Privacy statement

In our privacy statement, we explain how we collect and use your personal data when you travel with us, visit our website, use our mobile app, or otherwise interact with us. Make sure to read the policy carefully.

Our privacy commitment to you

When you use our products and services, you trust us with your information. We find this relationship extremely important and promise the following to you.

  • We always process your data in accordance with the EU Data Protection Rules and other applicable privacy legislation to protect it from unauthorised access and to ensure safe data transfers.
  • We are transparent about how we use the data collected from you.
  • We make clear to you what your benefit is for sharing your data with us and match our communication with your needs and preferences.
  • We do this in easy-to-understand language throughout the whole KLM and partner airline journey.
  • We put you in control of your data and will use your feedback to improve continuously.
  • We ensure that your data is safe with us. In the unlikely event that your data has been breached, we will make sure to stop the leak as soon as possible and inform you immediately.
  • If we need to disclose your data outside our organisation, we describe this explicitly in our privacy statement. We do not share, sell, or give your personal information to any outside organisation without your explicit consent.
  • We are trustworthy with your data and strive for international certifications (e.g. ISO-27001).

About this privacy statement

This privacy statement applies to all personal data that KLM processes when customers use our websites or mobile apps or contact us. We process your personal data primarily to handle your bookings, arrange your trips and purchases, and answer your questions. We may also use your data to send you offers adjusted to your interests and preferences.

In this privacy statement, we provide more information about the personal data we collect and use and what your rights are. For more information, please click on the relevant paragraph below.

Please check theFlying Blue privacy policyfor more information on the collection and use of your personal data in relation to our Flying Blue loyalty programme.

We are Koninklijke Luchtvaart Maatschappij NV (also known as KLM Royal Dutch Airlines or KLM), a Dutch airline, with its office at Amsterdamseweg 55, 1182 GP Amstelveen, The Netherlands.

KLM is part of the Air France-KLM Group. For more information, please check our website under“Corporate”. KLM is responsible for the collection and use of your personal data described in this privacy statement.

We offer our corporate loyalty programme Bluebiz in partnership with our group company Air France. Air France (Société Air France, S.A.) is an airline with offices at Rue de Paris 45, F-95747 Roissy CDG Cedex, France. We are jointly responsible for the collection and use of your personal data for the Bluebiz loyalty programme. We have an arrangement in place setting out our respective responsibilities for complying with applicable privacy legislation. In short, we have agreed that you can contact either KLM’s or Air France’s Privacy Office (see 8 “Your rights” below) if you wish to exercise your rights or have any complaints about the collection or use of your personal data. KLM and Air France will assist each other when necessary so as to ensure that you can exercise your rights. We work together to ensure that your questions and complaints are properly addressed.

With our subsidiary Transavia Airlines CV ('Transavia', also part of the Air France-KLM Group) we exchange personal data of passengers who have caused (serious) nuisance and who have been refused boarding (see also 2.1 (J), 4.1 (G) and 5.3 below). Transavia is an airline with its office at Piet Guilonardweg 15, 1117 EE Schiphol, The Netherlands. Together with Transavia, we are responsible for the processing of your personal data that takes place in the context of this exchange. A mutual arrangement sets out our respective responsibilities for compliance with applicable privacy laws including the exercise of your rights (see section 8 “Your rights” below).

In addition, KLM is a member of the SkyTeam Alliance, a global network of airlines that process personal data to provide passengers with the best possible travel experience. KLM, together with SkyTeam Airline Alliance Management Coöperatie U.A. and the other members of the SkyTeam Alliance, is responsible for this processing of your personal data. For more information, please refer to the SkyTeam Alliance joint privacy statement (seehere). A mutual arrangement defines our mutual responsibilities for compliance with applicable privacy laws including the exercise of your rights (see section 8 'Your rights' below').

2.1. Загальні положення Ми можемо збирати та використовувати наступні категорії особистих даних: (А) Прізвище, паспортні дані та інші ідентифікаційні дані Коли Ви здійснюєте резервування або бронювання рейсу з нами, ми збираємо Ваше прізвище, звертання, стать, дату народження, національність, країну проживання та паспортні дані. Якщо Ви здійснюєте резервування або бронювання рейсу для інших осіб, ми також збираємо їхні ідентифікаційні дані. Будь ласка, переконайтесь в тому, що вони усвідомлюють, що ми збираємо їх особисті дані та яким чином ми їх використовуємо. (Б) Ваші контактні дані та Ваш особистий рахунок або реєстраційні дані Ми можемо збирати Вашу адресу, номер телефону та електронну адресу. Якщо Ви реєструєтесь на послугу, подію, конкурс або кампанію, або створюєте особистий рахунок, ми також можемо записати Ваші деталі входу та інші дані, які Ви надали протягом реєстрації або заповнення облікової форми. Якщо Ви подорожуєте у справах, ми також збираємо інформацію про Вашу організацію, як її назва та адреса. (В) Інформація про Ваші резервування, бронювання та придбання Коли Ви здійснюєте резервування або бронюєте у нас рейс, ми збираємо та використовуємо дані про ваше резервування та бронювання. Ці дані можуть включати інформацію про Ваш рейс, ціни та дату резервування або бронювання. До того ж, ми збираємо та використовуємо інформацію про додаткові послуги (як от додатковий багаж, підвищення класу та WiFi на борту) та продукти, які Ви придбаєте у нас. (Г) Інформація, пов‘язана з Вашою подорожжю Коли Ви подорожуєте з нами, ми збираємо та використовуємо інформацію про Вашу подорож, як от Ваш маршрут, реєстрація онлайн або в аеропорту, мобільний або друкований посадковий талон та інформацію про Ваших супутників. Ми можемо також записати особливі медичні потреби або дієтичні вимоги та будь-яку додаткову підтримку, яку Ви потребуєте. Зазвичай, ми отримуємо підтвердження від третіх сторін, що полегшує біометричну посадку (як от за допомогою розпізнавання обличчя), що Вашу особу підтверджено. Якщо не вказано інше, ми не отримуємо жодних Ваших ідентифікаційних даних (як от зображення обличчя), крім особистих даних, які вже є у нашому розпорядженні (як наприклад паспортні дані). Детальніше про збір та використання Ваших особистих даних, як складової біометричної посадки, дізнайтесь у правилах конфіденційності організації, що забезпечує біометричну посадку. Перед посадкою або висадкою ми також можемо проводити перевірку стану здоров‘я або використовувати Ваші дані про стан здоров‘я, тому що по закону ми зобов‘язані так діяти, з міркувань суспільного інтересу в сфері охорони здоров‘я або за Вашої явної згоди. (Д) Інформація, пов‘язана з нашою корпоративною програмою лояльності Коли Ви стаєте учасником нашої корпоративної програми лояльності bluebiz, ми збираємо та використовуємо Ваш номер учасника, баланс blue credits, нагороди та переваги, вид та рівень участі та іншу інформацію. Ми також записуємо операції, за допомогою яких Ви заробляєте або витрачаєте бали blue credits. Поміж інших, ми записуємо вид операції (наприклад, рейс), дату операції, зароблені або витрачені бали blue credits, та постачальника послуг (Air France, KLM або партнер bluebiz). Ми можемо використовувати Ваші дані учасника Flying Blue для надання або просування наших послуг для Вас (дивіться п. 4.1 нижче). Будь ласка, ознайомтесь зправилами конфіденційності Flying Blueдля детальнішої інформації про особисті дані, які ми збираємо у зв‘язку з членством у Flying Blue. (Е) Наша комунікація з Вами Коли Ви відправляєте нам електронні листи або переписуєтесь з нами онлайн чи в соціальних мережах, ми реєструємо Ваші повідомлення. Коли Ви телефонуєте нам, наша служба підтримки реєструє ваші запитання або скарги в нашій базі даних. Ми також записуємо телефонні розмови з тренувальною метою та для запобігання шахрайству. Ми реєструємо Ваші комунікаційні вподобання, наприклад, коли Ви підписуєтесь на одну з наших розсилок новин або коли Ви бажаєте отримувати інформацію чи нагадування стосовно Вашого бронювання (як от Ваш посадковий талон та оновлення статусу рейсу) через канали, відмінні від електронної пошти (наприклад, WhatsApp, Messenger або WeChat). (Є) Інформація, яку ми збираємо, коли Ви користуєтесь нашими веб-сайтами, мобільними додатками або іншими цифровими послугами і. Коли Ви відвідуєте наші веб-сайти, користуєтеся нашими мобільними додатками або іншими цифровими послугами, ми можемо реєструвати Вашу IP-адресу, тип браузера, операційну систему, сайт, поведінку веб-перегляду та користування додатком. Ми збираємо дану інформацію за допомогою кукі-файлів та подібних технологій. Для отримання додаткової інформації, ознайомтесь, будь ласка, з нашимиПравилами кукі-файлів. Коли Ви відвідуєте наші веб-сайти через посилання в електронній пошті або коли Ви входите у Ваш рахунок KLM чи обліковий запис Flying Blue, ми можемо додавати інформацію, яку ми отримали за допомогою кукі-файлів або подібних технологій, до іншої інформації. іі. Ми отримуємо автоматичне повідомлення, коли Ви відкриваєте наші електронні листи або натискаєте на посилання у цих листах. Ми можемо комбінувати дану інформацію з іншими даними, які ми вже маємо про Вас. ііі. З Вашого дозволу, ми можемо отримувати дані про Ваше місцезнаходження. iv. Ви можете надавати нам згоду на доступ до певних даних, які зберігаються на Вашому мобільному телефоні, таких як фотографії та контакти. (Ж) Інформація про соціальні мережі Залежно від Ваших налаштувань соціальних мереж ми можемо одержувати інформацію від провайдера Вашої соціальної мережі. Наприклад, коли Ви входите у нашу систему через обліковий запис у соціальній мережі, ми можемо зібрати дані Вашого профілю у соціальній мережі, включно з Вашими контактними даними, інтересами та контактами. Ми також отримуємо статистику відвідування від Facebook, пов‘язану з нашою сторінкою у Facebook. Хоча KLM та Facebook спільно відповідають за дану статистику відвідування, Вашою відправною точкою контакту та опрацювання запитів по дотриманню Ваших прав та будь-яких скарг є Facebook Ireland Limited. Де це необхідно, ми допоможемо Facebook надавати відповіді на Ваші запити чи скарги. Детальніше щодо особистих даних, які ми отримуємо від провайдера соціальної мережі, та про те, як змінити Ваші налаштування, Ви можете дізнатись на наших веб-сайтах та правилах конфіденційності провайдерів соціальної мережі. (З) Дані, якими Ви вирішили поділитися з нами Ми збираємо та використовуємо дані, якими Ви вирішили поділитися з нами, наприклад, коли ділитеся Вашими інтересами та уподобаннями на нашому веб-сайті, залишаєте коментар на нашій сторінці у Facebook, заповнюєте анкету клієнта або подаєте заявку на участь у конкурсі. (И) Неконтрольована поведінка KLM має перелік пасажирів, які є небажаними на борту нашого літака, внаслідок неконтрольованої поведінки на землі або в одному з наших літаків. Неконтрольована поведінка може включати втручання в безпеку, порушення громадського порядку, навмисне заподіяння шкоди наземним працівникам, команді або пасажирам, або заподіяння шкоди нашому майну. Те саме стосується пасажирів, які допускають нецільове використання наших послуг (включаючи наші програми лояльності Flying Blue або bluebiz). Перелік пасажирів з неконтрольованою поведінкою та зловживаннями включає імена пасажирів, дати народження та номери квитків, та короткий опис випадків та тяжкості поведінки чи зловживання. Для детальнішої інформації, ознайомтесь з п. 4.1 (Є) нижче. 2.2 Спеціальні категорії особистих даних Деякі категорії особистих даних, як от дані, що розкривають расове чи етнічне походження, дані, що розкривають релігійні чи філософські переконання, дані, пов‘язані зі станом здоров‘я, а також особисті дані, що пов‘язані з кримінальними справами, є предметом суворіших правил в рамках законів про застосування конфіденційності. Ми збираємо та використовуємо дані категорії особистих даних, наприклад, для надання Вам підтримки або обладнання, відповідно до Ваших медичних потреб протягом Вашої подорожі, щоб задовольнити Ваші запити, щоб гарантувати безпеку на борту або дотримуватись вимог закону. Біометричні дані є також предметом суворіших правил. Однак, як пояснено в п. 2.1 (Г), зазвичай, ми не збираємо і не використовуємо Ваші біометричні дані. 

Дані правила конфіденційності не стосуються будь-яких послуг, які надаються Вам KLM Health Services. Їхні послуги відокремлені від наших послуг. Для детальнішої інформації про те, як KLM Health Services обробляє Ваші особисті дані, ознайомтесь зправилами конфіденційності на веб-сайті KLM Health Services. 2.3 Діти віком до 16 років Ми збираємо дані про дітей, якщо Ви надаєте нам інформацію про Вашу дитину, щодо рейсу, який Ви бронюєте або послуги чи продукту, які Ви придбаєте. У випадку, коли діти подорожують наодинці, ми записуємо не тільки контактні дані їх батьків чи офіційних представників, але також контактні дані осіб, які проводжають або зустрічають їх в аеропорту. 2.4 Особливі послуги, мобільні додатки, події, конкурси або кампанії Для особливих послуг, мобільних додатків, подій, конкурсів або кампаній ми можемо збирати інші види даних, ніж описані у цих правилах конфіденційності. Ми інформуємо Вас про це, коли Ви реєструєтесь на послугу, подію, конкурс або кампанію, або завантажуєте додаток.

We collect the categories of personal data referred to above in the following ways: (A) Personal data provided by you When you book a flight with us, create an online account, register for our corporate loyalty programme Bluebiz, contact us via social media, fill out a customer survey, contact our customer service, subscribe to receive our e-mails or mobile push notifications, submit an entry for a contest, or register for one of our events or campaigns. (B) Personal data received from your travel agent, our airline partners, and other companies involved in facilitating your trips We receive your data from these parties to handle your reservations and bookings and to arrange your trips and purchases. For example, when you book a flight through a travel agent or an online platform, we receive your identifying data, contact details, and booking details from those third parties. (C) Personal data received from partners that participate in our corporate loyalty programme The Bluebiz corporate loyalty programme is offered by KLM and Air France (please also see “Who we are” above). The programme allows you to save and spend blue credits with KLM and Air France and our airline loyalty partners. To that end, Air France and KLM exchange the booking data collected as part of our airline booking procedures (see 2.1 (C) above). We also share your personal data with our loyalty partners. If, for example, you purchase a service from one of our loyalty partners, they will share the Credits you have earned with us, so that we can update your balance. You can find a list of our airline loyalty partners on theBluebiz website. Our airline loyalty partners are independently responsible for the collection and use of your personal data. You can find more information on how they handle your personal data in their respective privacy policies. (D) When you use our website or mobile apps, we collect information using cookies and similar technologies KLM uses its own cookies and third-party cookies. For more information, please read ourcookie policy. (E) If you use social networks or search engine platforms, we may also receive information from these parties For more information, see 2.1 (H) above. (F) We receive certain information from the government, government agencies, the airport or affiliated organisations to maintain onboard safety and security KLM receives the names of persons who have been put on a blacklist by the State of the Netherlands or government agencies. For example, the names of passengers who have disembarked at Amsterdam Airport Schiphol and who have been found by the Royal Netherlands Marechaussee to be carrying illegal drugs. For more information, see 4.1 (G) below. At some airports, as part of applicable access controls, safety measures and security procedures (such as matching checked baggage to the correct passenger), your identity may be verified using biometric features. For more information, see 2(D) above. (G) If you exhibit unruly behaviour, we collect certain information for flight safety If you exhibit unruly behaviour before or during a flight, KLM will draw up an incident report. In addition to the data already provided to us in the context of your booking or reservation (e.g. name and date of birth), this report may also contain information originating from persons involved in the incident and/or charged with handling it. See also 2.1. (J) above.

4.1. Main purposes for which we use your personal data (A) To provide our services to you We use the information described under 2.1 (A) to (G) to handle your reservations and bookings and to arrange your trips and purchases. For example, we use your name, passport number, and other identifying information to issue your ticket. We use your contact details to inform you about changes in your flight status.

If the persons in your booking are members of our Flying Blue loyalty programme, we will use the contact details they provided to inform them about their flight and any changes in their flight status. Information about your specific medical needs are needed and will only be used to be able to ensure that you receive appropriate medical care. (B) To facilitate our Bluebiz corporate loyalty programme (C) To provide you with our online services and mobile apps and to ensure an enjoyable digital experience i. For example, we use your name and flight details when you use our app to check in for your flight. ii. Some of our online services and apps use your location, for example, to show you the nearest location of interest. iii. To offer you the best possible digital experience, we analyse your use of digital media, so that we can tailor our communication towards the digital channel or device that you use most (see 2.1 (G)). iv. If you break off your booking session on our website, we will send you an e-mail with a link to your booking session, so you can continue where you left off. You will receive similar e-mails if you break off booking sessions on the websites of our partner Airtrade. We will only send you such e-mails at your request or if you have agreed to receive updates and special offers from us by e-mail (see 4.1 (E)). You can withdraw your consent for such e-mails at any time by clicking on the unsubscribe link in the e-mail, by changing your communication preferences in your account (if available), or by contacting us (see 8 “Your Rights” below). (D) For statistical research i. General: we research general trends in the use of our services, loyalty programmes, websites, mobile apps, and social media, as well as trends in the behaviour and preferences of our customers, loyalty members and users. We use our research results to develop better services and offers for our customers, improve our loyalty programme, provide better customer service, and improve the design and content of our websites and mobile apps. ii. Categories of data: to perform our research, we may use the categories of personal data described at 2.1 (A) to (I) and the personal data we collect when you are a Flying Blue member (see ourFlying Blue privacy policyfor more information). We only use 'aggregated data' or 'pseudonymised data' for our research. This is data that cannot be traced back directly to you because all directly identifiable elements (e.g. names and e-mail addresses) are removed or encoded and given a number. We take appropriate measures to ensure that only a limited group of employees has access to the data set. iii. Example: if our research into booking details and data about additional services purchased (extra baggage, upgrades) shows that passengers travelling long distances are more inclined to purchase extra legroom, we may use that information to offer extra legroom more prominently for long-distance flights. iv. Legal basis and right to object: we collect and use your personal data for our legitimate interests described above (see sub (i) “General”). You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data for statistical research (see 8 “Your rights” below). (E) Marketing purposes i. General: we may use your personal data for direct marketing purposes. In this paragraph, we explain how we use your data for these purposes. ii. Channels: we use various channels such as e-mail, mobile push notifications, our own websites and apps and websites and apps of third parties, social media and postal mail for marketing purposes. For example: – Booking related e-mails: if you book a flight, you will receive multiple e-mails regarding your booking (e.g. your booking confirmation, information about checking in and boarding). Those e-mails contain advertisements and offers tailored to you and your flight. You can always unsubscribe from personalised advertisements and offers (see point iv below). – E-mails from KLM with KLM updates and offers: when you book a flight with us, you will also receive e-mails from us containing KLM updates and offers tailored to your interests, such as our newsletter. You will also then receive e-mails from us on specific occasions, such as a special offer on your birthday or personalised offers for your next trip within a few months of your return. You can unsubscribe from these emails during the booking process and at any time thereafter (see point iv below). In some countries, you will receive these e-mails only if you have opted in beforehand. – E-mails from KLM with third-party updates and offers: you can subscribe to receive e-mails from KLM with third-party updates and offers. In addition to offers for our own services, these e-mails contain offers from our partners, such as offers for hotels from our partner Booking.com or car rental options from our partner Hertz. – Direct messages through other communication channels: with your consent, we use other communication channels to send you direct messages with personalised advertisements and special offers, such as postal mail, mobile push notifications or social channels (e.g. Messenger, WhatsApp, or WeChat). You can also sign up for push notifications with updates and offers from KLM partners in the KLM mobile app. - Display relevant information and personalised advertisements on our own websites and apps and on third-party websites and apps: see our cookie policy. We may also use your personal data to exclude you from advertisements which are no longer relevant for you. - Custom audience targeting through social media platforms: you may choose to receive personalised advertisements and offers on the social media platforms you use. In order to display relevant information and personalised advertisements through various channels and to measure the reach and effectiveness of our advertisements, we may share certain identifiers (such as your e-mail address, telephone number or your IP address) with third parties. Where possible, we share these identifiers only in pseudonymised ('hashed') format. For marketing purposes, we use Meta's Custom Audience programme, for example. This programme allows us, among other things, to display personalised advertisements and offers in your newsfeed on Meta platforms, such as Facebook Messenger and Instagram. We only provide identifiers to Meta so that Meta can check whether you have an account on one of Meta's platforms. Meta, in turn, only provides us with aggregated data about the effectiveness of an advertising campaign. This is data that cannot be traced directly back to you. This way, we try to make every effort to keep your personal data secure and confidential. To determine our audience for a specific ad campaign, we may use your booking details or the data we collect when you use our websites, mobile apps, or other digital media. In addition, Meta may use the personal data it collects about you to compile a similar audience. This allows us to reach a new audience through Meta. Learn more about howMeta uses your data for its custom audience programmeandhow you can control how information about you is used by Meta to personalise the ads you see. You can also checkMeta's privacy policy. We may participate in similar programmes offered by other third parties to display relevant information and personalised advertisements via other channels. These may for example include programmes offered by other social media platforms (such as Twitter, LinkedIn and Pinterest), but also search engine platforms (such as Google and Microsoft Bing) and third-party websites (such as Partnerize, Skyscanner and TripAdvisor). Please check the privacy policies of these third parties for more information. If you no longer want us to include you in the programmes we use to display relevant information and personalised advertisements via various channels, please send an e-mail toKLMPrivacyOffice@klm.comto withdraw your consent. When sending this e-mail, please use the e-mail address for which you would like to withdraw your consent.

iii. Personalised offers: we aim to make advertisements and offers as relevant as possible for you. To that end, we may analyse the categories of personal data described in 2.1 (A) to (I), 4.1 (C) (statistical research data) and the personal data we collect when you are a Flying Blue member (see ourFlying Blue privacy policyfor more information). We use the results of this analysis to personalise advertisements and offers. For example, with your consent, we may send you an e-mail after you return from a trip with offers based on your booking history, to offer you inspiration for your next trip. We may also use your booking history (e.g. travel for pleasure or business, cabin class, destination, Flying Blue member) to provide you with a discount for an upgrade or extra baggage. iv. Legal basis and right to object: unless indicated otherwise, we collect and use your personal data as described in this section 4.1 (E) for our legitimate interests and the interests of third parties. You have the right to object to the use of your personal data for direct marketing purposes, including related profiling activities, at any time (see 8 “Your rights” below). v. Unsubscribe: you can always unsubscribe from receiving personalised advertisements and offers. Please find below an explanation of how you can unsubscribe. – E-mails: you may unsubscribe at any time from advertisements and offers in our e-mails regarding your booking and our e-mails with KLM updates and offers and our loyalty programmes and from e-mails to which you have subscribed by clicking the unsubscribe link in the email. In many cases, you can also unsubscribe by changing your communication preferences in your account. If you unsubscribe, you will only receive e-mails necessary to be able to use our services (such as your booking confirmation, e-ticket or communication about a change in your flight schedule) and to participate in our loyalty programme (such as a welcome message to members). – Postal mail: you may unsubscribe from receiving personalised advertisements and special offers by postal mail by contacting us (see 8 “Your rights” below). – Other communication channels: if you have opted to receive personalised advertisements and offers through mobile push notifications, you can unsubscribe by changing your smartphone settings (for mobile push notifications). Visit the website of the social media platform for more information on how to unsubscribe from receiving personalised advertisements and offers through social channels (e.g. Messenger, WhatsApp, and WeChat). – Contact our Privacy Offices: you may always contact us to unsubscribe from receiving messages containing advertisements and offers (see 8 “Your rights” below).

(F) To communicate with you We use your contact details to communicate with you about our services or loyalty programme, to answer your questions, or to address your complaints. 

(G) Passengers who exhibit unruly behaviour or misuse our services i. General: KLM maintains lists of passengers who have exhibited unruly behaviour or misused our services (see 2.1 (J) above). Depending on the severity of the behaviour, KLM may (i) for a period of three years attach additional conditions to their admission on board or (ii) for a period of (in principle) five years refuse them on board. In case of aggravating circumstances (such as repeated misconduct), KLM may decide to refuse a passenger for a period exceeding five years. In very severe cases, KLM may even decide to refuse a passenger permanently. We apply different guidelines for processing this special information in respect of children. Children under the age of 15 who exhibit unruly behaviour are not registered on the list. As for children aged 15 to 16, KLM may attach conditions to their admission for a maximum period of one year. Passengers who have been refused entry for five years or more will be personally informed (if possible, by e-mail) of the fact that they have been placed on the list, the reason for placement, what security measures have been imposed on them, how long these measures will be effective and where they can file a complaint or object to the placement. More information about access to or correction of this data can be found below under 8 'Your rights'. ii. Illegal drugs: KLM receives from the State of the Netherlands the names of passengers who have disembarked at Amsterdam Airport Schiphol and who have been found by the Royal Netherlands Marechaussee to be carrying illegal drugs. KLM may refuse to enter into any transport contract with these persons for a period of 3 years for direct flights from Amsterdam Airport Schiphol to Suriname, Aruba, Bonaire, St. Maarten, or Curaçao and direct flights from these countries to Schiphol. You may request permission to access or rectify this data by submitting a written request to that effect to the Royal Netherlands Marechaussee, PO Box 90615, 2509 LP The Hague, The Netherlands. If you reside in Aruba, the Netherlands Antilles, Suriname or Venezuela, you must enclose a copy of your passport with your written request. 

(H) To conduct our business operations or to comply with statutory obligations We collect, use and retain your personal data to conduct our business operations, such as conducting flights, ensuring flight safety and for record-keeping purposes. We also process your data to improve our business operations. For example, we use recordings of telephone calls to train our customer service staff (see 2.1 (F)). Furthermore, we process your personal data to comply with our legal and tax obligations and for the purposes of fraud prevention and control, and dispute resolution. In the case of fraud or misuse of our services, we may enter your personal data in our internal fraud control and warning systems (see 4.1 (G) above). 4.2 Specific services, apps, events, contests, or campaigns For specific services, apps, events, contests, or campaigns, we may use your personal data for purposes other than those described in this privacy statement. We will inform you about those purposes when you register for the service, event, contest, or campaign, or when you download the relevant app. 4.3 Legal basis We may collect and use your personal data only if we have a legal basis for doing so. In many cases, we need your personal data to receive your booking, arrange your flight or purchases, facilitate your participation in our loyalty programmes, or to answer your questions (see 4.1 (A), (B) and (G) above). In those cases, the legal basis for processing your data is 'necessary for the performance of a contract'. If you have consented to the collection and use of your personal data (which consent you may withdraw at any time, see 8 “Your rights” below), we will collect and use your data based on that consent. In certain cases, we may use your personal data if we or third parties have a legitimate interest in doing so. We will always consider all interests carefully: your interests, the interests of others, and KLM's interests. Based on our legitimate interest, we will collect and use your data for, for instance, flight safety, statistical research, or direct marketing purposes, or to offer personalised discounts and offers (see 4.1 (C), (D),(E) and (G) above for more information). We may have a legal obligation to collect and use your data, for example, to satisfy immigration formalities (see 4.1 (H). If you refuse to provide the personal data that we need to perform the contract we have concluded with you or to comply with a legal obligation, we may not be able to provide all the services you have requested from us. Consequently, we may have to cancel your flight, or we may not be able to provide you with the additional services you have requested. If you provide incomplete or inaccurate information, we may be forced to deny you boarding or entry into a foreign territory.

5.1. General We may share your personal data with third parties in the following cases: (A) To facilitate your bookings and trips To handle your reservations and bookings and to arrange your trips and purchases, we often need to share your personal data with our partner airlines, airport operators, and other companies involved in facilitating your trip (see 3.1 (B) above, “How we collect your data”). We also exchange your data with SkyTeam and SkyTeam Alliance members to provide you with a more seamless travel experience (see section 1 above). (B) For our Bluebiz corporate loyalty programme For more information, see “Who we are” and 3.1 (C) under “How we collect your data”. (C) Regarding corporate accounts If you book a flight using your employer's corporate account, your employer will have access to certain booking details, such as the ticket price, travel dates, and your destination. Your employer is independently responsible for how it collects and uses your personal data and informs you about it. (D) For support or additional services To provide our services, we use the support or additional services of third parties, such as IT suppliers, social media providers, marketing agencies, and screening service providers. All such third parties are required to adequately safeguard your personal data and only use such data in accordance with our instructions. The Air France-KLM group carries out its business operations using centralised databases and systems. Those central databases and systems may be hosted or managed by one group company for other group companies. In addition, for efficiency purposes, certain operational functions may be performed by one group company for other group companies. This means that our group companies may have access to your personal data for these purposes. Our group companies may only use your personal data as required for the relevant business function and in accordance with this privacy statement. (E) Regarding payment services To process payments for your trips and purchases, we may work with third parties that offer payment services. In many cases, those payment service providers also conduct fraud checks. They operate their own privacy policies in terms of the way in which they use your personal data. (F) Personalised marketing through social media platforms For more information, see 4.1 (E) under “Purposes for which we use your data”. (G) To enable our partners to tailor their services to your trip We may share your non-personalised information (destination, travel date, and duration of the trip) with partners that offer additional services (e.g. hotel accommodations, car rental services) so that they can provide you with offers tailored to your trip. Our partners operate their own privacy policies in terms of the way in which they use your personal data. 5.2. Specific services, apps, events, contests, or campaigns For specific services, apps, events, contests, or campaigns, we may share your data with third parties other than those described in this privacy statement, for example, when we organise a campaign or an event in collaboration with a partner or when we integrate their services into our apps. We will inform you about this when you register for the service, event, contest, or campaign, or when you download the app. 5.3. Data exchange with Transavia

Airlines have an obligation to guarantee flight safety. For this purpose, KLM takes certain (necessary) security measures. For example, KLM keeps a list of passengers who have exhibited unruly behaviour on the ground or on board (see 2.1. (J) and 4.2 (G) above). Based on this list, KLM can (i) for a period of three years attach additional conditions to their admission on board or (ii) for a certain period refuse them on board. Transavia, KLM’s subsidiary, maintains a similar list. To increase the scope of the internal security measures taken, KLM and Transavia exchange the personal data of passengers of whom has been decided that they must be refused boarding (see 4.1. (G) above). A person who is refused by KLM will now also be refused on board Transavia flights (and vice versa). If you have exhibited unruly behaviour and this has led to registration on the list, you will be personally informed about this by the airline where the unruly behaviour took place.

5.4 Government agencies (A) General We may be legally required to collect your personal data before you travel to another country and share it with the government agencies in the countries on your itinerary. For example, we may be legally required to collect and share your identifying data and your booking and travel information with those agencies for purposes of border control, immigration formalities, entering a country, or combatting terrorism or other serious crimes (see 5.4 (B) below). If you depart from certain countries, in specific cases we are required by law to make a copy of your passport and provide it to the Dutch government upon request. We may also be statutorily required to share your health data with the government agencies in the countries on your itinerary for public health purposes (see 2.1 (D) above). (B) PNR and API data i. General: under applicable European and local laws and regulations, we are required to disclose PNR and API data to certain government agencies.

ii. PNR (Passenger Name Record) data: These are data we collect from you for the purpose of processing your booking and carrying out your flight, including your name and contact details, booking number and booking date, travel and ticket information (such as travel dates and itinerary, flight number and ticket number), payment information, information on your travel status (check-in or no-show information), seat information, baggage information and your Flying Blue number. European Directive 2016/681 and applicable local laws and regulations require us to provide your PNR data to certain government bodies. For example, for each flight to the Netherlands or from the Netherlands to another country (both within and outside the EU), we are required to provide PNR data of passengers to the Passenger Information Unit of the Netherlands (seehere) and the EU country of destination or from which the flight departs. Which foreign Passenger Information Unit we transfer your PNR data to therefore depends on your travel itinerary.Hereyou will find a list with the names of all EU Passenger Information Units. For flights from the Netherlands to a country outside the EU and of flights from outside the EU to the Netherlands, we also provide PNR data of passengers to Dutch Customs.

iii. API (Advance Passenger Information) data: These are data about you, your travel document and your flight and booking, including your name, gender, date of birth and nationality, the nature, number, date and place of issue and expiry of the travel document, flight number, dates and route of travel, and booking number. Pursuant to European Directive 2004/82 and applicable local laws and regulations, for every flight from a country outside the EU or Schengenareato the Netherlands, we are obliged to provide API data to (the API centre of) the Royal Netherlands Marechaussee. iv. Country specifics:  - France: under Article L 237 -7 of the French Homeland Security Code, KLM may need to transmit your reservation, checking and boarding data (API/PNR) to the French national public services and competent authorities for the purposes of and subject to conditions as defined in Decree No 2014-1095 dated 26 September 2014, as amended by Decree No 2018/714 dated 3 August 2018. 5.5. Third-party websites Our websites and mobile apps contain links to third-party websites. If you follow those links, you will leave our websites or mobile apps. This privacy statement does not apply to the websites of third parties. For more information on how they handle your personal data, please check their privacy and/or cookie policies (if available).

6.1. Security (A) Our commitment Ensuring the security and confidentiality of your personal data is our priority. Taking into account the nature of your personal data and the risks of processing, we have put in place all appropriate technical and organisational measures as required by applicable legal provisions (in particular Article 32 of the General Data Protection Regulation (GDPR)) so as to ensure an appropriate level of security and, in particular, to prevent any accidental or unlawful destruction, loss, alteration, disclosure, intrusion of or unauthorised access to these data. (B) The security measures we have taken i. Banking transactions: we are required to comply with the Data Security Standard for the Payment Card Industry (the PCI DSS standard) issued by the PCI Security Standards Council (PCI SSC). This standard was created to increase control over cardholder information so as to reduce the fraudulent use of payment instruments. All KLM service providers required to process bank card data must comply with the PCI DSS standard. We strive to combat identity theft on the Internet. For this reason, we use, for example, a device for detecting fraudulent payments designed to protect you in the event of loss or theft of your bank card. ii. Organisational measures: we have implemented and maintain various organisational measures intended to strengthen the awareness and accountability of our employees. We have programmes in place designed both to ensure awareness and to promote the sharing of good practices and safety standards. In this context, a rich collection of documents on information security challenges and privacy protection have been made available to our employees. iii. Technical measures: we strictly control physical and logical access to internal servers hosting or processing your personal data. We protect our network with state-of-the-art hardware devices (Firewall, IDS, DLP etc.) as well as architectures (including secure protocols such as TLS 1.2) in order to prevent and limit the risk of cybercrime. (C) The evolution of our security systems To maintain an appropriate level of security, we have internal processes in place based on the best standards (in particular, the ISO 27000 family of standards). We rely on dedicated experts to guarantee the best possible level of protection. In this regard, we maintain a privileged relationship with the NCSC (National Cyber Security Centre). 

(D) How to protect yourself Personal data security and confidentiality depend on everyone's best practices. When you make a reservation, you will be sent file references . These booking references must remain confidential at all times. Disclosing them to other passengers may allow them access to your booking information through our systems or those of third parties involved in delivering your trip (e.g. travel agencies or online search and booking sites). If you are travelling with others and do not want your personal information disclosed to them, we recommend making separate reservations. We also advise you not to disclose the passwords you use to access our services to third parties, to log out of your profile and social account systematically (especially in the case of linked accounts), and to close the browser window at the end of your session, especially if you are accessing the Internet from a public computer. This will prevent other users from accessing your personal data. To avoid the risk of hacking, we recommend using different passwords for every online service you use. We cannot be held responsible for theft of your data on a platform that is not managed by us. In addition, we strongly recommend that you do not distribute to third parties documents issued by KLM containing your personal data (your boarding pass, ticket number, etc.) or other information related to your trip or to publish these on social networks. If you decide to publish these documents on social media, you are responsible for consulting and understanding the general conditions of use, information security practices and privacy policies applicable to those third-party social networks. We cannot be held responsible for how data is processed, stored or disclosed on these platforms. To find out more about our IT security measures, please consult our IT security portal. (E) Management of security incidents There is no such thing as ‘zero risk’ and even if we implement all the security measures recognised as appropriate, unforeseen things can happen. We have specific procedures and resources in place to manage security incidents under the best possible conditions. We have also set up a specific procedure for assessing possible breaches of security that could lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to your personal data, for notifying the competent supervisory authority within the period stipulated by applicable law, and for warning you when a breach is likely to result in a high risk to your rights and freedoms. Tests are carried out periodically to verify the functioning of the security installations and adequacy of the procedures and devices deployed. 6.2. Retention 

We do not keep your personal data for any longer than is necessary. How long your personal data is retained depends on the purposes for which the data is processed and the applicable statutory retention periods.

7.1. KLM may transfer your personal data to countries other than your country of residence including to countries outside the European Economic Area. This is done to handle your booking or arrange your trip, or because our group companies, partners, or service providers provide their services from other countries. You can find the destinations we fly to on our website under “Flight Status”. The laws of the countries to which we transfer your personal data may not always offer the same level of personal data protection. 7.2. If you fly to a destination in a country other than your country of residence, transferring your personal data to that country is often necessary to provide our services to you. If no adequacy decision under Article 45 AVG has been adopted by the European Commission for the country to which your personal data will be transferred (European Commission website with current adequacy decisions), KLM will ensure that appropriate safeguards are in place, to meet the requirements for the international transfer of personal data. For the transfer of personal data to countries outside the European Economic Area, KLM will in most cases use standard contractual clauses approved by the European Commission within the meaning of Article 46(2)(c) AVG as appropriate safeguards. For more information on the standard contractual clauses, please refer to the European Commission'sImplementing Decision. If you would like more information on the appropriate safeguards provided by KLM, please contact KLM's Privacy Office (see section 8 'Your rights' below). 7.3. We may be obliged to transfer your personal data to government agencies in the countries of your itinerary (see 5.4 above).

8.1. You may contact our Privacy Office (see 8.4 below) to exercise any of the rights you are granted under applicable data protection laws, including (A) the right to access your data, (B) to rectify your data, (C) to erase your data, (D) to restrict the processing of your data, (E) the right to data portability, and (F) the right to object to processing. We explain more about these rights below. Please note that there may be circumstances in which we cannot or may not fully comply with your request. See section 8.3 for more information. (A) Right to access You may ask us whether we collect or use any of your personal data and, if so, to receive access to that data in the form of a copy. (B) Right to rectification You have the right to have your data rectified if it is inaccurate or incomplete. Upon request, we will correct inaccurate personal data about you and, taking into account the purposes of the processing, complete incomplete personal data, which may include the provision of a supplementary statement. (C) Right to erasure You have the right to have your personal data erased. This means that we will delete your data. Erasure of your personal data only takes place in certain cases, as prescribed by law and listed in Article 17 of the General Data Protection Regulation (GDPR). This includes situations where your personal data is no longer necessary for the purposes for which it was originally processed and situations where your data was processed unlawfully. Due to the way in which we maintain certain services, it may take some time before backup copies are erased. (D) Right to restriction of processing You have the right to obtain a restriction on the processing of your personal data. This means that we will suspend the processing of your data for a certain period. Circumstances which may give rise to this right include situations where the accuracy of your personal data is contested, and we need some time to verify its (in)accuracy. This right does not prevent us from continuing to store your personal data. We will inform you before the restriction is lifted. (E) Right to data portability Your right to data portability entails that you may ask us to provide you with your personal data in a structured, commonly used and machine-readable format, and have such data transmitted directly to another controller, where technically feasible. Upon request and where this is technically feasible, we will transmit your personal data directly to the other controller. (F) Right to object You have the right to object to the processing of your personal data. This means you may ask us to no longer process your personal data. This only applies if the 'legitimate interests' ground (including profiling) constitutes the legal basis for processing (see 4.3 “Legal basis” above). You can object to direct marketing at any time and at no cost to you if your personal data is processed for this purposes, which includes profiling to the extent that it is related to direct marketing. If you exercise this right, we will no longer process your personal data for such purposes. 8.2. Withdrawal of consent You may withdraw your consent at any time by following the specific instructions concerning the processing for which you provided your consent. For example, you can withdraw consent by clicking the unsubscribe link in the e-mail, adjusting your communication preferences in your account (if available), or changing your smartphone settings (for mobile push notifications and location data). You may also contact KLM’s Privacy Office. In relation to Bluebiz e-mails, you may also contact Air France’s Privacy Office. For more information on how you can withdraw your consent for cookies and similar technologies we use when you visit our websites or use our mobile apps, please check ourcookie policy. 8.3. Denial or restriction of rights There may be situations where we are entitled to deny or restrict your rights as described in 8.1 above. In all cases, we will carefully assess whether such an exemption applies, and inform you accordingly. We may, for example, deny your request for access when necessary to protect the rights and freedoms of other individuals, or refuse to delete your personal data in case the processing of such data is necessary for compliance with legal obligations. The right to data portability, for example, does not apply if the personal data was not provided by you or if we process the data on grounds other than your consent or for the performance of a contract. 8.4. Privacy Office (A) General If you wish to exercise your rights, please send your request to KLM’s Privacy Office: KLM Royal Dutch Airlines Privacy Office - AMSPI PO Box 7700 NL-1117 ZL Luchthaven Schiphol The Netherlands E-mail:KLMPrivacyOffice@klm.com(B) Bluebiz If you wish to exercise your rights concerning the processing of your personal data in relation to Bluebiz, you may also contact Air France’s Privacy Office: Air France Délégué à la Protection des Données / Data Protection Officer - ST.AJ IL 45, rue de Paris 95747 Roissy CDG Cedex France E-mail:mail.data.protection@airfrance.fr

(C) Transavia flight If you want to exercise your rights with regard to the processing of your personal data as a result of unruly behaviour exhibited by you before or during a Transavia flight, you can contact the Transavia Privacy Office: Transavia Privacy Office PO Box 7777 1118 ZM Schiphol Airport The Netherlands E-mail:privacyoffice@transavia.com

(D) Skyteam Alliance If you wish to exercise your rights regarding the processing of your personal data within the framework of the SkyTeam Alliance, please contact KLM's Privacy Office:

KLM Privacy Office - AMSPI Postbus 7700 1117 ZL Luchthaven Schipol The Netherlands E-mail:KLMPrivacyOffice@klm.com

8.5. Questions, comments or complaints If you have any questions, comments or complaints about this privacy statement, please feel free to contact us. If your concerns have not been addressed to your satisfaction, you have the right to file a complaint with the competent supervisory authority. In the Netherlands, theDutch Data Protection Authority (Autoriteit Persoonsgegevens)in The Hague is responsible for monitoring compliance with privacy regulations.

9.1. This privacy statement took effect on 1 February 2024 and replaced our previous privacy policy of 15 September 2022. This privacy statement is amended from time to time. We will notify you of any changes before they take effect.