Privacy policy for Widerøe
This privacy policy describes how Widerøe AS and other subsidiaries (“Widerøe”, “we” and “our”) process personal data about you.
We will not process personal data about you unless this is in accordance with your wishes, agreements you have entered into with us, this privacy statement or applicable legislation. Please note that in some cases you will not be able to fully benefit from our services without providing personal data about yourself.
If you provide us with other people's personal data, you are obliged to inform the person(s) that Widerøe will process this personal data in accordance with this privacy statement and any other terms and conditions that apply to the services in question.
1. Definitions
Widerøe's websites, Widerøe's app or other communication channels, as well as services we offer, such as booking flights, check-in, customer service, Reward, online profiles, newsletters, freight services and other flight-related services are referred to as our "services".
"Personal data" means any information that can be linked to an identifiable natural person (the latter is referred to as a "data subject").
"Processing" means everything that is done with personal data. For example, collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of disclosure, compilation or interconnection, restriction, deletion, or destruction.
In order to process your personal data, we must have a lawful basis for processing personal data ("basis for processing"). This may, for example, be performance of a contract, your consent, and legal requirements we must meet.
As an alternative to deletion, we will occasionally anonymize personal data to create statistics to improve our services, such as route services. "Anonymization" means that all identifying or possibly identifying characteristics are removed from data sets that are preserved.
2. Responsibility for the processing of personal data
Widerøe AS or the relevant subsidiary you are in contact with is the data controller, i.e. they decide why and how the personal data should be processed.
Entities within the Widerøe Group or third parties, such as Widerøe's partners, may process or act as joint controllers of personal data about you in connection with your use of certain services, for example if you have booked several airline tickets.
All processing of personal data takes place in accordance with the privacy regulations in force at any given time, including the Personal Data Act and the General Data Protection Regulation (GDPR).
For any questions you may have about our processing of your personal data, please contact us at:Widerøe AS
Address: Widerøe AS, by Data Protection Officer, Mailbox 247, 8001 Bodø
E-mail: personvern@wideroe.no
Organisation number: 917 281 629
3. Processing of personal data
Information about personal data we process about you, the legal basis for the processing, the purpose of the processing, how long we process the personal data, etc. is included below sorted by which services you use. Widerøe may use personal data about you for the purposes specified below, as well as for any purposes you were informed of in connection with your use of the service(s) in question. This Privacy Policy covers only your use of Widerøe`s services. If there are links to third-party websites on Widerøe's websites, Widerøe is not responsible for the content or the processing of personal data that may occur on such linked home pages or applications.
3.1.Customers/passengers
3.1.1. Booking; travel and check-in management
When you book flights or use other travel-related services or products offered by Widerøe, Widerøe processes your personal data.
Why we process your data: The processing of personal data is necessary for the performance of an agreement for the purchase of air transport services. The purpose will be to manage your travels.
What we process: Name, address, gender, telephone number, e-mail address, Reward number and any other membership number. For some airline tickets, Widerøe also processes the date of birth. Passport information is processed for travel to/from countries that require this.
Widerøe does not intend to process special categories of personal data, which may be health information, information about religion, etc., and we encourage you not to provide such personal data. However, if you provide special categories of personal data as part of the ordering process, we will always treat such data with extra care and security.
How we process: For example, we will process your personal data to carry out check-in, dissemination of information about past and future trips, seat reservation, use of Reward number, cancellation or rebooking. The information about your trip will also be used in anonymous statistics to improve our services, such as route offers. Some countries also require the submission of personal data in order to complete the trip.
How long do we process: We delete or anonymize information about customers after 3 years after the end of the trip. This is in accordance with pan-European legislation relating to customers' rights and deadlines for claiming compensation in the event of irregularities, as well as for use in services related to customer service (receipts, etc.) and travel history. Even after 3 years, we will still keep statistics about travelers in order to improve our services, these are anonymized and cannot be linked to you.
3.1.2. Payment
You have to provide certain payment information, such as card number and expiration date, to complete a payment for our services.
Widerøe has implemented measures to ensure that your payment information is safe and processed in accordance with applicable legislation. The information processed about your booking, such as name, travel and payment information, is both registered and stored by our selected service providers, who meet all the requirements of applicable legislation (PCI DSS).
We will also process your personal data to prevent, investigate or report cases of fraud or security problems. The information may include name, address, email address, telephone number, IP address and payment information. For this purpose, the information is stored up to 3 years.
3.1.3. Profiles and my travels
Why we process your data: If you wish, you can consent to create a profile with us. The purpose will be to give you tools to easily manage your travels, and so we can provide you with relevant information and offers. You may at any time manage your personal account by logging in with your email and your password and set up how you like us to communicate with you.
What we process: Widerøe will process the personal data you provide in your profile such as gender, first name, last name, date of birth, e-mail address, telephone number, address, postcode/city, country, Reward number.
If you choose to add travel to your profile, information about the trips (such as origin, destination, airline, date and time) and your receipt will be stored in your profile.
If you choose to link a payment card to your profile, your payment information will be processed and stored by our service providers.
How we process: For example, you will then have access to historical travel information, favorite airport and similar personalized services. Your profile will also ensure that this information is completed the next time you order. The information about you will also be used in anonymous statistics to improve our services, such as route offers.
How long: Your profile will be deleted after 3 years of inactivity or by selecting "Delete profile". Deletion then takes place 60 days after we have received notification of the desired deletion. If you remove optional fields in your profile, such as Reward , the information will be deleted when you save the profile again. Booking information will nevertheless always be kept in the database for 3 years for reasons of EU Passenger Directive, unless you consent to longer storage to view previous trips.
3.1.4. Widerøe APP
Why we process your data: To provide an efficient and customer-friendly overview of your trip, you can choose to download and use our APP. The purpose will be to give you tools to easily manage your travels.
What we process: Necessary information to provide the services included in the APP. This will be your name, address, telephone number, e-mail address, Reward number, passport details and travel information. Examples of services included in the APP are information about past and future trips, ordering additional services such as food and luggage, as well as check-in services.
If the settings on your mobile device allow our APP to collect information about your location, we will collect that information automatically. You can manage how your mobile device share location with us through the settings on your phone.
We use technology features (similar to cookies) such as unique identifiers associated with your device in our APP. The purpose is to improve and help administer functions in the APP. We will also be able to use information related to your previous behavior in the APP so that your latest search, favorite airport etc will be stored in the APP for your next visit. We will ask for your consent before such features are enabled, and you can control your settings at any time in the APP under settings. The data is saved for as long as we have your consent.
With your consent, we will send you push notifications with flight related service information such as opening of check-in, change of gate, delays as well as special offers. We will store your device ID backend to enable push notifications. You can control your settings at any time in the APP if you do not want us to send you any push notifications.
How we process: In order for us to be able to deliver the services included in the APP and give you correct and relevant information about your trip, we will process personal data about you.
How long: Information is stored in the APP until the trip is completed. Information about your booking will still be stored in our database for 3 years, unless you consent to longer storage to view previous trips.
3.1.5. Customer service
Why we process your information: If you contact Widerøe's customer service via e-mail, chat, phone, SMS or other channels, we will process your personal data to fulfill our agreement to provide you with services or your consent.
What we process: Widerøe processes personal information you choose to provide to us via e-mail, chat, phone, SMS or other channels, as well as necessary information about your booking to be able to solve problems you have with your trip.
How we treat: Contacting our customer service is voluntary. If you contact Widerøe's customer service, we will process the personal information you provide (as well as travel information) in order to provide customer service or deliver the services you have requested. The processing will be limited to what is necessary to assist you with your problems. We will never ask for identification with bankID or credit card information via email or chat.
How long do we process: 3 years according to the EU Passenger Directive.
3.1.6. Communication to you: Information about your trip
Why we process your data: When you order certain services, it will be necessary for us to provide you with additional information that is necessary. For example, we will send an e-mail about check-in to the aircraft or the possibility of Duty Free on board or pre-ordering of Duty Free goods for flights where this is available. If you contact us without this being covered by "customer service" above, we will respond to you on the basis that you have consented to this by contacting us.
What we process: Widerøe process your name, e-mail address and possibly telephone number.
How we process: We will then use your personal data to reach out to you with relevant information about your travels. For example, we will send out emails with a link to check-in in advance of travel and other relevant information about your upcoming trip with us.
How long do we process: This is a one-time processing that occurs automatically when we provide a service to you or until you have received requested information.
3.1.7. Communications to you: Surveys, newsletters and other communications for marketing purposes
We send out surveys, newsletters and other communications to both private and corporate customers.
Why we process your data: Shortly after your trip we will send out surveys about your travel experience with us. The processing is based on our legitimate interests to follow-up the customer after a trip and to improve and operate our business.
We occasionally send out newsletters or similar communications for marketing purposes, only with your consent. These e-mails may contain tracking pixels that register whether and when the email is opened and whether any links are clicked. The information is used to manage and measure the marketing effect so we can be able to improve our digital channels and deliver more relevant content to you.
If you wish to opt out of receiving marketing communications via email, you can withdraw your consent here.
3.1.8. Statistics, analysis and testing
Personal data collected in connection with your use of our services, e.g. booking and travel data, may be used in statistics and analyzes for internal business purposes and to further develop, improve and operate our services. Your personal data may also be used for system functionality testing to improve the user experience of our system platform or fault detection. The data will only be used on an aggregated and non-individual level.
3.2. Company portal, company account and Widerøe Bisniss
When you create a company account, Widerøe will process your personal data in accordance with the description above (Profiles). See also the contract for supplementary terms.
Why we process your data: We process personal data on the basis of an agreement with your company. The purpose of the processing is to offer an efficient and customer-friendly ordering process and offer you discounts.
What we process: Widerøe will process the personal data you provide in your profile: gender, first name, last name, employer, date of birth, e-mail address, telephone number, address, postcode/city, country, Reward number.
If you are the company's contact person, you will be able to invite other employees to the portal. You will then have access to their personal data if they accept the invitation to the portal. You are responsible for processing this information in a secure manner and in accordance with applicable legislation.
Especially about employee profiles: The company's contact person will, if you accept the invitation and create an employee profile, have access to the personal data in your profile for administration.
How we process: For example, you will then have access to historical travel information and similar personalized services. Your profile will also ensure that this information is completed the next time you order. The information about your travels will also be used in statistics to improve our services, such as route offers.
How long do we process: If you have an employee profile, you can remove your employer's access to your personal data at any time by deleting your profile. As a Travel Manager, you can also delete an employee profile and travel related to it. If you are your company's travel manager, you can always contact us to delete or deactivate the company profile in its entirety, this will ensure deletion of employee profiles, and business trips older than 3 years.
3.3. Suppliers and other partners, etc.
We process personal data about contact persons of our suppliers and other partners.
Why we process your information: The basis for processing will in some cases be to fulfill our legal obligations pursuant to, for example, accounting and tax legislation or the Transparency Act. In other cases, it will be to administer a possible or existing agreement between us.
What do we process: In these cases, we will process name, contact information (name, address , telephone number and e-mail address), company name and information related to the contact with the company in which the person works and other information these contact persons may provide us.
How we process: It is voluntary for the contact persons if they wish to provide us with personal data. In some cases, we obtain references from others to assess the suitability of suppliers and partners in order to comply with legal requirements, such as the Transparency Act.
How long do we process: If the basis for processing is an agreement between us, we will process personal data as long as it is a prerequisite for the performance of a contract or administration. However, certain legal obligations or documentation requirements may mean that we store personal data for a longer period. In any case, we will delete the personal data of relevant contact persons if we become aware that they have left the supplier or corporate customer, or that the supplier or company customer has appointed a new contact person.
3.4. Especially about shipping services
Why we process your information: If you are a private customer, corporate customer, freight agent, or a private customer who has shopped with one of our partners online, we offer freight services with our aircraft. We then process your personal data to carry out deliveries, handle problems with delivery or transport the package to the correct destination according to the agreement, we need personal data.
What do we process: We only process information that is necessary to transport the package to the correct destination. These will be addresses and contact details. If you provide other information, this will also be processed.
How we process your data: Your personal data is only used to administer our shipping services in designed systems. However, we process anonymous statistics to improve our shipping services. For example, the number of requests for new and current destinations. Personal data is only shared with relevant partners such as airports, ground handling suppliers, IT suppliers and carriers to fulfill our part of the agreement. We may also be required to disclose personal data to relevant customs and law enforcement agencies. Our suppliers process your data in accordance with the Data Processing Agreement with us.
How long do we process: We delete data related to shipping no later than after 3 years. If it concerns shipping to private customers who have purchased from one of our partners online, we delete the personal information after 90 days.
3.5. Our Website
Why we process your data: The use of cookies on the website can either be to carry out important functions on the website, such as booking flight tickets. If the cookies are not necessary for important functions on the website, we will always ask for your consent to tracking.
How we treat: We use cookies on our websites to give you a better experience when using the websites and using our services, as well as to increase security and improve our services. Personal data collected by means of cookies (for example, your IP address can show where you are) is in some cases anonymised and used as a basis for improvements and in statistics and analyses. We use this information to analyse trends so that we can make our website and services more user-friendly.
For more information about what kind of cookies Widerøe uses, what information we collect and how long these are stored, and other information, see our statement on the use of cookies.
3.6. Recruitment
Why we process your information: The processing takes place on the basis of consent that you have given in the job search service we use or that the processing is necessary to implement measures before an employment contract with the job seeker is entered into. If investigations are carried out by us beyond contacting persons who are given as a reference, investigating by applying for history, etc., personal data is processed on the basis of our necessary legitimate interest to ensure that the right candidate for the position. (GDPR Article 6 (1) b).
What do we process: When recruiting for new positions with us, applications, CVs, certificates, notes from interviews, results from surveys of references, family relationships and interests will be processed that will contain personal data. In interviews, we ask questions to determine if the job seeker is a good fit for the position. We also use tests and question forms for this purpose. If it becomes relevant to hire the job seeker, we may ask for additional information, as well as for documentation of information we have already received. It is voluntary to provide us with information. We encourage you not to include special categories of personal data, such as health, religion, political opinions, trade union membership, etc. in your application.
How we process: We use job search services to manage submitted applications. This service is as our data processor any profiles with them will be based on consent.
How long do we process: Personal data is deleted after 6 months. We may retain the information longer if you have consented to longer storage.
Read more about the processing of personal data when recruiting in our privacy policy for job applicants
3.7. Events
Why we process your data: Processing of personal data will take place on the basis of fulfilling an agreement with a participant. In case food and/or drinks are served, we may collect information about any preferences, in which case the data will be processed on the basis of consent.
What do we process: We will then process your contact information, any food preferences, and the arrangement in question.
How we process: For participants at events, contact information will be registered and processed, as well as which event they will participate in, so that they can identify as registered and that necessary communication and, if applicable, invoicing of participation fees can be carried out. In the event that food and/or drinks are served, we may collect information about any preferences, which may indicate health and/or religion based on your preferences. This is information that will only be processed by us and will be deleted immediately after the event.
How long do we process: Until the event is completed, or invoicing and other payments have been arranged.
3.8. Social Media
Why we process your data: We process personal data in social media on the basis that we believe we have a necessary legitimate interest in communicating with the outside world and will then process personal data in this context. We have considered that this is necessary for us to communicate with our customers and stakeholders, and handle inquiries we receive, and that the data subjects' privacy does not take precedence over these interests.
What we process: Through these pages, personal data will be processed if you post on the site, comment on posts or "like" / follow the page. We then process your name and link to other information that you have posted associated with your name / account in this medium. In addition, what you share through records and comments is processed. We ask you not to share personal data in posts or comments on the website, and in particular not to share personal data about others, for example by "tagging" or referring to people. What you share in our social media is up to you and volunteer.
How we treat: We want to be available to our customers on social media. Among other things, we have established a Facebook page and an Instagram account, where we are responsible for the processing of personal data in this connection together with Facebook and Instagram. Our purpose in processing personal data through social media is to have contact with you who wish to communicate with us or interact with / against us in other ways.
In the use of certain services, you can choose to connect your social media profiles to our websites for a better user experience. If you choose to connect your social media profiles to our services, we will use information from the profiles to fill in blank fields (for example, when ordering), with information such as name, date of birth, phone number and address.
How long do we process: The information will be processed as long as postings / comments are available on the social media, and you can delete this at any time.
4. Generally
Transfers or disclosure of personal data to others
We do not pass on personal data to others other than what is mentioned in this statement or there is a legal basis for this. Examples of such a basis may be a legal obligation that requires us to disclose the information to public entities such as tax collection, accountant / auditor, as well as others that we need in our business as a provider of aviation-related services. If it is required by law or there is a suspicion that an offense has been committed in connection with the use of our services, personal information we have stored about you may be disclosed to public authorities. Because of mandatory requirements from foreign authorities, we may be under an obligation to provide foreign authorities access to certain PNR and API data. Such data is used primarily to prevent and combat terrorism and other serious crime.
Your personal data may also be shared with other airlines and other companies that are involved in the provision of the service that you will make use of, such as travel agencies, Ground Handling suppliers or providers of Tax-free goods. This is necessary for us to be able to carry out and deliver services and products you have ordered.
We use data processors to collect, store or otherwise process personal data on our behalf. Such data processors may be Widerøe's subcontractors and partners. In these cases, we have entered into data processing agreements to safeguard your rights and security for your personal data at all stages of the processing.
If personal data may be subject to transfer to another organisation in connection with a merger, financing, reorganisation or dissolution transaction of all or part of us, we will only do so if the parties involved have entered into an agreement where the collection, use and sharing of the personal data is limited to the purposes of the transaction, including a provision on whether or not to proceed with the transaction; and the personal data shall only be used by the parties involved to carry out and complete the transaction. If another company acquires us or our business or assets, that company will have access to the personal information collected by us and will assume the rights and obligations regarding your personal information as described in this Privacy Policy.
Transfer of personal data to recipients in countries outside the EU/EEA
It is our goal that all processing of personal data should take place within the EEA, but it may be that we use suppliers or process personal data outside the EEA.
In such cases, the transfer and processing outside the EEA (third countries) will take place in countries approved by the European Commission or in accordance with a valid legal basis for the transfer of personal data pursuant to GDPR Chapter V. If the transfer does not take place to countries approved by the European Commission, the transfer will only take place according to the guarantees set out in Article 46 (2) of the GDPR. You can be informed of the grounds used for the transfer if you contact us. We will also carry out risk assessments in connection with transfers in order to implement additional security measures if necessary.
Security of processing
We give high priority to the security of personal data in our business and will implement several technical and organizational measures to secure your personal data.
We handle information so that it is correct, accessible, and handled according to the degree of sensitivity of the information. We also employ a variety of security technologies and information security procedures to protect your personal information from unauthorized access, use, or disclosure. Risk assessments are carried out for the processing of personal data.
We have entered into data processing agreements with our suppliers who process personal data, where they assume the same level of security as we have for our processing of personal data.
We restrict access to personal data to the personnel or third parties who will process the data on our behalf. These parties are subject to a duty of confidentiality.
Routines have been established for handling breaches of information security and routines (privacy breaches), and we will, if there are breaches that entail a risk to the privacy of the personal data concerned, send a deviation notification to the Data Inspectorate as quickly as possible and no later than 72 hours after the breach was discovered. If the breach entails a high probability of privacy for the data breaches, we will also notify them.
5. Your rights
Information
You have the right to receive information about the personal data we process about you. Through this statement, we inform you about our processing of personal data. You can also contact us if you want more information.
The right to access
You have the right to demand access to the personal data processed about you. Please contact us if you want access.
Change and deletion
You can also ask us to correct incorrect information we hold about you or ask us to delete personal information.
Processing on the basis of consent
If we process personal data on the basis of your consent, you may withdraw your consent at any time. The easiest way to do this is to use the way stated when you gave your consent or contact us.
Right to restrict or object to processing
You have the right to have the processing restricted in certain cases, see article 21 of the GDPR.
The right to data portability
For information that you have provided to us and is necessary for the performance of an agreement with us, and which is processed automatically (i.e., not manually by us), you can request to have your personal data provided or transferred to another supplier in a structured, commonly used and machine-readable format (data portability).
Automated processing, including profiling
There will be no automated processing, including profiling, based on your personal data that has legal effects or significantly affects those to whom the personal data relates. See GDPR Article 22 no. 1 and 4.
6. Complaints
If you find that our processing of personal data is not in accordance with what we have described here or that we in other ways violate privacy laws, you can complain to the Data Inspectorate. However, we ask you to contact us first so that we can process any incorrect treatment as quickly as possible.
You can find information about your rights and how to contact the Data Inspectorate on the Data Inspectorate's website: www.datatilsynet.no.
7. Changes to this privacy policy
We reserve the right to change our privacy policy. In the event of a change in our services or changes in the regulations on the processing of personal data, updated information will always be available on our website.
Updated