Privacy statement

We are Koninklijke Luchtvaart Maatschappij NV (also known as KLM Royal Dutch Airlines or KLM), a Dutch airline, with its office at Amsterdamseweg 55, 1182 GP Amstelveen, The Netherlands.

KLM is part of the Air France-KLM Group. For more information, please check our website under“Corporate”. KLM is responsible for the collection and use of your personal data described in this privacy statement.

We offer our corporate loyalty programme Bluebiz in partnership with our group company Air France. Air France (Société Air France, S.A.) is an airline with offices at Rue de Paris 45, F-95747 Roissy CDG Cedex, France. We are jointly responsible for the collection and use of your personal data for the Bluebiz loyalty programme. We have an arrangement in place setting out our respective responsibilities for complying with applicable privacy legislation. In short, we have agreed that you can contact either KLM’s or Air France’s Privacy Office (see 8 “Your rights” below) if you wish to exercise your rights or have any complaints about the collection or use of your personal data. KLM and Air France will assist each other when necessary so as to ensure that you can exercise your rights. We work together to ensure that your questions and complaints are properly addressed.

With our subsidiary Transavia Airlines CV ('Transavia', also part of the Air France-KLM Group) we exchange personal data of passengers who have caused (serious) nuisance and who have been refused boarding (see also 2.1 (J), 4.1 (G) and 5.3 below). Transavia is an airline with its office at Piet Guilonardweg 15, 1117 EE Schiphol, The Netherlands. Together with Transavia, we are responsible for the processing of your personal data that takes place in the context of this exchange. A mutual arrangement sets out our respective responsibilities for compliance with applicable privacy laws including the exercise of your rights (see section 8 “Your rights” below).

In addition, KLM is a member of the SkyTeam Alliance, a global network of airlines that process personal data to provide passengers with the best possible travel experience. KLM, together with SkyTeam Airline Alliance Management Coöperatie U.A. and the other members of the SkyTeam Alliance, is responsible for this processing of your personal data. For more information, please refer to the SkyTeam Alliance joint privacy statement (seehere). A mutual arrangement defines our mutual responsibilities for compliance with applicable privacy laws including the exercise of your rights (see section 8 'Your rights' below').

2.1. Obecná ustanovení Můžeme shromažďovat a používat následující kategorie osobních údajů: (A) Jméno, údaje o cestovním pasu a další identifikační údaje Když si u nás uděláte rezervaci nebo rezervujete let, shromažďujeme vaše jméno, oslovení, pohlaví, datum narození, národnost, zemi trvalého pobytu a údaje o cestovním pasu. Pokud děláte rezervaci anebo rezervujete let pro jiné osoby, shromažďujeme také jejich identifikační údaje. Ujistěte se, že vědí o tom, že jejich osobní údaje shromažďujeme a jak je používáme. (B) Vaše kontaktní údaje a váš osobní účet nebo registrační údaje Můžeme shromažďovat vaši adresu, telefonní číslo a e-mailovou adresu. Pokud se registrujete ke službě, akci, soutěži nebo kampani nebo si vytvoříte osobní účet, můžeme také zaznamenávat vaše přihlašovací údaje a další informace, které uvedete při registraci nebo vyplňování formuláře k vytvoření účtu. Pokud jste cestující na služební cestě, shromažďujeme také informace o vaší organizaci, jako je její název a adresa. (C) Informace o vašich rezervacích a nákupech Když si u nás uděláte rezervaci nebo rezervujete let, shromažďujeme a používáme podrobnosti o vaší rezervaci. Tyto údaje mohou zahrnovat informace o vašem letu, cenách a datu vaší rezervace. Kromě toho shromažďujeme a používáme informace o dalších službách (jako je dodatečné zavazadlo, upgrade a WiFi na palubě) a produktech, které si od nás zakoupíte. (D) Informace související s vaší cestou Když s námi cestujete, shromažďujeme a používáme informace o vaší cestě, jako je váš itinerář, online odbavení nebo odbavení na letišti, palubní vstupenka v mobilu nebo v papírové podobě a informace o vašich spolucestujících. Můžeme také zaznamenávat vaše specifické zdravotní potřeby nebo stravovací omezení a požadovanou další asistenci. Obvykle dostáváme potvrzení od třetí strany, která provádí biometrické ověřování vaší totožnosti při nástupu do letadla (například prostřednictvím systému rozpoznávání obličeje). Pokud není uvedeno jinak, nedostáváme jiné vaše identifikační údaje (např. snímek obličeje) než osobní údaje, které již máme k dispozici (např. údaje o cestovním pasu). Více informací o shromažďování a používání osobních údajů při biometrickém ověřování totožnosti při nástupu do letadla naleznete v zásadách ochrany osobních údajů společnosti, která toto biometrické ověřování provádí. Před nástupem do letadla nebo výstupem z letadla můžeme také kontrolovat zdravotní stav nebo shromažďovat či používat údaje o vašem zdravotním stavu, protože máme zákonnou povinnost tak činit z důvodu veřejného zájmu v oblasti veřejného zdraví nebo jsme k tomu obdrželi váš výslovný souhlas. (E) Informace v souvislosti s naším firemním věrnostním programem Když se stanete členem našeho firemního věrnostního programu bluebiz, shromažďujeme a používáme informace o vašem členském čísle, stavu blue credits, odměnách a výhodách, typu a úrovni členství a další informace ohledně vašeho členství. Zaznamenáváme také transakce, prostřednictvím kterých jste získali nebo použili své blue credits. Zaznamenáváme mimo jiné typ transakce (např. let), datum transakce, získané nebo použité blue credits a poskytovatele (společnost Air France, KLM nebo partner bluebiz). Informace o vašem členství Flying Blue můžeme použít, abychom vám poskytli či propagovali naše služby (viz 4.1 níže). Více informací o osobních údajích, které shromažďujeme v souvislosti s vašim členstvím Flying Blue najdete vzásadách ochrany osobních údajů programu Flying Blue. (F) Naše komunikace s vámi Když nám pošlete e-mail nebo s námi chatujete online či prostřednictvím sociálních médií, zaznamenáváme vaše zprávy. Pokud nám zavoláte, naše zákaznické centrum služeb zaznamená do databáze vaše dotazy nebo stížnosti. Dále můžeme nahrávat telefonické hovory pro účely školení nebo za účelem prevence či boje proti podvodu. Zaznamenáváme váš upřednostňovaný způsob komunikace, například když se přihlásíte k odběru některého z našich newsletterů nebo když zvolíte, že chcete získávat informace či upozornění ohledně svých rezervací (například aktualizace vaší palubní vstupenky nebo stavu letu) prostřednictvím jiných informačních kanálů než e-mailu (např. WhatsApp, Messenger nebo WeChat). (G) Informace, které shromažďujeme, když používáte naše internetové stránky, mobilní aplikace nebo jiné digitální služby i. Když navštívíte naše internetové stránky, použijete naše mobilní aplikace nebo využijete nějaké jiné digitální služby, můžeme zaznamenat vaši IP adresu, typ prohlížeče, operační systém, internetové stránky, z nichž jste se k nám dostali, chování při prohlížení internetu a používání aplikace. Tyto informace shromažďujeme prostřednictvím souborů cookie nebo podobných technologií. Další informace naleznete v našichzásadách ohledně souborů cookie. Když navštívíte naše internetové stránky prostřednictvím odkazu v e-mailu nebo když se přihlásíte k svému účtu KLM nebo Flying Blue, můžeme informace, které shromažďujeme prostřednictvím souborů cookie nebo podobných technologií, přidat k informacím, jež již o vás máme k dispozici. ii. Dostáváme automatická upozornění, jakmile otevřete e-mail od nás nebo v takovém e-mailu kliknete na odkaz. Můžeme tyto informace spojit s ostatními údaji, které již o vás máme k dispozici. iii. S vaším souhlasem můžeme získávat údaje o vaší poloze. iv. Můžete nám poskytnout svůj souhlas s přístupem k určitým údajům uloženým ve vašem mobilním telefonu, jako jsou fotografie a kontakty. (H) Informace týkající se sociálních médií V závislosti na nastavení vaší sociální sítě můžeme dostávat informace od poskytovatele vaší sociální sítě. Když se například přihlásíte k našim službám prostřednictvím účtu na sociální síti, můžeme získat váš profil na této sociální síti, včetně vašich kontaktních údajů, zájmů a kontaktů. Taktéž získáváme statistiky návštěvníků z Facebooku v souvislosti s naší fanouškovskou stránkou na Facebooku. Přestože za tyto statistiky návštěvníků odpovídají společnosti KLM a Facebook společně, je společnost Facebook Ireland Limited vaším primárním kontaktním místem a vyřizuje vaše žádosti o uplatnění vašich práv a veškeré vaše možné stížnosti. V případě potřeby budeme se společností Facebook při vyřizování vašich žádostí nebo stížností spolupracovat. Další informace o osobních údajích, které získáváme od poskytovatelů sociálních sítí, a o tom, jak změnit vaše nastavení, získáte na internetových stránkách a v zásadách ochrany osobních údajů poskytovatelů sociálních sítí. (I) Informace, které se rozhodnete nám předat Shromažďujeme a používáme informace, které se rozhodnete nám předat, například když sdílíte své zájmy a preference na našich internetových stránkách, necháte komentář na naší Facebookové stránce, vyplníte zákaznický průzkum nebo se přihlásíte do soutěže. (J) Neukázněné chování Společnost KLM vede seznam cestujících, kteří nejsou vítání na palubě našich letadel z důvodu neukázněného chování na zemi nebo v některém z našich letadel. Neukázněné chování může zahrnovat narušování bezpečnosti, narušování veřejného pořádku, ublížení na zdraví našemu pozemnímu personálu, letecké posádce nebo cestujícím nebo poškození našeho majetku. Totéž platí pro cestující, kteří zneužijí našich služeb (včetně našich věrnostních programů Flying Blue nebo bluebiz). Na seznamu cestujících, kteří se dopustili neukázněného chování a zneužití, jsou uvedena jména cestujících, datum narození, čísla letenek a krátký popis incidentů a závažnosti jejich chování či zneužití. Více informací naleznete v části 4.1 (G) níže. 2.2 Zvláštní kategorie osobních údajů Na některé kategorie osobních údajů jako například údaje o rasovém nebo etnickém původu, údaje o náboženském nebo filozofickém přesvědčení, údaje týkající se zdravotního stavu a trestněprávních záležitostí se vztahují přísnější pravidla podle platných právních předpisů na ochranu osobních údajů. Tyto kategorie osobních údajů shromažďujeme a používáme například k tomu, abychom vám během cesty poskytli asistenci či vybavení odpovídající vašim zdravotním potřebám, abychom vyhověli vašim požadavkům, zajistili bezpečnost na palubě nebo abychom splnili zákonné požadavky. Přísnějším pravidlům podléhají také biometrické údaje. Nicméně, jak je vysvětleno v bodě 2.1 (D), vaše biometrické údaje běžně neshromažďujeme ani nepoužíváme. 

Tyto zásady ochrany osobních údajů se nevztahují na žádné služby, které vám poskytuje společnost KLM Health Services. Tyto služby jsou poskytovány odděleně od našich služeb. Další informace o tom, jak společnost KLM Health Services zpracovává vaše osobní údaje, naleznete vzásadách ochrany osobních údajů na internetových stránkách společnosti KLM Health Services. 2.3 Děti mladší 16 let Údaje o dětech shromažďujeme tehdy, pokud nám poskytnete informace o svém dítěti v souvislosti s letem, který rezervujete, nebo zakoupenou službou či produktem. Pokud děti cestují samy, zaznamenáme nejen kontaktní údaje jejich rodiče(ů) nebo zákonného(ých) zástupce(ů), ale také kontaktní údaje osob, které je přivezou na letiště nebo vyzvednou na letišti. 2.4 Konkrétní služby, mobilní aplikace, akce, soutěže nebo kampaně U konkrétních služeb, mobilních aplikací, akcí, soutěží nebo kampaní můžeme shromažďovat jiné typy údajů než ty, které jsou uvedeny v těchto zásadách ochrany osobních údajů. O tom vás budeme vás informovat, když se budete registrovat k službě, akci, soutěži či kampani nebo si budete stahovat aplikaci.

We collect the categories of personal data referred to above in the following ways: (A) Personal data provided by you When you book a flight with us, create an online account, register for our corporate loyalty programme Bluebiz, contact us via social media, fill out a customer survey, contact our customer service, subscribe to receive our e-mails or mobile push notifications, submit an entry for a contest, or register for one of our events or campaigns. (B) Personal data received from your travel agent, our airline partners, and other companies involved in facilitating your trips We receive your data from these parties to handle your reservations and bookings and to arrange your trips and purchases. For example, when you book a flight through a travel agent or an online platform, we receive your identifying data, contact details, and booking details from those third parties. (C) Personal data received from partners that participate in our corporate loyalty programme The Bluebiz corporate loyalty programme is offered by KLM and Air France (please also see “Who we are” above). The programme allows you to save and spend blue credits with KLM and Air France and our airline loyalty partners. To that end, Air France and KLM exchange the booking data collected as part of our airline booking procedures (see 2.1 (C) above). We also share your personal data with our loyalty partners. If, for example, you purchase a service from one of our loyalty partners, they will share the Credits you have earned with us, so that we can update your balance. You can find a list of our airline loyalty partners on theBluebiz website. Our airline loyalty partners are independently responsible for the collection and use of your personal data. You can find more information on how they handle your personal data in their respective privacy policies. (D) When you use our website or mobile apps, we collect information using cookies and similar technologies KLM uses its own cookies and third-party cookies. For more information, please read ourcookie policy. (E) If you use social networks or search engine platforms, we may also receive information from these parties For more information, see 2.1 (H) above. (F) We receive certain information from the government, government agencies, the airport or affiliated organisations to maintain onboard safety and security KLM receives the names of persons who have been put on a blacklist by the State of the Netherlands or government agencies. For example, the names of passengers who have disembarked at Amsterdam Airport Schiphol and who have been found by the Royal Netherlands Marechaussee to be carrying illegal drugs. For more information, see 4.1 (G) below. At some airports, as part of applicable access controls, safety measures and security procedures (such as matching checked baggage to the correct passenger), your identity may be verified using biometric features. For more information, see 2(D) above. (G) If you exhibit unruly behaviour, we collect certain information for flight safety If you exhibit unruly behaviour before or during a flight, KLM will draw up an incident report. In addition to the data already provided to us in the context of your booking or reservation (e.g. name and date of birth), this report may also contain information originating from persons involved in the incident and/or charged with handling it. See also 2.1. (J) above.

4.1. Main purposes for which we use your personal data (A) To provide our services to you We use the information described under 2.1 (A) to (G) to handle your reservations and bookings and to arrange your trips and purchases. For example, we use your name, passport number, and other identifying information to issue your ticket. We use your contact details to inform you about changes in your flight status.

If the persons in your booking are members of our Flying Blue loyalty programme, we will use the contact details they provided to inform them about their flight and any changes in their flight status. Information about your specific medical needs are needed and will only be used to be able to ensure that you receive appropriate medical care. (B) To facilitate our Bluebiz corporate loyalty programme (C) To provide you with our online services and mobile apps and to ensure an enjoyable digital experience i. For example, we use your name and flight details when you use our app to check in for your flight. ii. Some of our online services and apps use your location, for example, to show you the nearest location of interest. iii. To offer you the best possible digital experience, we analyse your use of digital media, so that we can tailor our communication towards the digital channel or device that you use most (see 2.1 (G)). iv. If you break off your booking session on our website, we will send you an e-mail with a link to your booking session, so you can continue where you left off. You will receive similar e-mails if you break off booking sessions on the websites of our partner Airtrade. We will only send you such e-mails at your request or if you have agreed to receive updates and special offers from us by e-mail (see 4.1 (E)). You can withdraw your consent for such e-mails at any time by clicking on the unsubscribe link in the e-mail, by changing your communication preferences in your account (if available), or by contacting us (see 8 “Your Rights” below). (D) For statistical research i. General: we research general trends in the use of our services, loyalty programmes, websites, mobile apps, and social media, as well as trends in the behaviour and preferences of our customers, loyalty members and users. We use our research results to develop better services and offers for our customers, improve our loyalty programme, provide better customer service, and improve the design and content of our websites and mobile apps. ii. Categories of data: to perform our research, we may use the categories of personal data described at 2.1 (A) to (I) and the personal data we collect when you are a Flying Blue member (see ourFlying Blue privacy policyfor more information). We only use 'aggregated data' or 'pseudonymised data' for our research. This is data that cannot be traced back directly to you because all directly identifiable elements (e.g. names and e-mail addresses) are removed or encoded and given a number. We take appropriate measures to ensure that only a limited group of employees has access to the data set. iii. Example: if our research into booking details and data about additional services purchased (extra baggage, upgrades) shows that passengers travelling long distances are more inclined to purchase extra legroom, we may use that information to offer extra legroom more prominently for long-distance flights. iv. Legal basis and right to object: we collect and use your personal data for our legitimate interests described above (see sub (i) “General”). You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data for statistical research (see 8 “Your rights” below). (E) Marketing purposes i. General: we may use your personal data for direct marketing purposes. In this paragraph, we explain how we use your data for these purposes. ii. Channels: we use various channels such as e-mail, mobile push notifications, our own websites and apps and websites and apps of third parties, social media and postal mail for marketing purposes. For example: – Booking related e-mails: if you book a flight, you will receive multiple e-mails regarding your booking (e.g. your booking confirmation, information about checking in and boarding). Those e-mails contain advertisements and offers tailored to you and your flight. You can always unsubscribe from personalised advertisements and offers (see point iv below). – E-mails from KLM with KLM updates and offers: when you book a flight with us, you will also receive e-mails from us containing KLM updates and offers tailored to your interests, such as our newsletter. You will also then receive e-mails from us on specific occasions, such as a special offer on your birthday or personalised offers for your next trip within a few months of your return. You can unsubscribe from these emails during the booking process and at any time thereafter (see point iv below). In some countries, you will receive these e-mails only if you have opted in beforehand. – E-mails from KLM with third-party updates and offers: you can subscribe to receive e-mails from KLM with third-party updates and offers. In addition to offers for our own services, these e-mails contain offers from our partners, such as offers for hotels from our partner Booking.com or car rental options from our partner Hertz. – Direct messages through other communication channels: with your consent, we use other communication channels to send you direct messages with personalised advertisements and special offers, such as postal mail, mobile push notifications or social channels (e.g. Messenger, WhatsApp, or WeChat). You can also sign up for push notifications with updates and offers from KLM partners in the KLM mobile app. - Display relevant information and personalised advertisements on our own websites and apps and on third-party websites and apps: see our cookie policy. We may also use your personal data to exclude you from advertisements which are no longer relevant for you. - Custom audience targeting through social media platforms: you may choose to receive personalised advertisements and offers on the social media platforms you use. In order to display relevant information and personalised advertisements through various channels and to measure the reach and effectiveness of our advertisements, we may share certain identifiers (such as your e-mail address, telephone number or your IP address) with third parties. Where possible, we share these identifiers only in pseudonymised ('hashed') format. For marketing purposes, we use Meta's Custom Audience programme, for example. This programme allows us, among other things, to display personalised advertisements and offers in your newsfeed on Meta platforms, such as Facebook Messenger and Instagram. We only provide identifiers to Meta so that Meta can check whether you have an account on one of Meta's platforms. Meta, in turn, only provides us with aggregated data about the effectiveness of an advertising campaign. This is data that cannot be traced directly back to you. This way, we try to make every effort to keep your personal data secure and confidential. To determine our audience for a specific ad campaign, we may use your booking details or the data we collect when you use our websites, mobile apps, or other digital media. In addition, Meta may use the personal data it collects about you to compile a similar audience. This allows us to reach a new audience through Meta. Learn more about howMeta uses your data for its custom audience programmeandhow you can control how information about you is used by Meta to personalise the ads you see. You can also checkMeta's privacy policy. We may participate in similar programmes offered by other third parties to display relevant information and personalised advertisements via other channels. These may for example include programmes offered by other social media platforms (such as Twitter, LinkedIn and Pinterest), but also search engine platforms (such as Google and Microsoft Bing) and third-party websites (such as Partnerize, Skyscanner and TripAdvisor). Please check the privacy policies of these third parties for more information. If you no longer want us to include you in the programmes we use to display relevant information and personalised advertisements via various channels, please send an e-mail toKLMPrivacyOffice@klm.comto withdraw your consent. When sending this e-mail, please use the e-mail address for which you would like to withdraw your consent.

iii. Personalised offers: we aim to make advertisements and offers as relevant as possible for you. To that end, we may analyse the categories of personal data described in 2.1 (A) to (I), 4.1 (C) (statistical research data) and the personal data we collect when you are a Flying Blue member (see ourFlying Blue privacy policyfor more information). We use the results of this analysis to personalise advertisements and offers. For example, with your consent, we may send you an e-mail after you return from a trip with offers based on your booking history, to offer you inspiration for your next trip. We may also use your booking history (e.g. travel for pleasure or business, cabin class, destination, Flying Blue member) to provide you with a discount for an upgrade or extra baggage. iv. Legal basis and right to object: unless indicated otherwise, we collect and use your personal data as described in this section 4.1 (E) for our legitimate interests and the interests of third parties. You have the right to object to the use of your personal data for direct marketing purposes, including related profiling activities, at any time (see 8 “Your rights” below). v. Unsubscribe: you can always unsubscribe from receiving personalised advertisements and offers. Please find below an explanation of how you can unsubscribe. – E-mails: you may unsubscribe at any time from advertisements and offers in our e-mails regarding your booking and our e-mails with KLM updates and offers and our loyalty programmes and from e-mails to which you have subscribed by clicking the unsubscribe link in the email. In many cases, you can also unsubscribe by changing your communication preferences in your account. If you unsubscribe, you will only receive e-mails necessary to be able to use our services (such as your booking confirmation, e-ticket or communication about a change in your flight schedule) and to participate in our loyalty programme (such as a welcome message to members). – Postal mail: you may unsubscribe from receiving personalised advertisements and special offers by postal mail by contacting us (see 8 “Your rights” below). – Other communication channels: if you have opted to receive personalised advertisements and offers through mobile push notifications, you can unsubscribe by changing your smartphone settings (for mobile push notifications). Visit the website of the social media platform for more information on how to unsubscribe from receiving personalised advertisements and offers through social channels (e.g. Messenger, WhatsApp, and WeChat). – Contact our Privacy Offices: you may always contact us to unsubscribe from receiving messages containing advertisements and offers (see 8 “Your rights” below).

(F) To communicate with you We use your contact details to communicate with you about our services or loyalty programme, to answer your questions, or to address your complaints. 

(G) Passengers who exhibit unruly behaviour or misuse our services i. General: KLM maintains lists of passengers who have exhibited unruly behaviour or misused our services (see 2.1 (J) above). Depending on the severity of the behaviour, KLM may (i) for a period of three years attach additional conditions to their admission on board or (ii) for a period of (in principle) five years refuse them on board. In case of aggravating circumstances (such as repeated misconduct), KLM may decide to refuse a passenger for a period exceeding five years. In very severe cases, KLM may even decide to refuse a passenger permanently. We apply different guidelines for processing this special information in respect of children. Children under the age of 15 who exhibit unruly behaviour are not registered on the list. As for children aged 15 to 16, KLM may attach conditions to their admission for a maximum period of one year. Passengers who have been refused entry for five years or more will be personally informed (if possible, by e-mail) of the fact that they have been placed on the list, the reason for placement, what security measures have been imposed on them, how long these measures will be effective and where they can file a complaint or object to the placement. More information about access to or correction of this data can be found below under 8 'Your rights'. ii. Illegal drugs: KLM receives from the State of the Netherlands the names of passengers who have disembarked at Amsterdam Airport Schiphol and who have been found by the Royal Netherlands Marechaussee to be carrying illegal drugs. KLM may refuse to enter into any transport contract with these persons for a period of 3 years for direct flights from Amsterdam Airport Schiphol to Suriname, Aruba, Bonaire, St. Maarten, or Curaçao and direct flights from these countries to Schiphol. You may request permission to access or rectify this data by submitting a written request to that effect to the Royal Netherlands Marechaussee, PO Box 90615, 2509 LP The Hague, The Netherlands. If you reside in Aruba, the Netherlands Antilles, Suriname or Venezuela, you must enclose a copy of your passport with your written request. 

(H) To conduct our business operations or to comply with statutory obligations We collect, use and retain your personal data to conduct our business operations, such as conducting flights, ensuring flight safety and for record-keeping purposes. We also process your data to improve our business operations. For example, we use recordings of telephone calls to train our customer service staff (see 2.1 (F)). Furthermore, we process your personal data to comply with our legal and tax obligations and for the purposes of fraud prevention and control, and dispute resolution. In the case of fraud or misuse of our services, we may enter your personal data in our internal fraud control and warning systems (see 4.1 (G) above). 4.2 Specific services, apps, events, contests, or campaigns For specific services, apps, events, contests, or campaigns, we may use your personal data for purposes other than those described in this privacy statement. We will inform you about those purposes when you register for the service, event, contest, or campaign, or when you download the relevant app. 4.3 Legal basis We may collect and use your personal data only if we have a legal basis for doing so. In many cases, we need your personal data to receive your booking, arrange your flight or purchases, facilitate your participation in our loyalty programmes, or to answer your questions (see 4.1 (A), (B) and (G) above). In those cases, the legal basis for processing your data is 'necessary for the performance of a contract'. If you have consented to the collection and use of your personal data (which consent you may withdraw at any time, see 8 “Your rights” below), we will collect and use your data based on that consent. In certain cases, we may use your personal data if we or third parties have a legitimate interest in doing so. We will always consider all interests carefully: your interests, the interests of others, and KLM's interests. Based on our legitimate interest, we will collect and use your data for, for instance, flight safety, statistical research, or direct marketing purposes, or to offer personalised discounts and offers (see 4.1 (C), (D),(E) and (G) above for more information). We may have a legal obligation to collect and use your data, for example, to satisfy immigration formalities (see 4.1 (H). If you refuse to provide the personal data that we need to perform the contract we have concluded with you or to comply with a legal obligation, we may not be able to provide all the services you have requested from us. Consequently, we may have to cancel your flight, or we may not be able to provide you with the additional services you have requested. If you provide incomplete or inaccurate information, we may be forced to deny you boarding or entry into a foreign territory.

5.1. General We may share your personal data with third parties in the following cases: (A) To facilitate your bookings and trips To handle your reservations and bookings and to arrange your trips and purchases, we often need to share your personal data with our partner airlines, airport operators, and other companies involved in facilitating your trip (see 3.1 (B) above, “How we collect your data”). We also exchange your data with SkyTeam and SkyTeam Alliance members to provide you with a more seamless travel experience (see section 1 above). (B) For our Bluebiz corporate loyalty programme For more information, see “Who we are” and 3.1 (C) under “How we collect your data”. (C) Regarding corporate accounts If you book a flight using your employer's corporate account, your employer will have access to certain booking details, such as the ticket price, travel dates, and your destination. Your employer is independently responsible for how it collects and uses your personal data and informs you about it. (D) For support or additional services To provide our services, we use the support or additional services of third parties, such as IT suppliers, social media providers, marketing agencies, and screening service providers. All such third parties are required to adequately safeguard your personal data and only use such data in accordance with our instructions. The Air France-KLM group carries out its business operations using centralised databases and systems. Those central databases and systems may be hosted or managed by one group company for other group companies. In addition, for efficiency purposes, certain operational functions may be performed by one group company for other group companies. This means that our group companies may have access to your personal data for these purposes. Our group companies may only use your personal data as required for the relevant business function and in accordance with this privacy statement. (E) Regarding payment services To process payments for your trips and purchases, we may work with third parties that offer payment services. In many cases, those payment service providers also conduct fraud checks. They operate their own privacy policies in terms of the way in which they use your personal data. (F) Personalised marketing through social media platforms For more information, see 4.1 (E) under “Purposes for which we use your data”. (G) To enable our partners to tailor their services to your trip We may share your non-personalised information (destination, travel date, and duration of the trip) with partners that offer additional services (e.g. hotel accommodations, car rental services) so that they can provide you with offers tailored to your trip. Our partners operate their own privacy policies in terms of the way in which they use your personal data. 5.2. Specific services, apps, events, contests, or campaigns For specific services, apps, events, contests, or campaigns, we may share your data with third parties other than those described in this privacy statement, for example, when we organise a campaign or an event in collaboration with a partner or when we integrate their services into our apps. We will inform you about this when you register for the service, event, contest, or campaign, or when you download the app. 5.3. Data exchange with Transavia

Airlines have an obligation to guarantee flight safety. For this purpose, KLM takes certain (necessary) security measures. For example, KLM keeps a list of passengers who have exhibited unruly behaviour on the ground or on board (see 2.1. (J) and 4.2 (G) above). Based on this list, KLM can (i) for a period of three years attach additional conditions to their admission on board or (ii) for a certain period refuse them on board. Transavia, KLM’s subsidiary, maintains a similar list. To increase the scope of the internal security measures taken, KLM and Transavia exchange the personal data of passengers of whom has been decided that they must be refused boarding (see 4.1. (G) above). A person who is refused by KLM will now also be refused on board Transavia flights (and vice versa). If you have exhibited unruly behaviour and this has led to registration on the list, you will be personally informed about this by the airline where the unruly behaviour took place.

5.4 Government agencies (A) General We may be legally required to collect your personal data before you travel to another country and share it with the government agencies in the countries on your itinerary. For example, we may be legally required to collect and share your identifying data and your booking and travel information with those agencies for purposes of border control, immigration formalities, entering a country, or combatting terrorism or other serious crimes (see 5.4 (B) below). If you depart from certain countries, in specific cases we are required by law to make a copy of your passport and provide it to the Dutch government upon request. We may also be statutorily required to share your health data with the government agencies in the countries on your itinerary for public health purposes (see 2.1 (D) above). (B) PNR and API data i. General: under applicable European and local laws and regulations, we are required to disclose PNR and API data to certain government agencies.

ii. PNR (Passenger Name Record) data: These are data we collect from you for the purpose of processing your booking and carrying out your flight, including your name and contact details, booking number and booking date, travel and ticket information (such as travel dates and itinerary, flight number and ticket number), payment information, information on your travel status (check-in or no-show information), seat information, baggage information and your Flying Blue number. European Directive 2016/681 and applicable local laws and regulations require us to provide your PNR data to certain government bodies. For example, for each flight to the Netherlands or from the Netherlands to another country (both within and outside the EU), we are required to provide PNR data of passengers to the Passenger Information Unit of the Netherlands (seehere) and the EU country of destination or from which the flight departs. Which foreign Passenger Information Unit we transfer your PNR data to therefore depends on your travel itinerary.Hereyou will find a list with the names of all EU Passenger Information Units. For flights from the Netherlands to a country outside the EU and of flights from outside the EU to the Netherlands, we also provide PNR data of passengers to Dutch Customs.

iii. API (Advance Passenger Information) data: These are data about you, your travel document and your flight and booking, including your name, gender, date of birth and nationality, the nature, number, date and place of issue and expiry of the travel document, flight number, dates and route of travel, and booking number. Pursuant to European Directive 2004/82 and applicable local laws and regulations, for every flight from a country outside the EU or Schengenareato the Netherlands, we are obliged to provide API data to (the API centre of) the Royal Netherlands Marechaussee. iv. Country specifics:  - France: under Article L 237 -7 of the French Homeland Security Code, KLM may need to transmit your reservation, checking and boarding data (API/PNR) to the French national public services and competent authorities for the purposes of and subject to conditions as defined in Decree No 2014-1095 dated 26 September 2014, as amended by Decree No 2018/714 dated 3 August 2018. 5.5. Third-party websites Our websites and mobile apps contain links to third-party websites. If you follow those links, you will leave our websites or mobile apps. This privacy statement does not apply to the websites of third parties. For more information on how they handle your personal data, please check their privacy and/or cookie policies (if available).

6.1. Security (A) Our commitment Ensuring the security and confidentiality of your personal data is our priority. Taking into account the nature of your personal data and the risks of processing, we have put in place all appropriate technical and organisational measures as required by applicable legal provisions (in particular Article 32 of the General Data Protection Regulation (GDPR)) so as to ensure an appropriate level of security and, in particular, to prevent any accidental or unlawful destruction, loss, alteration, disclosure, intrusion of or unauthorised access to these data. (B) The security measures we have taken i. Banking transactions: we are required to comply with the Data Security Standard for the Payment Card Industry (the PCI DSS standard) issued by the PCI Security Standards Council (PCI SSC). This standard was created to increase control over cardholder information so as to reduce the fraudulent use of payment instruments. All KLM service providers required to process bank card data must comply with the PCI DSS standard. We strive to combat identity theft on the Internet. For this reason, we use, for example, a device for detecting fraudulent payments designed to protect you in the event of loss or theft of your bank card. ii. Organisational measures: we have implemented and maintain various organisational measures intended to strengthen the awareness and accountability of our employees. We have programmes in place designed both to ensure awareness and to promote the sharing of good practices and safety standards. In this context, a rich collection of documents on information security challenges and privacy protection have been made available to our employees. iii. Technical measures: we strictly control physical and logical access to internal servers hosting or processing your personal data. We protect our network with state-of-the-art hardware devices (Firewall, IDS, DLP etc.) as well as architectures (including secure protocols such as TLS 1.2) in order to prevent and limit the risk of cybercrime. (C) The evolution of our security systems To maintain an appropriate level of security, we have internal processes in place based on the best standards (in particular, the ISO 27000 family of standards). We rely on dedicated experts to guarantee the best possible level of protection. In this regard, we maintain a privileged relationship with the NCSC (National Cyber Security Centre). 

(D) How to protect yourself Personal data security and confidentiality depend on everyone's best practices. When you make a reservation, you will be sent file references . These booking references must remain confidential at all times. Disclosing them to other passengers may allow them access to your booking information through our systems or those of third parties involved in delivering your trip (e.g. travel agencies or online search and booking sites). If you are travelling with others and do not want your personal information disclosed to them, we recommend making separate reservations. We also advise you not to disclose the passwords you use to access our services to third parties, to log out of your profile and social account systematically (especially in the case of linked accounts), and to close the browser window at the end of your session, especially if you are accessing the Internet from a public computer. This will prevent other users from accessing your personal data. To avoid the risk of hacking, we recommend using different passwords for every online service you use. We cannot be held responsible for theft of your data on a platform that is not managed by us. In addition, we strongly recommend that you do not distribute to third parties documents issued by KLM containing your personal data (your boarding pass, ticket number, etc.) or other information related to your trip or to publish these on social networks. If you decide to publish these documents on social media, you are responsible for consulting and understanding the general conditions of use, information security practices and privacy policies applicable to those third-party social networks. We cannot be held responsible for how data is processed, stored or disclosed on these platforms. To find out more about our IT security measures, please consult our IT security portal. (E) Management of security incidents There is no such thing as ‘zero risk’ and even if we implement all the security measures recognised as appropriate, unforeseen things can happen. We have specific procedures and resources in place to manage security incidents under the best possible conditions. We have also set up a specific procedure for assessing possible breaches of security that could lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to your personal data, for notifying the competent supervisory authority within the period stipulated by applicable law, and for warning you when a breach is likely to result in a high risk to your rights and freedoms. Tests are carried out periodically to verify the functioning of the security installations and adequacy of the procedures and devices deployed. 6.2. Retention 

We do not keep your personal data for any longer than is necessary. How long your personal data is retained depends on the purposes for which the data is processed and the applicable statutory retention periods.

7.1. KLM may transfer your personal data to countries other than your country of residence including to countries outside the European Economic Area. This is done to handle your booking or arrange your trip, or because our group companies, partners, or service providers provide their services from other countries. You can find the destinations we fly to on our website under “Flight Status”. The laws of the countries to which we transfer your personal data may not always offer the same level of personal data protection. 7.2. If you fly to a destination in a country other than your country of residence, transferring your personal data to that country is often necessary to provide our services to you. If no adequacy decision under Article 45 AVG has been adopted by the European Commission for the country to which your personal data will be transferred (European Commission website with current adequacy decisions), KLM will ensure that appropriate safeguards are in place, to meet the requirements for the international transfer of personal data. For the transfer of personal data to countries outside the European Economic Area, KLM will in most cases use standard contractual clauses approved by the European Commission within the meaning of Article 46(2)(c) AVG as appropriate safeguards. For more information on the standard contractual clauses, please refer to the European Commission'sImplementing Decision. If you would like more information on the appropriate safeguards provided by KLM, please contact KLM's Privacy Office (see section 8 'Your rights' below). 7.3. We may be obliged to transfer your personal data to government agencies in the countries of your itinerary (see 5.4 above).

8.1. You may contact our Privacy Office (see 8.4 below) to exercise any of the rights you are granted under applicable data protection laws, including (A) the right to access your data, (B) to rectify your data, (C) to erase your data, (D) to restrict the processing of your data, (E) the right to data portability, and (F) the right to object to processing. We explain more about these rights below. Please note that there may be circumstances in which we cannot or may not fully comply with your request. See section 8.3 for more information. (A) Right to access You may ask us whether we collect or use any of your personal data and, if so, to receive access to that data in the form of a copy. (B) Right to rectification You have the right to have your data rectified if it is inaccurate or incomplete. Upon request, we will correct inaccurate personal data about you and, taking into account the purposes of the processing, complete incomplete personal data, which may include the provision of a supplementary statement. (C) Right to erasure You have the right to have your personal data erased. This means that we will delete your data. Erasure of your personal data only takes place in certain cases, as prescribed by law and listed in Article 17 of the General Data Protection Regulation (GDPR). This includes situations where your personal data is no longer necessary for the purposes for which it was originally processed and situations where your data was processed unlawfully. Due to the way in which we maintain certain services, it may take some time before backup copies are erased. (D) Right to restriction of processing You have the right to obtain a restriction on the processing of your personal data. This means that we will suspend the processing of your data for a certain period. Circumstances which may give rise to this right include situations where the accuracy of your personal data is contested, and we need some time to verify its (in)accuracy. This right does not prevent us from continuing to store your personal data. We will inform you before the restriction is lifted. (E) Right to data portability Your right to data portability entails that you may ask us to provide you with your personal data in a structured, commonly used and machine-readable format, and have such data transmitted directly to another controller, where technically feasible. Upon request and where this is technically feasible, we will transmit your personal data directly to the other controller. (F) Right to object You have the right to object to the processing of your personal data. This means you may ask us to no longer process your personal data. This only applies if the 'legitimate interests' ground (including profiling) constitutes the legal basis for processing (see 4.3 “Legal basis” above). You can object to direct marketing at any time and at no cost to you if your personal data is processed for this purposes, which includes profiling to the extent that it is related to direct marketing. If you exercise this right, we will no longer process your personal data for such purposes. 8.2. Withdrawal of consent You may withdraw your consent at any time by following the specific instructions concerning the processing for which you provided your consent. For example, you can withdraw consent by clicking the unsubscribe link in the e-mail, adjusting your communication preferences in your account (if available), or changing your smartphone settings (for mobile push notifications and location data). You may also contact KLM’s Privacy Office. In relation to Bluebiz e-mails, you may also contact Air France’s Privacy Office. For more information on how you can withdraw your consent for cookies and similar technologies we use when you visit our websites or use our mobile apps, please check ourcookie policy. 8.3. Denial or restriction of rights There may be situations where we are entitled to deny or restrict your rights as described in 8.1 above. In all cases, we will carefully assess whether such an exemption applies, and inform you accordingly. We may, for example, deny your request for access when necessary to protect the rights and freedoms of other individuals, or refuse to delete your personal data in case the processing of such data is necessary for compliance with legal obligations. The right to data portability, for example, does not apply if the personal data was not provided by you or if we process the data on grounds other than your consent or for the performance of a contract. 8.4. Privacy Office (A) General If you wish to exercise your rights, please send your request to KLM’s Privacy Office: KLM Royal Dutch Airlines Privacy Office - AMSPI PO Box 7700 NL-1117 ZL Luchthaven Schiphol The Netherlands E-mail:KLMPrivacyOffice@klm.com(B) Bluebiz If you wish to exercise your rights concerning the processing of your personal data in relation to Bluebiz, you may also contact Air France’s Privacy Office: Air France Délégué à la Protection des Données / Data Protection Officer - ST.AJ IL 45, rue de Paris 95747 Roissy CDG Cedex France E-mail:mail.data.protection@airfrance.fr

(C) Transavia flight If you want to exercise your rights with regard to the processing of your personal data as a result of unruly behaviour exhibited by you before or during a Transavia flight, you can contact the Transavia Privacy Office: Transavia Privacy Office PO Box 7777 1118 ZM Schiphol Airport The Netherlands E-mail:privacyoffice@transavia.com

(D) Skyteam Alliance If you wish to exercise your rights regarding the processing of your personal data within the framework of the SkyTeam Alliance, please contact KLM's Privacy Office:

KLM Privacy Office - AMSPI Postbus 7700 1117 ZL Luchthaven Schipol The Netherlands E-mail:KLMPrivacyOffice@klm.com

8.5. Questions, comments or complaints If you have any questions, comments or complaints about this privacy statement, please feel free to contact us. If your concerns have not been addressed to your satisfaction, you have the right to file a complaint with the competent supervisory authority. In the Netherlands, theDutch Data Protection Authority (Autoriteit Persoonsgegevens)in The Hague is responsible for monitoring compliance with privacy regulations.

9.1. This privacy statement took effect on 1 February 2024 and replaced our previous privacy policy of 15 September 2022. This privacy statement is amended from time to time. We will notify you of any changes before they take effect.