Privacy Notice
Xiamen Airlines Privacy Notice
Last updated: 12 Mar 2019
Xiamen Airlines (“Xiamen Air” or “we”, “us”, “our”) respects your right to privacy. This Privacy Notice explains who we are, how we collect, share and use personal information about you, and how you can exercise your privacy rights. This Privacy Notice applies to personal information that we collect through our websites at www.xiamenair.com, (“Websites”) as well as personal information that we collect when you use our services ("Services") such as booking travel with us.
If you have any questions or concerns about our use of your personal information, then please contact us using the contact details provided at the bottom of this Privacy Notice.
What does Xiamen Air do?
Xiamen Air is headquartered in Xiamen, a coastal city in Fujian in Southeast China. It is the first airline in China to operate under the modern enterprise system. After years of steady development, Xiamen Air has become the most distinctive airline in China's civil aviation industry, and has been praised by President Xi Jinping as "the epitome of China's civil aviation development."
For more information about Xiamen Air, please see the “About Us” section of our Website.
What personal information does Xiamen Air collect and why?
The personal information that we may collect about you broadly falls into the following categories:
• Information that you provide voluntarily
In order to perform transportation services, and provide you with a better understanding and use our Services as well as Website, we may ask you to provide personal information voluntarily such as:
o Contact information such as your name, address, telephone number, WeChat ID, Weibo ID, mail address, email address, fax number. This information allows us to contact you when necessary, arrange your schedule, mail your itinerary or other products, verify your identity, invite your feedback on our services, receive your complaint or advise, get to know how you purchased our tickets, products or services, and send you marketing and promotional materials with your consent.
o Egret Miles member account number, half-body portrait, ID picture and ID number. We use this information to manage Egret Club, conduct identity authentication, process mile accumulation, redemption and award, allocate membership treatment and other special services.
o Information of the guardian of the underage members, including: name, contact information. This is used to manage the ticketing services for underage members and system of underage members.
o Image of identity document for business required, including ID card, passport, visa pages, etc., used in identify authentication during your flight reservation, ticket purchase, security check, boarding, visa exemption and other services including after-sales service and the proceed of complaint acceptance.
o Online payment information, including credit card number, billing address, expiration date, used in managing your purchase information and membership verification.
o Information of the contract of corporate contract, including name, job title, address, phone number, email address, for communicating with the contract and sending contract and relevant document.
o Name and contact of your contact person, to ensure that in special circumstances, flight information (including flight travel, security check, boarding, reimbursement, flight delay and accident notice, etc.) can be guaranteed to notice to the relevant contact person.
o Your preferences, including in-flight meal preferences, aircraft seat preferences, on-board service preferences, used to enhance the relevance of products and services and improve our services and provide you with more services that meet your requirements, as well as targeted advertising.
o Personal information you provide in the cabin, including the conversations with flight attendants before and during the flight, any requires for upgrades, baggage, on-board services.
• Information that we collect automatically
When you visit our Website, we may collect certain information automatically from your device. In some countries, this information may be considered personal information under applicable data protection laws.
Specifically, the information we collect automatically may include information like your IP address, device type, unique device identification numbers, browser-type, broad geographic location (e.g. country or city-level location) and other technical information. We may also collect information about how your device has interacted with our Website, including the pages accessed and links clicked.
Collecting this information enables us to better understand the visitors who come to our Website, where they come from, and what content on our Website is of interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our Website to our visitors.
Some of this information may be collected using cookies and similar tracking technology, as explained further under the heading “Cookies and similar tracking technology” below.
• Information that we obtain from third party sources
From time to time, we may receive personal information about you from third party sources, but only where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.
The types of information we collect from third parties include travel professionals and others who assist in booking and arranging travel. We use the information we receive from these third parties to provide services to you, and maintain the accuracy of the records we hold about you.
In general, we will use the personal information we collect from you only for the purposes described in this Privacy Notice or for purposes that we explain to you at the time we collect your personal information. However, we may also use your personal information for other purposes that are not incompatible with the purposes we have disclosed to you (such as archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes) if and where this is permitted by applicable data protection laws.
Who does Xiamen Air share your personal information with?
We may disclose your personal information to the following categories of recipients:
• to our group companies, third party services providers and data processors who provide data processing services to us (for example, to support the delivery of our Services or to provide functionality on, or help to enhance the security of our Website), or who otherwise process personal information for purposes that are described in this Privacy Notice or notified to you when we collect your personal information. A list of our current service providers and partners is available as below:
TravelSky Technology Limited(中国民航信息网络股份有限公司)
Xiamen Renmai Human Resources Management Service Limited Company(厦门市人脉人力资源管理服务有限公司)
CHP Information Technology Services Co., Ltd.(海普信息技术服务有限公司)
Master Human Resources Service Co.,Ltd.(麦斯特(福建)人力资源服务有限公司)
Xiamen Tourism Group Corp.(厦门旅游集团)
Shanghai Huihan Commercial Factoring Co., Ltd.(上海汇涵商业保理有限公司)
Interglobe technologies(英谷信息技术有限公司)
Xiamen C&D Internaional Travel Service Co., Ltd.(厦门建发国际旅行社集团有限公司)
Xiamen Airlines Internaional Travel Service Co., Ltd.(厦门航空国际旅行社有限公司)
Amadeus IT Group S.A.
Everymundo
Travel-x
• to third parties, such as travel agents, airlines that have cooperation with us in code share, interline, and joint venture agreements, and other business partners. Travel agents arrange for discounts, purchase travel or provide other services on your behalf. Partner airlines provide you with more options of route and price in code sharing, interline and joint venture. We only share data with these third parties to the extent it is necessary for the performance of a contract with you.
• to any competent law enforcement body, regulatory, government agency, court or other third party, including civil aviation authority, customs, public security organ, court and procuratorate. We share data with them only for the following reasons and only if necessary: (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
• to an actual or potential buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Privacy Notice;
• to any other person with your consent to the disclosure.
Legal basis for processing personal information
Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
However, we will normally collect personal information from you only (i) where we need the personal information to perform a contract with you, (ii) where the processing is in our legitimate interests and not overridden by your rights, or (iii) where we have your consent to do so. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.
If we ask you to provide personal information to comply with a legal requirement or to perform a contact with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).
If we collect and use your personal information in reliance on our legitimate interests (or those of any third party), this interest will normally be to operate our company and communicating with you as necessary to provide our services to you and for our legitimate commercial interest, for instance, when responding to your queries, improving our products and services, undertaking marketing, or for the purposes of detecting or preventing illegal activities. We may have other legitimate interests and if appropriate we will make clear to you at the relevant time what those legitimate interests are.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “How to contact us” heading below.
Cookies and similar tracking technology
We use cookies and similar tracking technology (collectively, “Cookies”) to collect and use personal information about you, including to serve interest-based advertising. For further information about the types of Cookies we use, why, and how you can control Cookies, please see our Cookie Statement.
How does Xiamen Air keep your personal information secure?
We use appropriate technical and organisational measures to protect the personal information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. . The Internet is inherently unsafe, but we have adopted industry-standard, reasonably practicable security measures to provide you with security that matches the risks posed by your personal information. We have improved the security of the entire system from many aspects including organizational construction, system design, personnel management, product technology , and we have obtained ISO27001 certification. The relevant information systems of importance have also passed the assessment of network security level protection and PCI DSS (third-party Payment Card Industry Data Security Standard) certification. In addition, we provide SSL protocol encryption protection during data exchange between your browser and the server, and provide secure browsing mode based on HTTPS protocol to the website; we use encryption to improve the security of personal information; we use trusted protection mechanisms to protect our personal information from malicious attacks; we strictly limit the range of people accessing information and require them to comply with confidentiality obligations.
International data transfers
Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).
Specifically, our Website servers are located in the People's Republic of China, and our group locations and third party service providers and partners operate around the world. This means that when we collect your personal information we may process it in any of these countries.
However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice. These include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information between our group locations. Our Standard Contractual Clauses can be provided on request.
Our group locations will protect personal information we process as required by applicable laws.
Data retention
We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
Your data protection rights
You have the following data protection rights:
• If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us using the contact details provided under the “How to contact us” heading below.
• In addition, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided under the “How to contact us” heading below.
• You have the right to cancel your account of Egret Miles member. After you cancel the account, we will stop providing you with the relevant products and/or services, and delete your personal information according to your request unless otherwise stipulated by laws and regulations. You can contact us by way using the contact details provided under the “How to contact us” heading below
• You have the right to opt-out of marketing communications we send you at any time. We will send you marketing communications by e-mail, SMS and other means with your consent, including personalized and precise marketing communications, such as personalised ads and special offers for airline related products and services. We will respect your choice as to what information you wish to receive and the means that you wish to receive. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mail or SMS we send you. To stop being sent marketing communications as an Egret member, you can use the setting on the Egret member interface by not checking the pushing notifications of the marketing communications. To opt-out of other forms of marketing , then please contact us using the contact details provided under the “How to contact us” heading below.
• Similarly, if we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
• You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the European Economic Area, Switzerland are available here.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
Updates to this Privacy Notice
We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will release an updated version on our Websites, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.
You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.
How to contact us
If you have any questions or concerns about our use of your personal information, please contact us using the following details: dpo@xiamenair.com.
The data controller of your personal information is Xiamen Airlines.
Privacy Statement for flights to the United States
The Transportation Security Administration (TSA) requires you to provide your full name, date of birth, and gender for the purpose of watch list screening, under the authority of 49 U.S.C. section 114, the Intelligence Reform and Terrorism Prevention Act of 2004 and 49 C.F.R parts 1540 and 1560. You may also provide your Redress Number, if available. Failure to provide your full name, date of birth, and gender may result in denial of transport or denial of authority to enter the boarding area. TSA may share information you provide with law enforcement or intelligence agencies or others under its published system of records notice. For more on TSA privacy policies, or to review the system of records notice and the privacy impact assessment, please see the TSA Web site at www.tsa.gov.