We, Scandinavian Airlines System Denmark-Norway-Sweden, (“SAS”) and SAS EuroBonus AB, (“EB”), are jointly determining the purposes and means of the processing of personal data relating to SAS’ loyalty program SAS EuroBonus (the “EuroBonus Program”).
By jointly determining the purposes and means of processing, SAS and EB are acting as joint controllers under the GDPR . We have entered into a joint controller agreement on the sharing of personal data relating to the EuroBonus Program.
The purpose of this information is to provide you with the essence of our arrangement, specifically describing how we have determined and allocated our respective responsibilities for compliance with the obligations under the GDPR.
When allocating responsibilities for compliance with the obligations under the GDPR, we have taken the following factors into consideration: which entity is best positioned to perform the obligation; physical access to the personal data; decisive powers over the design and content of the EuroBonus Program; expectations from data subjects; which entity holds the agreements with partner organisations; and which entity holds the agreements with processors.
Each of SAS and EB will at all times comply with its respective obligations under all applicable laws relating to privacy and the protection and processing of personal data in each relevant jurisdiction.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing the Directive 95/46/EC (General Data Protection Regulation)
We have jointly determined the purposes of means of the processing of personal data under the joint controller arrangement. Each of SAS and EB has undertaken to ensure that personal data will only be collected for specific, explicit and legitimate purposes, and is adequate, relevant and limited to what is necessary to fulfil each purpose.
When processing personal data, each of SAS and EB is responsible for ensuring that personal data is: processed fairly and lawfully; not further processed in a manner that is incompatible with the purposes for which it was collected; at all times kept accurate; not retained or processed longer than necessary to carry out the agreed purposes unless required to do so under applicable law; and only processed in a manner that ensures appropriate security of personal data.
Each of SAS and EB will ensure that it has a proper legal basis under applicable data protection laws for the processing of personal data and they will consult with each other before making any amendments to the legal basis.
In the event that SAS or EB processes personal data based on consent, it is the entity obtaining consent from the data subject that is responsible for providing the data subject with relevant information before collecting the personal data, including information about how to withdraw consent.
SAS and EB have agreed that SAS is responsible for ensuring that data subjects can exercise their rights under applicable data protection laws. This includes having documented routines for data subject access requests, and procedures for responding to requests within the time limits imposed by applicable data protection laws.
We have designated the Data Protection Officer for SAS and EB to be the contact point for data subjects and towards any supervisory authority for any processing activities pursuant to the joint controller arrangement. The contact point may be reached at firstname.lastname@example.org. However, we acknowledge that data subjects and any supervisory authority may communicate with either SAS or EB as they prefer.