Privacy Statement Digital Travel Credential Pilot

This privacy statement applies to personal data that KLM collects and processes as part of the DTC-1 pilot (hereinafter “the DTC pilot”).

Please read theinformation pagefor more general information about this pilot.

Regarding the aspect of biometric boarding during the DTC pilot, the controller is KLM NV (Koninklijke Luchtvaart Maatschappij, also known as KLM Royal Dutch Airlines), a Dutch airline having its registered office and principal place of business at Amsterdamseweg 55, 1182 GP, Amstelveen, the Netherlands. The processor involved in the biometric boarding activities is Idemia the Netherlands B.V., having its registered office at Oudeweg 32, Postbus 5300, 2000 GH Haarlem, the Netherlands.

The aspect of biometric boarding during this pilot is on top of the regular process you will experience when flying with KLM of which data processings are described in our regularKLM Privacy Policy.

During this DTC Pilot, passengers with Canadian or Belgian nationality on KLM flights from Montréal to the Netherlands are invited by KLM to participate in the DTC Pilot. By participating in the DTC Pilot, you can choose to create a Digital Travel Credential via an app published and controlled by the Dutch Government, the so-called DTC. Please read theprivacy policy from the Dutch Governmentfor more information on the creation of the DTC.

What are KLM’s data processing responsibilities?

We are the data controller responsible for the personal data processed during biometric boarding.

Which personal data do we process?

If you participate in the biometric boarding for your flight, the following data will be processed by us during the DTC pilot:

  • Your biometric data (passport photo, live facial photo, and the result of the facial comparison)
  • Your DTC

On what legal basis do we process your personal data?

Participation in the pilot is entirely voluntary. All processing takes place based on your explicit consent (article 6.1 (a) and article 9.2.(a) GDPR), which is clearly elucidated during the steps explained in the DTC 1 app. You can withdraw your consent at any time, after which your participation in the pilot will be terminated, and your personal data will be erased. You can also decide to have your boarding done manually at any point in your journey, even without revoking your consent. If you give your consent, your data will be provided to KLM for the boarding process.

The purpose for which we use your personal data?

The personal data processed during biometric boarding is used for (i) identification purposes and (ii) evaluation purposes. Your personal data will not be used for any purposes other than those described in this privacy policy. We do not share, sell, or give your personal information to any outside organisation without your explicit consent.

How and for how long do we store your personal data?

We have taken appropriate and organisational measures to protect your personal data. We use an integrated security system consisting of physical, informational, and personnel security measures. Moreover, an authorisation policy applies: only necessary and screened employees are allowed to access your personal data.

Your personal data processed for biometric boarding is stored for a maximum of 96 hours. After 96 hours, your personal data processed for the biometric boarding process is destroyed. This period is necessary because flights can take place up to 3 days after registration for the pilot and also takes into account the flight time and arrival at Amsterdam Airport Schiphol.

Processor

In order to provide our services, we use the support and/or additional services of a third party, Idemia the Netherlands B.V., Idemia is required to adequately safeguard your personal data and only use such data in accordance with our instructions.

Data transfer

During the biometric boarding process, your DTC is transferred from the servers of Idemia in France to a system of Idemia in the boarding gate in Montréal, Canada. Canada is country for which the European Commission has taken an adequacy decision. This constitutes a data transfer based on art 45 GDPR. If no adequacy decision has been taken by the European Commission on the basis of Article 45 GDPR for the country to which your personal data is transferred (see the website of the European Commission for a list of current adequacy decisions), KLM ensures that appropriate safeguards are in place so that they meet the requirements for the international transfer of personal data.

What are your rights?

You may contact KLM to exercise any of the rights you are granted under applicable data protection laws, including the right to withdraw your consent, the right to access/provision, the right to rectification, the right to erasure, the right to object, the right to data portability, and the right not to be subject to automated individual decision-making. You can contact KLM viadtc1pilot@klm.com.

You have the right to withdraw your previously given consent to participate in biometric boarding at any time. After withdrawing, your participation will be stopped, and your personal data will be erased.

The right to access/provision

You have the right to access the personal data collected from you and request a copy of your personal data.

The right to rectification

You have the right to request the modification of personal data that you believe is incorrect or incomplete.

The right to erasure

You have the right to request the erasure of your personal data. Please note: your personal data is only retained for 96 hours, whereafter it is destroyed.

The right to object

You have the right to object to the processing of your personal data. You can refuse to participate in the pilot or remove your DTC, and you can retract your participation at any time.

The right to data portability

You have the right to request that our organisation provides your personal data to another organisation. During the pilot, it is not possible to request the transfer of your DTC to another organisation. In addition, we are the only party that can perform your boarding, and your data cannot be transferred to another party during the boarding process.

The request is adhered to where technically feasible. We will answer your questions as soon as possible. Please note: as your personal data is retained for 96 hours, performing data portability might not be feasible.

The right not to be subject to automated individual decision-making

There is no automated individual decision-making within the pilot. Although facial recognition will take place with your consent, it will not lead to decisions with legal consequences or significantly affect you. Even if facial recognition fails, it will not prevent you from boarding manually outside the pilot.

Contact

If you have any questions about this privacy policy or the pilot in general, you can contact us viadtc1pilot@klm.com.

If you have any questions regarding the generalKLM Privacy Policy, you can contact us via the contact information below.

KLM

You can contact KLM’s Data Protection Office.

General e-mail address:klmprivacyoffice@klm.com

E-mail address regarding personal data breaches:databreach_notification@klm.com

Other processings of KLM are reflected in the KLM Privacy Policy.

View the general KLM Privacy Policy

Postal address

PO Box 7700, 1117 ZL

Amsterdam Airport Schiphol

The Netherlands

View the general KLM Privacy Policy

Complaints to the supervisory authority

If you want to file a complaint about the processing of your personal data or if you believe that a request regarding this matter has not been handled correctly, you can contact theDutch Data Protection Authority (Autoriteit Persoonsgegevens).

Website:www.autoriteitpersoonsgegevens.nl/en

E-mail address:info@autoriteitpersoonsgegevens.nl

Postal address

Autoriteit Persoonsgegevens

Postbus 93374

2509 AJ The Hague

The Netherlands

How this privacy policy is updated

This privacy statement took effect on 6 November 2023. This privacy statement can be amended from time to time. We will notify you of any changes before they take effect.