JAL Group Airlines: Processing of Personal Data in GDPR

Japan Airlines Co., Ltd., Japan Transocean Air Co., Ltd., J-AIR Co., Ltd., Japan Air Commuter Co., Ltd., Ryukyu Air Commuter Co., Ltd., and Hokkaido Air System Co., Ltd. (hereinafter referred to as "JAL Group Airlines") process and protect customers' personal data as follows, pursuant to the General Data Protection Regulation (hereinafter referred to as "GDPR") and the JAL Group's Basic Policies for Information Security and Personal Data Protection.

1. Protection and Management of Personal Data

JAL Group Airlines properly manage and protect customers' personal data pursuant to the JAL Group's Basic Policies for Information Security and Personal Data Protection.

2. Personal Data Controller and Data Protection Officer

  1. Personal Data Controller
    Japan Airlines Co., Ltd.
    Address: 2-4-11 Higashishinagawa, Shinagawa-ku, Tokyo, 140-8637
  2. Data Protection Officer
    Address: 2-4-11 Higashishinagawa, Shinagawa-ku, Tokyo, 140-8637
    E-mail: dpo@jal.com

3. Purpose and Legal Basis for Processing Personal Data

JAL Group Airlines properly process customers' personal data within the scope of the following purposes:

Please scroll horizontally.

  Purpose of Processing Legal Basis
(1)

To provide air transportation services (Reservations, sales, check-in, airport handling, cabin services, etc., including cases of interline transportations, joint operations, code-sharing, contract operations, etc., in addition to normal transportation services)

Contract performance
(2)

To provide services relating to JAL Mileage Bank (hereinafter referred to as "JMB") services

Contract performance
(3)

To provide other products and services

Contract performance
(4) To provide information and communications; to conduct questionnaires relating to products, services, various events, campaigns, and such Legitimate interests
(5) To conduct sales analysis, investigations and research; to develop new services and products Legitimate interests
(6) To conduct operations relating to (1) - (5) above; to respond to inquiries, etc.

Contract performance

Legal obligations

Legitimate interests

4. Personal Data Categories

JAL Group Airlines process customers' personal data necessary for the purposes stated in "3. Purpose and Legal Basis for Processing Personal Data". Such personal data includes:

  • Basic Data
    Name, address, contact details (TEL/FAX numbers, e-mail address), gender, date of birth, country/region of residence, passport number, credit card number, information on employment (company name, department, job title, address, TEL/FAX numbers), etc.
  • Data for Making Reservations and Itineraries
    Reservation/boarding information (flight name, etc.), itinerary information, copy of e-ticket, EMD, (online) check-in, accompanying passengers, incidental services (upgrades, additional baggage, etc.), mailing address of items sent to customers, e.g. ticket, itinerary, etc.
  • JMB Membership Data
    Membership number, member's service qualifications, membership region, accumulated mileage, data-related mileage awards, etc.
  • Communications Data
    Records of communications with the JAL Group Airlines (recordings of phone calls to the call center, records of responses to questions submitted via e-mail or web inquiry forms, etc. Where necessary, records of questions or complaints, etc. received at airport counters or when boarding may be kept)
  • Data Collected from Websites and Apps, etc.
    Website access logs (IP address, Cookies, etc.) and data collected by apps, etc.

Where a customer reserves the JAL Group Airlines' air transportation services via a third party such as travel agents or other airline companies, some of the above-stated personal data may be collected from such third party. This policy also applies to personal data collected in such ways.

Collection and Use of Sensitive Personal Data

JAL Group Airlines may collect and use sensitive personal data on customers when providing air transportation services. The collection and use of such sensitive personal data is limited to cases in which customers request special assistance when using air transportation services, and such data is not used for any other purpose.

Examples of Processing Sensitive Personal Data

  • Where requesting escort from check-in counter to departure gates for passengers that use a wheelchair or are visually impaired
  • Where requesting rental medical oxygen bottles or permission to carry on a medical oxygen bottle
  • When requesting permission to carry on syringes or other medical equipment for a chronic disease
  • When a pregnant passenger requests to board a flight within 28 days of expected delivery date

Where a customer requests a special inflight meal, etc., data may be processed that is not sensitive personal data but may indicate a customer's religious beliefs or state of health.
Customers have the right to withdraw consent for the processing of sensitive personal data. Customers wishing to withdraw consent should contact the location where he or she applied for the service. It may not be possible to provide all or some services if consent is withdrawn.

5. Refusal to Provide Personal Data

The provision of personal data on customers is necessary for customers to be provided with services by JAL Group Airlines (air transportation services, JAL Mileage Bank services, etc.). JAL Group Airlines may not be able to provide a service in whole or in part if personal data is not provided.

6. Legitimate Interests of JAL Group Airlines

JAL Group Airlines have a legitimate business interest in the use of personal data they collect to provide effective services and to perform the operations as airline companies.

7. Disclosure and Provision of Personal Data to other Companies

  1. JAL Group Airlines disclose and provide customers' personal data to JAL Group companies to achieve the purposes stated in "3. Purpose and Legal Basis for Processing Personal Data".
    Refer to the following website for details on group companies. *1
  2. Customers' data may be disclosed or provided to partner airlines or companies entrusted with ground handling and check-in operations to provide air transportation services such as when using code share flights or connecting flights, and to achieve purposes such as mileage accumulation.
  3. Where customers have made reservations via a travel agent, customer data is disclosed and provided to such travel agent in relation to the reservation.
  4. Customers' data is transmitted to a server operated by Amadeus, a company in Germany that manages the passenger service system used by JAL Group Airlines.
  5. JAL Group Airlines may conduct surveys relating to their services, etc. using an external web service. When a customer answers a survey, some personal data on customers is disclosed or provided to the operator that provides the web service. When requesting a response to a survey JAL Group Airlines indicate the name of the operator and matters concerning the processing of personal data by the operator.
  6. JAL Group Airlines uses Google Analytics, a web analytics service provided by Google, Inc. (hereinafter referred to as "Google") on their websites to grasp the situation surrounding access to the sites. Cookies, web beacons, and other similar technology may be used to provide services. Cookies and web beacons, etc. are used to statistically analyze anonymous information and, as part of membership services, etc. may also be used to associate information that identifies customers so as to provide more customized services. JAL Group Airlines use user attribute and interest category reporting functions that respond to Google's advertising functions. Customers can opt-out of these (suspend functions) at their discretion
    Visit the following sites for an explanation of how to opt-out: *2 *3
  7. Where JMB member customers request exchange of awards, etc., customer data necessary to provide awards (address, etc.) is disclosed and provided to related corporations (award providers, delivery companies, etc.).
  8. Where required by law, customer data relating to reservations and itineraries (including passport, visa, and API data) may be submitted to the customs authorities or immigration bureaus in the customers' countries to be flown from, into or over, or in countries of transit and transfer.
  9. Customers' personal data may be disclosed or provided to authorities or recipients specified in laws and regulations where necessary to comply with EU law or the laws and regulations of members of the EU/EEA.

*1

*2

*3

8. Transfer of Personal Data to Non-EU Third Countries

JAL Group Airlines may transfer customers' personal data from within the EU/EEA to non-EU/EEA countries and regions where there are JAL Group Airlines establishments or airports serviced by JAL Group Airlines in order to achieve the purposes stated in "3. Purpose and Legal Basis for Processing Personal Data".
In such case, except when the European Commission determines that the country or region has secured data protection at an adequate level, in principle, customers' personal data is transferred after executing standard data protection clauses as an appropriate protection measure in accordance with the provisions of the GDPR and the laws and regulations of EU/EEA member states.
Contact the inquiries section stated in "12. Inquiries" with questions, etc. regarding the above stated protection measures.

9. Management of Personal Data

JAL Group Airlines retain customers' personal data for the period necessary to achieve the purposes stated in "3. Purpose and Legal Basis for Processing Personal Data". Records concerning boarding by customers, such as reservations records and ticket information, are normally retained after boarding for a maximum of three years.
For a JMB member, data is retained as membership data for a maximum 10 years after withdrawing membership, in addition to the period as a member. Furthermore, records concerning contracts and invoices are retained for the period necessary to meet legal obligations. If it is necessary for the establishment, exercise or defense of legal claims, we may keep personal data for a longer period.
Data collected during communication with customers (customer service records, records of e-mails received, etc.) is retained for the period necessary to provide even better services to customers.
Access logs, etc. recorded when the JAL website is accessed are retained for the period necessary for analysis by JAL.

10. How to Request Disclosure, etc. and Make Inquiries

When a data subject or his or her representative makes a request concerning personal data retained by JAL Group Airlines, the Company shall respond as follows in accordance with GDPR:

  • Disclosure
    The Company discloses retained personal data that identifies the data subject. (The Company will inform the data subject to such effect if there is no retained personal data that identifies the data subject.) However, where corresponding to any of the following, the Company may notify the data subject of the reason and refuse to disclose data in whole or in part.
  1. Where the data subject's or a third party's life, health, property, or other rights or interests are likely to be harmed
  2. Where the proper implementation of JAL Group Airlines' operations are likely to be hindered
  3. Where disclosure will violate laws and regulations
  • Rectification
    Where requested to rectify or make additions (hereinafter referred to as "Rectification, etc.") to retained personal data due to the retained personal data that identifies the data subject being incorrect, unless special procedures are specified in the provisions of laws and regulations regarding the Rectification, etc. of such details, the Company shall conduct necessary investigations without delay within the scope necessary to achieve purpose of processing. The Company shall give notice of details without delay when all or a part of the retained personal data is Rectified, etc. as a result. The data subject shall be notified of such effect, outlining the grounds, if a decision is made not to carry out Rectification, etc.
  • Erasure
    Where requested to erase retained personal data that identifies the data subject, the Company shall conduct necessary checks without delay such as where personal data is necessary in light of the purpose of processing. The Company shall notify of details without delay when all or a part of the retained personal data is erased as a result. The data subject shall be notified of such effect, outlining the grounds, if a decision is made not to carry out erasure.
  • Suspension of Use, etc.
    Where requested to suspend use, erase, or suspend provision to a third party (hereinafter referred to as "Suspension of Use, etc.") of retained personal data, and when there is discovered to be grounds for such a request, the Company shall Suspend Use, etc. of such retained personal data without delay, to the extent necessary; provided, however, that where Suspension of Use, etc. of such retained personal data requires a considerable expense, or where Suspension of Use, etc. is otherwise difficult, the Company may substitute Suspension of Use, etc. with alternative measures necessary to protect the rights and interest of the data subject. The Company shall notify the data subject of such effect without delay when it has Suspended Use, etc. of all or a part of the retained personal data. The data subject shall be notified to such effect, outlining the grounds, if a decision is made not to carry out Suspension of Use, etc.
  • Data Portability
    Where legal requirements are fulfilled, the Company shall provide personal data provided by data subjects that has been structured, generally used, and is in a machine readable format. Furthermore, where technically possible, personal data provided by data subjects shall be transmitted to other data controllers. The data subject shall be notified to such effect, outlining the grounds, if a decision is made not to provide or transmit personal data.

Procedure for Making Requests

Send the applicable request form (*1) and the necessary documentation (*2) (when requesting “disclosure” or “data portability”) to the following address:

Personal Information Handling Desk
Japan Airlines Co., Ltd.
2-4-11 Higashishinagawa,
Shinagawa-ku, Tokyo, 140-8637

*1 Download an application form from one of the following links:

*2 Necessary documentation

Attach the following documents to confirm the identity of the data subject. Where requests are made by a representative, attach documents to confirm the identity of the representative together with documents to confirm the right to represent.

[Data Subject Identify Confirmation Documents] (Where requests are made by a representative, attach documents concerning the representative)
A copy of a driver's license, passport, health insurance card, or any other document issued by a public agency that can used to confirm the identity customer

[Address Confirmation Documents]
Where the above document (from a government or public office) does not include an address, in order to confirm the addressee, attach a document issued by a public agency that indicates a current address (issued within three months of making the request).

[Right of Representation Confirmation Documents]
Parental Authority:

Document that confirms the representative has parental authority

Guardian of Adult:

Document that confirms the representative is a guardian of an adult

Statutory Agent:

Document that proves the representative is a statutory agent

Voluntary Representative:

Letter of proxy (signed by data subject)

In the case of requests from voluntary representatives, the Company may confirm delegation with the data subject or directly disclose, etc. personal data to the data subject.

11. Complaints Concerning Personal Data

  1. Customers have the right to lodge an objection to the processing of their personal data retained by JAL Group Airlines if legal requirements are fulfilled concerning a particular situation. Where an objection is lodged and such objection fulfills legal requirements, JAL Group Airlines shall delete or suspend use of retained personal data in whole or in part, and notify the data subject to such effect without delay.
    Where objections are lodged regarding direct marketing, JAL Group Airlines shall promptly suspend such direct marketing and notify the data subject to such effect without delay.
    The data subject shall be notified to such effect, outlining the grounds, if a decision is made not to carry out Suspension of Use, etc. due to the lodging of an objection.
  2. Customers have the right to make complaints concerning the processing of their personal data, against the EU/EEA member country in which the customer lives or works, or EU/EEA member countries' supervisory authorities that have engaged in illegal conduct. Contact each supervisory authority concerning specific complaint procedures, etc.

12. Inquiries

If you have any inquiries regarding "JAL Group Airlines: Processing of Personal Data in GDPR", please send your letter to the following address:

Personal Information Handling Desk
Japan Airlines Co., Ltd.
2-4-11 Higashishinagawa,
Shinagawa-ku, Tokyo, 140-8637