Joint controller arrangement

Information on the essence of SAS’ and EB’s joint controller arrangement

We, Scandinavian Airlines System Denmark-Norway-Sweden, (“SAS”) and SAS EuroBonus AB, (“EB”), are jointly determining the purposes and means of the processing of personal data relating to SAS’ loyalty program SAS EuroBonus (the “EuroBonus Program”).

By jointly determining the purposes and means of processing, SAS and EB are acting as joint controllers under the GDPR . We have entered into a joint controller agreement on the sharing of personal data relating to the EuroBonus Program.
The purpose of this information is to provide you with the essence of our arrangement, specifically describing how we have determined and allocated our respective responsibilities for compliance with the obligations under the GDPR.

Please note that this summary is provided to you for information purposes only and does not represent the joint controller agreement in full. It should not be construed as prescribing any obligations by SAS or EB in relation to any data subject. For information regarding the processing of personal data relating to the EuroBonus Program, please see the privacy policy or contact the Data Protection Officer.

When allocating responsibilities for compliance with the obligations under the GDPR, we have taken the following factors into consideration: which entity is best positioned to perform the obligation; physical access to the personal data; decisive powers over the design and content of the EuroBonus Program; expectations from data subjects; which entity holds the agreements with partner organisations; and which entity holds the agreements with processors.

Each of SAS and EB will at all times comply with its respective obligations under all applicable laws relating to privacy and the protection and processing of personal data in each relevant jurisdiction.

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing the Directive 95/46/EC (General Data Protection Regulation)

We have jointly determined the purposes of means of the processing of personal data under the joint controller arrangement. Each of SAS and EB has undertaken to ensure that personal data will only be collected for specific, explicit and legitimate purposes, and is adequate, relevant and limited to what is necessary to fulfil each purpose.

When processing personal data, each of SAS and EB is responsible for ensuring that personal data is: processed fairly and lawfully; not further processed in a manner that is incompatible with the purposes for which it was collected; at all times kept accurate; not retained or processed longer than necessary to carry out the agreed purposes unless required to do so under applicable law; and only processed in a manner that ensures appropriate security of personal data.

Each of SAS and EB will ensure that it has a proper legal basis under applicable data protection laws for the processing of personal data and they will consult with each other before making any amendments to the legal basis.

SAS and EB acknowledge the obligation to inform data subjects about the processing of their personal data under Articles 13 and 14 of the GDPR, and have agreed that all such information must at all times be reflected in the privacy policy. SAS is responsible for keeping the privacy policy at all times available at www.flysas.com/en/legal-info and EB is responsible for ensuring that the content of the privacy policy correctly reflects the processing of personal data under the EuroBonus Program.

In the event that SAS or EB processes personal data based on consent, it is the entity obtaining consent from the data subject that is responsible for providing the data subject with relevant information before collecting the personal data, including information about how to withdraw consent.

SAS and EB have agreed that SAS is responsible for ensuring that data subjects can exercise their rights under applicable data protection laws. This includes having documented routines for data subject access requests, and procedures for responding to requests within the time limits imposed by applicable data protection laws.

Moreover, we have agreed that data subjects wishing to exercise their rights under applicable data protection laws should send their request to the contact point who may be reached at dataprotectionofficer@sas.se and as specified in the privacy policy.

Under the joint controller arrangement, personal data may be shared with third parties as set out in the privacy policy. With regard to processors and third party controllers, it is the entity, SAS or EB, that has entered into the data processor agreement or transfers personal data to a third party controller that is responsible for compliance with applicable data protection laws in relation to such processor or third party controller, including provisions for lawful transfers of personal data to a country outside the EU/EEA.

We have designated the Data Protection Officer for SAS and EB to be the contact point for data subjects and towards any supervisory authority for any processing activities pursuant to the joint controller arrangement. The contact point may be reached at dataprotectionofficer@sas.se. However, we acknowledge that data subjects and any supervisory authority may communicate with either SAS or EB as they prefer.