 2021, and any other laws and regulations of China that govern this area. Any processing of personal data that we perform is in accordance with the provisions of the privacy laws in China, and this data may only be used for the limited purposes discussed in this part.

Scandinavian Airlines System Denmark-Norway-Sweden is responsible for the processing of your personal data via SAS websites and in association with the use of SAS services.

In order to provide you with travel ticketing services and other SAS services and products, we need to collect and use certain personal data. Below lists the personal data that we may request you to provide to us or we may collect and use about you. Please understand that some service feature requires some personal data before it can be provided. After you exercise your right to object, we will be unable to continue providing the service corresponding to the personal data involved in the objection and we will no longer process your corresponding personal data.

We may request you to provide to us the following personal data:

Identification and contact information

Your gender, date of birth, ID No., passport No., nationality; your name, address, phone No., E-mail address; and the personal data of any other persons that you travel with (including their contact information). Such information will be used to pass to you or your contact person messages on flights and orders (including flight departure, security check, boarding, reimbursement, flight delay, insurance services and notification of accident), organize your itinerary, e-mail itinerary or other products to you, verify your identity, receive your comments on service quality, receive your complaints and suggestions, provide you with SAS services and products, and push to you, if you agree to receive, promotional and marketing messages. Please be noted, when you book for others the relevant services, you need to provide such passengers’ personal data, and, before providing us with their information, please make sure such passengers understand and agree to this Privacy Policy.

EuroBonus information

Your EuroBonus member account No. and flight information, mileage redemption recipient’s information, and minor member’s guardian information. Such information will be used to maintain you as our EuroBonus member, verify member identity and process your accumulation, reward and redemption of points and other services.

Profile account holder information

Your site profile account No., name, age, address and contact information. Such information will be used to maintain you as our profile account holder and manage your account and travels.

Data and images of identity documents required in business processing

ID card, passport, visa page, papers required by authorities for taking a flight, validity period, authorities of issuance, age or date of birth, gender, and their corresponding images. Such information and images will be used, in accordance with laws and regulations, to verify your identity when you book a ticket, check in, take a flight, process entry/exit formalities, purchase air insurance, enjoy SAS services and any other services.

Payment information

Your credit card No., billing address, credit card validity, orders and operation records, log and risk control information. Such information will be used, when you purchase a ticket, to maintain your payment information, verify your identity and provide you with SAS services.

Information to improve travel and other services

Emergency contact person, special service requirements and personal likes and dislikes (in-flight meals, location of seats in cabin, in-flight services). Such information will be used to improve and promote our service so that we can provide you with services that better address your needs and may push to you, subject to your agreement, our promotional and marketing messages.

Information required by public health authorities or other government agencies or collected to demonstrate your fitness to take the flight

Contact information, information regarding the presence or absence of possible COVID-19 or other global pandemic symptoms; information regarding potential exposure to COVID-19 or other global pandemic; information collected by our ground or reservations staff pursuant to directives by public health organizations or other government agencies. Such information will be used to comply with legal and regulatory requirements, determine your fitness to travel consistent with applicable government regulations and guidelines.

Any other personal data

We collect for the purpose of: making and operating connections between multiple flights and expediting baggage clearance across international borders; complying with certain regulatory requirements regarding emergencies and otherwise in relation to operating passenger flights; complying with certain regulatory requirements for verifying and authenticating your identity and have a legitimate business interest in complying with applicable legal and regulatory requirements; using this information to perform our contract with you; complying with certain requirements in the public interest such as to protect against risks to passenger and public health, and passenger and aircraft safety.

Please be noted that we will collect, store, use, and transfer your sensitive personal data for the purposes for which it was provided and otherwise in accordance with the terms of this privacy policy if you provide your explicit consent at the time of collection.

On what legal basis does sas process your personal data

Our legal basis for processing your personal data described above will depend on the personal data concerned and the specific circumstances where we process it. And we will generally collect personal data from you only where:

• we have obtained your consent to do so;

• such data is necessary for us to perform a contract with you;

• the processing is in our legal interests and not overridden by your rights;

• we have legal obligations to process your personal data from you or may otherwise need the personal data to protect your vital interest or that of other persons;

• it is necessary for responding to a public health emergency or for protecting life, health and property safety of a natural person;

• acts, such as news reporting and supervision by public opinions, are carried out for the public interest, and the processing of personal data is within a reasonable scope;

• it is necessary to process the personal data disclosed by the individual concerned or other personal data that has been legally disclosed within a reasonable scope in accordance with the provisions of PIPL and related laws and regulations; and

• other circumstances prescribed by laws and administrative regulations.

With whom does sas share your information?

We may share your personal data we collect or receive with:

• Other airlines and other companies that are involved in the provision of the service that you will make use of;

• Companies that are part of the booking and performance of your flight, e.g., travel agencies, freight forwarders and agents;

• IT providers and developer who ensure the operation and security of our IT systems on behalf of SAS;

• Credit card companies with which SAS collaborates to offer different payment solutions, such as MasterCard;

• Security companies and businesses that work with preventing and combating fraud;

• Companies within the SAS Group, including but not limited to SAS EuroBonus AB, SAS Link AB, Scandinavian Airlines Ireland Ltd, SAS Ground Handling A/S, SAS Ground Handling AS, SAS Ground Handling AB, SAS Cargo Group A/S, SAS Cargo Norway AS and SAS Cargo Sweden AB.

• Government agencies and authorities, law enforcement officials, law courts; or

• Third parties: (a) if we believe disclosure is required by applicable law, regulation or legal process (such as pursuant to judicial order); or (b) to protect and defend our rights, or the rights or safety of third parties, including to establish, make, or defend against legal claims.
  

Exercising your rights

SAS fully respects your right to know, access, rectify, restrict the processing of, delete your personal data etc.

Right of access

You have the right to obtain from us confirmation as to whether or not personal data about you is being processed, and, where that is the case, to request access to the personal data. The access information includes the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed.

You have the right to obtain a copy of the personal data undergoing processing. For additional copies requested by you, we may charge a reasonable fee based on our costs.

Right to rectify

You have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to delete

You have the right to request us to delete your personal data.

Right to object

You have the right to object at any time to the processing of your personal data by us for certain purposes. If you exercise this right to object, your personal data will no longer be processed for such purposes by us. Exercising this right will not incur any costs.

However, such a right to object may not exist in certain circumstances, e.g., if the processing of your personal data is necessary to take steps prior to entering a contract or to perform a contract already concluded.

Right to cancel account

You have the right to cancel a previously registered account at any time. Once completion of the cancellation of your account, all information therein will be deleted or anonymized and we will no longer collect, use or provide to third parties the personal data relating to the account. Nevertheless, the information provided by you or generated during your use of our services will need to be retained by us for the period required by laws and regulations, and authorities will have the right to access such information according to law during that legal retention period.

To exercise these rights, you can request erasure of personal data. For us to be able to verify your identity your written request should include your name and address and other such information that will help us identify you, such as:

• Any email addresses that you have used in communication with SAS

• EuroBonus number or TravelPass number

• Any telephone number you have used in communication with SAS (for example customer service cases)

• Booking number and/or flight number and date.

SAS must always ensure that it is the right person who is receiving the information about how we process their personal data. SAS will only disclose personal data if we can verify your identity in accordance with the above. After we receive a request to exercise one of these rights, we will provide information on the action we take on the request without undue delay and in any event within 30 days of receipt of the request. This time may be extended by a further 30 days in certain circumstances, for example, where requests are complex or numerous.

Security

Information security is important to SAS. We have adopted proper measures such as separate storage, encryption, access control, de-identification etc., in accordance with the requirements of data classification and categorization, to protect your information security from unauthorized access, disclosure, loss, misuse, alteration, and improper use of your information and avoid negative impact on your personal rights and interests.

Minors

SAS attaches great importance to the protection of minors' personal data. If you are a minor under the age of 14, you should obtain the written consent of your parents or legal guardians before using our products and/or services. For the collection of personal data of minors with the consent of their parents or legal guardians, we will only use or disclose this information with the permission of the law, the explicit consent of their parents or guardians or the necessary protection of the minors. If a minor has provided us with personal data without parental or guardian consent, the parent or guardian may contact us by emailing us at dataprotectionofficer@sas.se. We will remove the information and unsubscribe the child from any of our electronic marketing lists.