Data processing: Shopping

Which personal or other data do we process?
Schiphol offers space and facilities to various retailers. These retailers are controllers of the data they process about you. Schiphol does not play a role in this.

You can order products via the Click & Collect webshop and pick them up on the day of your departure. For more information about this, read the privacy statement regarding Click & Collect.

When making purchases in the terminal, your boarding pass will most likely be scanned.
Reason for this is that retailers need to know whether they need to pay taxes. In case your destination is outside EU, your purchase is tax-free. This means that the retailer does not have to pay taxes. On each receipt the (possible) tax is indicated. This is needed in case of any check by Customs.

When your boarding pass is scanned, the flight number, flight route and travel class is processed. With this information the retailer can define to which destination you fly. Flight number, destination and a unique anonymous code (combination of boarding card info and key that is unknown to Schiphol) are shared with Schiphol, jointly with some details about your purchase (shop, till id, articles and amount).

Schiphol cannot use this information to trace your identity.

Why do we process your (personal) data?
The retail units send the till data to Schiphol so that we can identity which products sell well and which do not. We use this information to optimise the services offered in the retail units. We therefore have a legitimate interest in processing these data.

How long do we retain your details?
The (anonymous) till data is processed for analytical purposes with no retention.

Who do we share your data with?
The retail units themselves have access to the data regarding the purchases made at their establishments, such as date and time of the purchase of specific items. Schiphol does not have insight in for example payment information, loyalty card information, etc. This information is processed and managed by the retailer.

Furthermore, we only share data with retailers at Schiphol that cannot be traced to a single individual.

Who is the controller?
The retail units at Schiphol are responsible for the data they share. Schiphol Nederland B.V. does not process personal data.

Processing personal data outside the European Union

Schiphol processes personal data as much as possible within the European Union. Schiphol may engage a processor who delivers IT services whereby data are processed in countries outside the European Union, including the United States of America or India. We do this only in a manner that complies with the requirements of the General Data Protection Regulation.

Which rights do you have?

Access to, amendment and deletion of your personal data
You have the right to know what personal data on you are processed by Schiphol. If we have not obtained the data directly from you, you also have the right to know from what source they derive and to receive a copy thereof.

If your personal data prove to be incorrect, you can ask us to amend your data. You can also request us to delete personal data and to discontinue their use. If we process your personal data on the basis of your consent, and there is no other legal basis for the processing, you have the right to withdraw that consent and we will comply with your request to delete them. In some cases, we may refuse your request.

Restriction of processing and right to transfer your data
If in your opinion we are not processing your data in a correct manner, you can request a restriction of the processing.

You can also ask us to transfer your digital personal data to you or to another party in a readable and usable form.

Lodging an objection
Besides requesting deletion or restriction of the processing, you can also object to the processing of personal data by Schiphol. First, you can do so if you do not agree to Schiphol using your personal data for direct marketing (for instance by profiling).

Second, you can object to the use of your personal data owing to your specific situation. If you lodge an objection, we will in principle temporarily discontinue or restrict the processing. If your objection is accepted, we will definitively discontinue or restrict the processing.

Your request and our response
If you have a question, a request or if you wish to lodge an objection, email our Data Protection Officer (DPO) via dpo@schiphol.nl. We will do our utmost to respond to your request in a timely manner.

We may ask you to send us a copy of a valid ID if this is necessary in order to confirm your identity.

If any part of your request is unclear to us, we may ask you to specify your request and/or to supplement it, to enable us to provide you with the best possible service.

Whose privacy statement is this and how can you contact us?

Who is the controller?
This privacy statement is issued by Schiphol Nederland B.V. Our contact details:

Schiphol Nederland B.V.
P.O. Box 7501
1118 ZG Schiphol

How to contact our Data Protection Officer (DPO)
Schiphol has a Data Protection Officer (DPO) for all your questions concerning privacy. The DPO also provides advice to us and monitors compliance with the privacy laws and regulations by Schiphol.

Do you have any questions or requests concerning your data? If so, you can send an email to the DPO via dpo@schiphol.nl or send a letter to our postal address, for the attention of the Data Protection Officer. Together with your request, please provide your name, address, email address and telephone number.

How to lodge a complaint with the Dutch Data Protection Authority

If you are dissatisfied with the way in which we treat your privacy or handle your request or objection, you can file a complaint with the Dutch Data Protection Authority.

Where can you find the latest version of this privacy statement?

If necessary, we will update this privacy statement. This may be due to changes in policies, changes in the data processing operations or changes in the systems we use to process data.

This version was issued 12 September 2024.