The passengers communicates his personal data to Aircalin or his accredited travel agent in order to make a reservation, to obtain complementary services, and to facilitate immigration formalities and entry to a foreign State. This personal data which has been communicated to the transporter as part of the purchased transport contract may be subjected to digital processing. This data is collected and processed in accordance with the law n° 78 – 7 of 6th January 1978, notably amended by law of 6th August 2004 and the law of 20th June 2018, as well as the General Regulations on the Protection of Data (EU Regulation 2016/679) ou ‘RGPD’, relating to computing, files and liberties.
This confidentiality policy is designed to present the passenger with information about the conditions and the eventual uses of the personal data processed by Aircalin, as well as the measures which are taken to ensure the protection of the data, in accordance with the regulations detailed below.
Aircalin commits to collect and process the passenger’s personal data in accordance with the fundamental principles of the RGPD. Each processing of personal data is thus validated by at least one of the following principles:
- The principles of lawfulness, fairness and transparency (Article 5.1 a.) of the RGPD) : Aircalin commits to collect and process the passenger’s personal data lawfully, fairly and transparently;
- The principle of purpose limitation (article 5.1 b) of the RGPD) : Aircalin commits to collect and process the passenger’s personal data only for specified, clear and legitimate purposes;
- The data minimisation principle (Article 5.1 c) of the RGPD) : Aircalin commits to collect and process only the personal data which is adequate, relevant and limited to what is necessary to achieve the stated purposes;
- The principle of accuracy (Article 5.1 d) of the RGPD) : Aircalin commits to update the data collected in order to ensure it remains correct;
- The principle of data retention limitation (Article 5.1 e) of the RGPD) : Aircalin commits to retain the passenger’s data for only the duration which is strictly necessary for its processing purposes;
- The principles of integrity and confidentiality (Article 5.1 f) of the RGPD) : Aircalin commits to put in place the strict security measures necessary to protect the passenger against any loss, destruction or the non-authorised processing of his personal data.
As part of its activities, Aircalin may collect personal data on the following occasions:
- During the use of the Aircalin website: IP address, travel preferences, cookies, connection codes, data relating to social networks (according to the network parameters set by the passenger);
- During the reservation of flights or tickets: surname, given name, sex, age, passport, telephone number, email address, postal addresse, bank account details (card number, expiry date…) as well as all the data constituting the PNR (‘Passenger Name Record’) data or those which are necessary for the execution of the transport contract in accordance with the passenger’s wishes (baggage preferences, supplements, seating, etc.);
- During the subscription to the FlyingBlue loyalty programme: name, given name, number of members, number of miles or credits, PNR data and flight history.
- During communications between Aircalin and the passenger, which includes the commercial communications agreed to by the passenger: name, given name, postal and email addresses, dates of birth, commercial preferences, survey responses, email or postal exchanges (including the unique client profile generated by the form completed by the passenger concerning his interests), mobile telephone number, PNR data, the passenger’s actions on the Aircalin website.
- During the improvement of customer service and Customer Relationship Management (‘CRM’), name, given name, commercial preferences, personal data communicated by the ‘customer space’, survey responses, electronic or postal exchanges, passenger’s reservation history as well as the persons travelling with him on the same reservation.
- During special requests relating to on-board catering, sensitive data may be collected which could, in certain cases, allow the passenger’s religion to be determined.
- During assistance to a passenger with reduced mobility, certain data, sensitive or not, may be collected concerning the health of the passenger. This data will be combined with other data (notably PNR data) in order to be able to offer the passenger adequate assistance.
- During a flight, certain data relating to behaviour may be collected or processed as this data may be linked to security, safety or the improvement of on-board services or attention to passengers (children’s meals, cots, etc.);
- During medical assistance to a passenger on board an aircraft, certain data may be collected, notably concerning medical and/or medicinal treatment which may have been administered, particularly in order to keep a trace of the dose and the type of treatment administered..
- During the management of an irregularity (delay, cancellation, loss of baggage, etc.), certain supplementary data may be collected, notably concerning data relating to the rerouting of a passenger, lodging, services offered, communication with the passenger concerning the irregularity, baggage treatment, etc.
- During the processing of a complaint or a claim, all the data relating to the complaint and the flight or reservation which led to the complaint.
In accordance with article 6 of the RGPD, Aircalin collects and processes passengers’ personal data
(i) on the basis of explicit consent, (ii) in order to execute or allow the execution of the contract between Aircalin and the passenger, (iii) in order to respect the legal obligations which Aircalin is subject to, (iv) and in order to defend Aircalin’s legitimate interests.
In accordance with article 9 of the RGPD, Aircalin may also collect data which may be considered sensitive, which may reveal a passenger’s racial or ethnic origin, his religious convictions or even the state of health of the passenger in order to respond to certain requests from the passenger, such as a special meal (Kosher meal, Halal meal, diabetic meal), a special service in case of reduced mobility or for medical or medicinal assistance to a passenger on board an aircraft.
In this case, the data collected by Aircalin will only be collected and used after having obtained the explicit consent of the passenger and this in order to provide the passenger with the requested service.
This consent will, in principle, be requested from the passenger at the moment when the sensitive data is collected. In some cases, it is possible that this consent will be requested by our agent at the airport or on board the aircraft when the passenger makes a last minute request which requires the communication of sensitive data.
However, it may sometimes be possible that the passenger is not capable of giving consent at the moment when the sensitive data is collected, such as during emergency medical treatment on board an aircraft. In this case, and in accordance with the applicable regulations, Aircalin will make a note of this incapacity.
In the case that the personal data is collected on the basis of the explicit consent of the passenger (electronic prospecting or sensitive data), the passenger may later retract his consent to the processing of his data for such purposes by addressing an email to the following address: firstname.lastname@example.org.
Aircalin collects and processes personal data communicated by passengers for :
- The reservation and purchase of tickets, and the execution of the air transport contract;
The personal data concerning the passenger, such as his name, passport number, email address, postal address and bank account details are used by Aircalin to allow the passenger to reserve and buy tickets as well as to receive them.
This data is also used by Aircalin to execute the air transport contract by allowing the identification of the passenger when he checks in and boards the aircraft. For this purpose, Aircalin may send the personal data to its commercial partners, notably on code share flights (Air France, Air Tahiti Nui, Quantas, Air New Zealand, Air Vanuatu…)
- The provision of specific services connected to the transport service;
The personal data communicated by the passenger is also used by Aircalin to provide specific services requested by the passenger which are connected to the transport contract (‘à la carte services’ on Aircalin’s website), such as the ‘comfort seat’ service, ‘extra baggage’ or to buy travel insurance.
Aircalin also processes data considered sensitive, such as that defined in article 3 of this confidentiality policy in order to be able to provide passengers with reduced mobility with special meals or services when they are specifically requested by the passenger. This data is used in relation to the specific ancilliary services requested by the passenger.
For this purpose, data concerning the administration of medication or medical care, which, when provided, shows only the passenger’s state of health, is not considered to be sensitive data, whether or not it is linked to the execution of the flight (medication for a headache, for example).
- Ensure the safety and security of flights;
Aircalin also uses passenger data to ensure the safety and security of its flights by identifying and refusing to board passengers who cannot be permitted to fly, including those who have already been identified as unruly passengers on a flight or those who are not permitted to enter or leave the territory.
The passenger is also informed that any incident that occurs during the execution of a transport contract and which may prejudice the safety or security of a flight may be recorded and kept on file.
- For the proper performance of the FlyingBlue loyalty programme;
Aircalin belongs to the FlyingBlue loyalty programme, which allows passengers to take advantage of a number of advantages on flights operated by Aircalin and its partners. For this means, personal data communicated by the passenger during his subscription to the FlyingBlue programme is used by Aircalin in order to identify the passenger and to allow that passenger to use his advantages (flight reservations, reductions, use of miles…).
- Marketing and data and communication with the passenger;
Personal data which is collected during the use of the Aircalin website and during flight or ticket reservation is used by Aircalin to develop marketing activities, such as advertising campaigns.
Aircalin also uses the passenger’s personal data to allow its customer relations department to respond as effectively as possible to the passenger’s requests and claims.
- To carry out statistical analysis and improve Aircalin’s services;
The passenger’s personal data is used, in conjunction with the other passengers’ data, in order to carry out statistical analysis designed to improve Aircalin’s services (use of internet site, ticket reservation service…).
- To carrry out the administrative formalities imposed upon Aircalin and to ensure the safety and security of the flights
As with any air transport company, Aircalin is subject to legal responsibilities which oblige it to collect and then send personal data concerning a passenger to the competent authorities (PNR, API…).
So, the personal data collected by Aircalin may also be used to facilitate the administrative formalities for immigration and entry into the territory, the prevention of unpaid tickets and the fight against fraud, as well as to ensure the safety and security of flights.
- Commercial prospecting
Under reserve of the passenger’s explicit consent, Aircalin and its partners may use the passenger’s personal data for commercial prospecting purposes.
In accordance with Article L.237-7 of French Internal Security Code, Aircalin may be required to communicate personal data: booking, check-in and boarding data collected from their passengers (API/PNR) to the French authorities for the purposes and under conditions as defined in the Decret N° 2014-1095 dated 26/09/2014, modified by the Decret N° 2018-714 dated 03 August 2018.
The passenger may, and at any moment, take back his consent for the use of his data for such purposes, by addressing an email to the following address: email@example.com.
As regards minors in a member state of the European Union who have not attained the minimum age of consent, Aircalin only collects personal data requiring consent after having attained the consent of the parents or legal guardian.
To this effect, Aircalin commits to undertake all reasonable measures to obtain that consent.
The data collected may be sent to authorised Aircalin personal (notably in the Marketing and E-commerce departments), its partners or its associated service providers, with the aim of satisfying all or some of the above purposes.
In accordance with the current legislation, the transporter is sometimes obliged to make personal data available to the authorised French or foreign public authorites (customs, immigration departments, etc.), and in particular in order to fight against terrorism or other serious illegal acts.
We call to your attention that some of the above-mentioned receivers may be located outside of the European Union and may have access to some or all of the personal data collected by the transporter (surname, given names, passport number, travel details, etc.), and this, in order to correctly execute the passenger’s transport contract or as the result of a specific legal clearance. The transfer of data outside of the European Union is effected in accordance with the conditions stipulated in articles 44 and following of the RGPD and 68 and following of the ‘Computing and liberties’ law. More precisely, when a transfer takes place in a country not having been ratified by the European Commission in accordance with article 45 of the RGPD, the protection of passenger’s rights and liberties is assured by the implementation of the Binding Corporate Rules (BCRs) or the appropriate contractual clauses.
Aircalin stores the personal data collected in digital files for a duration which does not exceed that which is absolutely necessary to fulfill the purposes for which it was collected or until the passenger has exercised his right to delete his data in accordance with article 8 of this confidentiality policy.
In principle, the data communicated by the passenger will not be retained for more than 3 years, unless it is necessary to fulfill a legal obligation to which Aircalin is subject or for the resolution of a court case.
In particular, personal data collected for commercial purposes must be the object of a new request for consent every 3 years.
The passenger has (i) the right of access, (ii) of correction, (iii) of portability and (iv) the deletion of his data, and (v) the right to the limitation and (vi) refusal of the processing of his data under the conditions set by the ‘computing and liberties’ law of 6th January 1978, amended by the law of 6th August 2004 and the RGPD.
We call your attention to the fact that the processing of certain personal data is indispensable for the reservation and creation of the transport contract. The passenger may, naturally, exercise his right of refusal for the collection and processing of his personal data, but is informed that this step may lead to the cancellation of the flight or prevent him from accessing certain specific ancillary services that may have been requested (special meals, medical assistance).
We also remind you that, in accordance with the current regulations, the non-communication of certain data or the inaccuracy of certain data may lead to a decision to refuse boarding or entry into a foreign territory, and this, without the air transporter’s liability being engaged.
The passenger also has the right to withdraw his consent at any moment when the processing of his data is subject to his prior consent.
The passenger is informed that a request for modification, access, limitation or deletion may not be acted upon, either partially or totally, if the request goes against a legal or regulatory obligation imposed on Aircalin or one of its partners. Aircalin reserves the right to not delete or limit certain personal data deemed useful or necessary for the processing of a complaint or for a court case.
The passenger has the right to submit a complaint to the competent authority should Aircalin breach the applicable personal data laws.
These rights may be exercised by going to aircalin.com / nous contacter, tab ‘your personal data’.
Aircalin will inform the passenger of any breach in the protection of personal data as well as the national authority for the protection of personal data each time this is required by the RGPD.
In accordance with the RGPD, communication with the passenger will include a clear and simple description of the nature of the breach of the passenger’s personal data as well as:
- the surname and contact details of Aircalin’s protection of personal data delegate, allowing the passenger to obtain further information about the breach;
- the probable consequences of the personal data breach;
- the measures taken by Aircalin or the measures that Aircalin proposes to take in order to repair the breach of passenger’s personal data as well as measures to reduce the eventual negative impact of the breach.
In any case, the passenger is informed that such communication is not required in the situations described in article 34.3 of the RGPD, which covers situations when:
- Aircalin has implemented the appropriate technical and organisational protective measures and has applied them to the personal data which has been affected by the breach, especially the measures which make the personal data illegible to any person not having authorised access, such as through encryption;
- Aircalin has taken subsequent measures which guarantee that the heightened risk to the passenger’s rights and liberties is no longer likely to occur;
- Such communication requires a disporportionate effort from Aircalin. In this case, this communication will be replaced by a measure which will allow a passenger to be informed just as efficiently, such as by a public communication.
The protection and security of data communicated by passengers is one of Aircalin’s priorities.
To this end, Aircalin has implemented the following technical and computing data protection procedures:
- Limitation of the number of persons authorised to access passengers’ personal data;
Aircalin commits to share personal data communicated by a passenger only with persons cleared to handle this data and only in order to fulfill the purposes stipulated by article 3 of this confidentiality policy.
In particular, accounting or financial data is covered by access restricted to persons holding clearance and bound to dispose of this data.
- Destruction of passengers’ personal data at the end of the retention period
As specified in article 7 of this confidentiality policy, passengers’ personal data collected by Aircalin is only retained for the period strictly necessary to fulfill the purposes foreseen by article 4 of this confidentiality policy or until the passenger has requested the deletion of his personal data under the conditions set by article 8 of this confidentiality policy and the RGPD.
At the end of the retention period for the passenger’s personal data the passenger’s personal data is either destroyed or made inaccessible.
- Respect for the rules of proper use of computing, electronic and digital resources by Aircalin employees.
In order to best protect the confidentiality and security of passengers’ personal data, Aircalin has drawn up and implemented a charter of proper use of computing, electronic and digital resources which must be respected by all persons employed by Aircalin.
This imposes a certain number of obligations in terms of behaviour in order to prevent the loss or disclosure of data processed in the working environment (requirements for the complexity of passwords, use of secure hardware…)
This confidentiality policy for the protection of personal data may be modified.
Last updated on 20/03/2019