Privacy policy

Scandinavian Airlines System Denmark-Norway-Sweden is responsible for the processing of your personal data via SAS websites and in association with the use of SAS services. In this Privacy Policy, “SAS” refers to Scandinavian Airlines System Denmark-Norway-Sweden and all companies in which SAS AB (publ) directly or indirectly, from time to time, owns or controls more than 50 per cent of the shares. You can find our contact information in section 14 below.

SAS is the legal entity that is responsible for personal data in accordance with prevailing laws on data protection, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General data Protection Regulation, “GDPR”).

SAS has appointed a Data Protection Officer to help SAS ensure that your personal data is processed in the correct manner. You are welcome to contact our Data Protection Officer with questions or requests concerning our processing of your personal information by sending an email to data protection officer@sas.se. 

SAS collects personal data about you that you provide to us when you use our websites or our services, for example when you book a trip, when you contact our customer service or use our mobile app. 

In connection with your trip, SAS will process your personal data in accordance with a common industry standard for reservation and travel data in the airline and travel industry, referred to as Passenger Name Record (“PNR”) in electronic reservation systems. PNR data contains the passengers' name, address, contact information and relevant information regarding any such additional services requested, as well as travel data for a passenger or group of passengers who are traveling together. The purpose of a common industry standard is to create standardized processes for exchanging reservation and travel data between different airlines for passengers who are flying with more than one airline to reach their destination and to facilitate airport services for passengers, such as check-in and luggage handling. 

With your consent, we may also collect personal data about you from external sources, for example SAS partners (these can be companies that provide such services that you may consider purchasing in association with your trip, such as hotel chains and car rental companies), SAS EuroBonus partners or data from client registers that we have purchased from third parties. Data may also be obtained from social networks such as Facebook or Google that you have connected to some of our services.

Depending on how and to what extent you use SAS websites and SAS services, SAS may process different categories of information about you. We will only process information about you to fulfill an agreement with you, to meet a legal requirement, if SAS has a legitimate interest or if we have been given your consent to do so. See below for more information about which data we collect and why.

SAS collects your personal data for different purposes. The personal data that we collect and how we use it depends on which services you use and which (if any) membership and/or logins you have. SAS will use your personal data for the following purposes:

• To provide and administer the services that you have requested from us and to meet our commitments to you in your use of SAS services, for example in association with the management and administration of your bookings and payments. This may include the processing of information regarding travel arrangements and services that have not been provided by SAS but which constitute a part of the travel arrangements you have chosen, such as data about connections, airport arrangements and customs and immigration formalities.
• For administrative purposes, for example in order to be able to process your membership, accounting, invoicing and auditing, verification and control of debit cards, necessary immigration and customs checks, matters concerning health and safety, as well as other administrative and/or legal purposes (e.g. complaints and grievances) when justified.
• To be able to fulfill our agreement with you, for example by sending such information to you that is necessary with respect to the service you have purchased from us, for example information about booking status, any changes to your travel arrangements and similar.
• With your specific consent to one or more of the purposes below, we will also process your personal information in accordance with the following: 
• To market our services and those of our partners, for example by sending or offering newsletters, campaigns, special offers and other marketing offers that we think are relevant or might be of interest to you and to be able to offer you an individually customized and personal experience when you visit our websites, use our mobile app or make use of our services. See point 5.5 below on profiling. 
• Some general information about you and your profile may be shared with SAS partners in order for you to receive an individually customized experience when you visit our partners' websites.
• To improve, analyze, develop and maintain our services for the purpose of continuously improving our customer offer. This may occur, for example through internal analyzes or by involving external advisers.

To be able to fulfill our agreement with you (for example so that you can carry out your travel), we must process certain data about you. The information we process depends on which type of agreement we have concluded but in general we will process the following information: 

• Information that identifies you, such as name, address, date of birth, email address, telephone number, payment details, gender and passport number.
• Information about your bookings, your travel plans, your travel company, any booking preferences that require assistance or special diet and other information linked to your booking.
• Information that we obtained from external sources for example, information from SAS partners and other similar information, as well as information that we have obtained from someone else who has made a booking in your name.
• Information that you provide when you contact us in association with your travel, for example luggage check-in and aboard our flights, contact with our customer services (including audio recordings) or when you contact SAS via social media.
• Information attributable to any membership you have such as EuroBonus and if you are traveling under a company agreement, e.g. SAS Corporate Agreement and SAS Travel Pass.

When SAS has a legitimate interest

We may also process personal data based on a so-called balancing of interests. In such cases, processing occurs only when SAS or a third party has a legitimate interest that is greater than your interests or fundamental rights and freedoms for the protection of your personal data. 

We process the following personal data based on a balancing of interests:

• For internal business purposes and to the extent necessary to develop the SAS general customer offers and business model, we may process booking and travel data (for example booking history and purchase behavior) and customer service data. Our use of such information for statistical and analytical purposes will occur solely on an aggregated and non-individual level. 
• When you book a trip with us you will receive a confirmation from us. If you consent to this in accordance with the information below, in this confirmation you may also receive offers connected to the booking you have just made.

We will also process your personal data to prevent, examine or report cases of fraud or security issues and to cooperate with law enforcement bodies. It is usually in both parties’ interest that your data is processed. 

In order to meet legal requirements

SAS may also be statutorily liable to process and save certain personal data about you and will do so to the extent required by law. For example, the legal requirements with which SAS must comply may concern reporting, customs and immigration issues and law enforcement. 

If we have been given your consent

SAS will also process your personal data when we have been given your consent for processing. You have the right to revoke your consent at any point in time, please refer to point 13.1 below. 

We will only process the following data if we have been given your express, specific, informed and unambiguous consent:

• Your contact details in order to be able to contact you for marketing purposes (e.g. offers regarding EuroBonus membership), if you have booked a trip with us or registered to receive newsletters or offers via email.
• Information about your use of our services, including travel and booking history. 
• Information that we collect through cookies or other technologies in your computer or smartphone, includes type of web browser, operating system, type of device, how much time you have spent on SAS websites and which of our pages you visited, when you last visited SAS websites and which page led you there. Identification data for the devices (computers, smartphones, etc.) you use to make use of our services (device ID). See section 11 for more information about the use of cookies by SAS.
• We may also collect information about your personal characteristics (including your behavior and personal preferences), for example what interested you on other websites, for the purposes of being able to provide you with more relevant offers. This may involve so-called segmented information, meaning non-individual information, for example about a group of individuals and its preferences (in other words, we will not have detailed information about which pages you have visited or searches you have done). This may also be individual-based information about you that we have obtained from external sources, for example purchase history and other information from SAS partners, demographic data, price sensitivity and other similar information. We collect and link this information to be able to create an individual profile about you. For more information about profiling, see section 5.5 below.
• If you use our mobile app, we may collect information about your geographical position. Such location information is used, for example, to make your trip easier, to display advertisements that are relevant for your current location and for statistical compilation. 
• If you consent to us processing your geographical information but not to the information being collected via location services in your mobile, we can get information about your approximate geographical position from your use of our websites. For example, this can help us determine in which language we should present our websites for you.

What is profiling?

For those who have provided consent to additional processing of your personal data, the data will also be used to create a profile about you. Profiling means that your personal data is used to assess certain personal aspects about you, for example to analyze or predict your ability to pay, your personal preferences, interests, reliability, behavior, permanent residence or relocation. SAS does this to provide you with more personal assistance and offers that are of interest just to you, both through a personal, customized experience of our websites and through marketing distributions.

Information that is obtained from a SAS EuroBonus member or a visitor who is logged in is used to build an individual profile in order to make it possible for SAS to fulfill its obligations to you through agreements or in another manner and to provide you with a more flexible and individually customized experience when you use our services. Read more in our Privacy Policy for EuroBonus members and in our Privacy Policy for Profile Account Holders.

Some of the profiling that is conducted is based on so-called predictive models or “scoring.” For example, this may mean that we follow up on the outcome of earlier offers on the basis of a number of different variables (for example, who has opened it and who then went on to make a purchase), in order to then be able to target the right type of offer to the right category of recipient. 

SAS will only share your personal data with companies within the SAS Group except in the exemption situations described below. 

Because of mandatory requirements from foreign authorities and to make possible the execution of the travel plans you have chosen, SAS and other airlines may be under an obligation to provide foreign authorities access to certain PNR data and Advanced Passenger Information (“API”), with respect to passengers who are flying to, from or over countries both within and outside the European Union (“EU”) and the European Economic Area (“EEA”), including the USA. Such data is used primarily to prevent and combat terrorism and other serious crime. In addition, PNR and API are governed through Directive 2016/681/EU. For further information, including information about which countries that request access to this reservation data, please email our Data Protection Officer.

If it is necessary in order for us to be able to carry out your flight in accordance with the terms and conditions for travel, your personal data will also be shared with: 

• Other airlines and other companies that are involved in the provision of the service that you will make use of;
• Companies that are part of the booking and performance of your flight, e.g. travel agencies, freight forwarders and agents;
• IT providers and developer who ensure the operation and security of our IT systems on behalf of SAS;
• Credit card companies with which SAS collaborates to offer different payment solutions, such as MasterCard and American Express;
• Security companies and businesses that work with preventing and combating fraud; and 
• Authorities and law enforcement bodies.

If you have expressly and specifically consented to this or if you are a EuroBonus member, your personal data will be shared with SAS partners (for example, companies that provide such services that you may consider purchasing in association with your trip, such as hotel chains and car rental companies), SAS EuroBonus partners, credit reporting companies, social media providers and search engines. 

Personal data will be transferred between companies in the SAS Group, including for the implementation of our international flights, to administer and maintain your account and membership and for statistical purposes. 

Personal data that is shared within the SAS Group in this way will sometimes be transferred to countries that are not members of the EU or the EEA and that do not ensure a satisfactory level of security for personal data. Such transfers will be carried out in accordance with the prevailing law on data protection. 

When personal data is transferred to a non-EU/EEA country without satisfactory levels of protection for personal data, we will apply appropriate measures, usually by including a standard contractual clause that has been adopted by the European Commission. These standard contractual clauses can be found at the following link: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.

If there is a lack of both a decision on adequate levels of protection by the European Commission and established appropriate security measures in the form of standard contractual clauses in accordance with the above, we will transfer your personal data to companies within the SAS Group, based on the fact that it is necessary in order to fulfill the agreement we have with you. If you are an EuroBonus member, this will be EuroBonus terms and conditions and if you are the account holder, this will be profile account terms and conditions. 

We have taken extensive technical and organizational measures to protect your data from loss, abuse and unauthorized access. Processing and transfer of data between your web browser and our server is properly protected by encryption and we are continuously updating our security measures.

When you pay for any of our services using a card, all information is sent via a secure connection to ensure that your personal data cannot be read by third parties. The actors with whom we collaborate in terms of card payments are all certified in accordance with the international security standard PCI-DSS, which means a very high level of security for the processing of your card details.

We use subcontractors to be able to provide our services to you. Our subcontractors process your personal data only on behalf of SAS and in accordance with instructions issued by SAS. All subcontractors that process personal data on behalf of SAS have concluded personal data processing agreement with SAS in accordance with applicable law. SAS hires subcontractors in several different areas, for example for IT services like storage and operation. 

We will save your personal data as long as it is necessary with regard to the purpose of the processing. 

If you are an EuroBonus member or if you have created a profile account on our website, information about you will be saved as long as you are a member of EuroBonus or have an active account with SAS. 

If you book a trip with SAS, we will save your data for ten years after the trip is completed in order to meet legal and regulatory requirements and process any grievances and complaints. If you visit SAS websites without booking a trip, see section 10 for storage times with respect to cookies.

We use cookies on SAS websites. Cookies are small text files with information that is stored on your computer (or other internet connected devices, such as smartphones or tablets) when you visit a website. 

Cookies are used to get web pages to work more effectively but also to provide certain information to the owner of a home page. Cookies make it possible to differentiate different users from each other, which in turn can give respective users a more tailored and positive experience of the website.

SAS uses cookies that are necessary for the websites to work correctly so that you can navigate a website and use its functions.

SAS websites also use cookies to make it possible to optimize the functions of the websites, to improve your experience and to individualize future visits by remembering your user preferences. Such cookies are further intended to confirm when you log in to “My Pages” and to verify users. If you have consented to it, we will also use cookies for marketing and marketing surveys, including demographic studies, so that we can optimize and adapt the quality of our service for you. Furthermore, cookies are used to compile anonymous, aggregated statistics in order to understand how users use the websites and to help us improve the structure and content of these.

Some of the cookies used on SAS websites are so-called third party cookies, which are set by some of the partners of SAS. If you have consented to it, these third party cookies use information about your use of SAS websites, as well as other websites, for example which pages you visit or which advertisements you are interested in, in order to be able to provide advertisements later that are more customized for you, both on SAS websites and on other websites, so-called interest-based advertising. 

For more detailed information about our use of cookies, see our Cookie Policy.

We may change this Privacy Policy from time to time. In any case, we will communicate the change in good time before then and the updated version will always be available on SAS home pages. 

You have many rights concerning how we process your personal data. For example, you have the right to revoke your consent to a certain processing at any point in time, see next section. If you are an EuroBonus member or a profile account holder, by logging into your account you can easily revoke your consent for certain processing. The same applies to other rights in accordance with the information below. 

If you do not have any accounts with us or you need help, please contact our Data Protection Officer. 

Revocation of consent

If we process information about you based on your consent, you have the right to revoke your consent at any point in time by contacting our Data Protection Officer. We will then terminate the processing of the personal data that is based on your consent. You can only revoke your consent for future processing and not for processing that has already happened. If you revoke your consent, this may mean that for example, you can no longer receive similar tailored offers and that you cannot fully use some of our services.

You also have the right to decline marketing notifications. Every marketing notification that we send to you will contain a link that you can use if you wish to unsubscribe from further marketing distributions. 

Otherwise, at any time you can change your mind regarding the type of marketing notification that you wish to receive from SAS by contacting us.

If you are an EuroBonus member you can log in to your EuroBonus profile to change your marketing preferences. If you have registered on the SAS home page, you can change your preferences regarding marketing distribution by logging in to your profile account on our home page.

Note that although you have informed us of your wish to no longer receive marketing notifications, SAS will still send you such information that is necessary for SAS to be able to meet its commitments to you, for example booking confirmations and other information in connection with your booking with us. If you are an EuroBonus member, you will still receive such information that is necessary for us to be able to administer your membership.

Correction and deletion

If your personal data that SAS processes are incorrect, incomplete or irrelevant, you can either log in to your account and correct  the data or request that the data are corrected or deleted by emailing securedata@sas.se . Please note that deletion may mean that SAS cannot perform booked services and that your account may be terminated.

Right to restrict the processing 

You have the right to restrict the use of your personal data or request the termination of the use of your personal data. This will probably mean that SAS can no longer provide its services to you.

Right to read the data

If you want to get more information about how we process your personal data or if you want to know what kind of personal data about you that we process, you can request to obtain your personal data. You have the right to request a copy of your personal data from our register. If you are an EuroBonus member or have a site profile account, you can request an excerpt when you are logged in.

If you are not an EuroBonus member or have an account, you can email securedata@sas.se In order for us to be able to verify your identity your written request should include your name and address and other such information that will help us identify you, for example:

•  Any email addresses that you have used in communication with SAS
•  EuroBonus number or TravelPass number
•  Any telephone number you have used in communication with SAS (for example customer service cases)
•  Booking number and/or flight number and date.

SAS must always ensure that it is the right person who is receiving the information about how we process their personal data. SAS will only disclose personal data if we can verify your identity in accordance with the above. 

Right to complain

It is important for us that you feel safe and we will process your personal data with the utmost respect. If you still consider that SAS is processing your personal data in an incorrect manner, you are welcome to contact us. You also have the possibility of submitting a grievance to the Swedish Data Protection Authority.

Right to object

You have the right to raise an objection at any point in time to the processing of your personal data that is based on our legitimate interest in accordance with point 5.2 above. If SAS cannot demonstrate compelling legitimate grounds for the processing of your data that outweighs your interests, rights and freedoms or that the processing is done for the establishment, exercise or defence of legal claims, then SAS will no longer process your personal data. 

Right to data portability

You have the right to request to receive your personal data that we process in a machine-readable format, which you have the right to transfer to another Data Protection Officer.

Right to be forgotten

Your right to erasure means that you can request that we delete the personal data we have about you without undue delay, if it is no longer necessary for the purpose for which it was collected, if you revoke your consent and there is no other legal ground for the processing, if you object to the processing, or the erasure is necessary due to compliance with a legal obligations. However, this does not apply if the processing is necessary in order to exercise the right to freedom of expression and information, fulfill a legal obligation or a task of public interest or in order to determine, make applicable, establish, exercise or defend legal claims.

If you have any questions or points of view concerning SAS processing of personal data, SAS marketing or this Privacy Policy in general or if you request such information as specified in section 13 above, please contact our Data Protection Officer by email on dataprotectionofficer@sas.se

Privacy policy for profile account holders

In this privacy policy for profile account holders we explain how we collect and use your personal information. This  policy applies to all personal information we process about you when you travel with us, purchase or use our services, visit our websites, use our mobile applications or otherwise interact with us. View our full version of privacy policy for profile account holders.

Privacy policy for EuroBonus members

In this privacy policy for EuroBonus Members we explain how we collect and use your personal information. This  policy applies to all personal information we process about you when you travel with us, purchase or use our services, visit our websites, use our mobile applications or otherwise interact with us. View our full version of privacy policy for EuroBonus members.