Royal Schiphol Group Privacy Statement: Privacy
Welcome to Amsterdam Airport Schiphol, where each day thousands of travellers arrive and depart, where retailers welcome shoppers and which is the location of a wide range of enterprises. At Schiphol Nederland B.V. (‘Schiphol’), we take pride in making everyone feel welcome and safe. And protecting your privacy is an important part of this. This privacy statement offers you a transparent and accessible overview of how Schiphol treats your personal data. This privacy statement sets out which personal data we collect, how long we retain this data and which rights you can exercise.
Many people believe that we at Schiphol collect more information about you than is actually the case. There are also other enterprises located at Schiphol that process your personal data, such as the Royal Netherlands Marechaussee, Dutch Customs, airlines and the operators of retail units and catering establishments. As a rule, Amsterdam Airport Schiphol does not have access to the personal data they process. If you want to know how they treat your personal data, please consult the websites of these organisations.
In this privacy statement, we describe for each service that Schiphol offers the personal data that we process, why we do this and how long we retain those data.
With this Privacy Statement, Schiphol wants to offer transparency on how Schiphol treats your personal data and for what purposes these data are used. This Privacy Statement applies to all processing of personal data by or on behalf of Schiphol and its subsidiaries at the Schiphol location (Schiphol Nederland B.V., Schiphol Real Estate B.V. and Schiphol Telematics B.V.).
This Privacy Statement does not apply to data processing by other organisations based at Amsterdam Airport Schiphol, such as airlines, ground handlers, lessees, operators of shops and catering outlets at Schiphol, security companies, the Royal Netherlands Marechaussee and Customs. Schiphol has no access to this data processing by third parties or to the data involved, and is not the controller for it. We refer to the privacy statements of those organisations for more information on the way in which they treat personal data.
For what purposes does Schiphol process your data?
Prior to processing, Schiphol determines the purpose of the processing and the legal basis on the grounds of which we process the data.
The purposes for and bases on which Schiphol processes personal data are:
1. To implement statutory regulations and tasks in the public interest
There are a number of legal obligations that require personal details to be processed to comply with that obligation.
The safety of all visitors and Schiphol staff is paramount to us. Personal data that may be processed for that purpose include, for instance, camera images that are recorded in the terminal. The camera images are removed after 28 days, unless there are good reasons for storing the images for a longer period, for example for an investigation of an incident.
Civil aviation security
Since 1 April 2003, the government has tasked Schiphol with carrying out preventative security checks on passengers and baggage. Schiphol has outsourced the implementation of those tasks to security companies. Final responsibility for these security checks lies with the Minister of Security and Justice and the Royal Netherlands Marechaussee. In performing its task as the operator of the airport, Schiphol processes personal data for civil aviation security purposes, such as for access control purposes. Schiphol processes this data in a number of ways as described below.
Schiphol has to verify that access to the area behind the security checkpoints is only granted to passengers that depart the same day. For this purpose, Schiphol checks boarding pass data that are processed at the security checkpoints (Self Service Boarding Pass control). Those data are only processed, not stored.
Airport employees working in the area behind the security checkpoints are granted access to that area only by a special Schiphol ID, the Schiphol Pass. The Schiphol Pass is one of the controls to prevent the risk of unauthorized access of persons and vehicles to the security areas. Schiphol has to comply with the relevant (inter)national (security) legislation in order to perform its tasks with regard to the security of civil aviation.
Personal data are processed in the context of the provision of a Schiphol Pass to persons who obtain a valid certificate of no objection from the Security Screening Office of the Ministry of the Interior and Kingdom Relations.
The processing of personal data is necessary for the registration and issuance of passes granting access to the protected and secured areas that are regulated by the access control system. Access control is carried out via controlled passageways in combination with a valid Schiphol Pass, in accordance with the requirements of Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security, Article 4, paragraph 1.2.
The Schiphol Passes (for persons as well as for vehicles) have been designed in accordance with the requirements set out in the National Civil Aviation Security Programme.
With respect to the Schiphol Pass, Schiphol processes the following personal data: name, address, date and place of birth, nationality, sex, photo, employee number (optional), name and contact details of the employer (address, email, telephone number). In addition, a template of the pass user's iris scan will be stored on the pass itself. These personal data will be stored for a period of 5 years after the moment that the Schiphol Pass has been returned, unless there are valid reasons for storing the personal data for a longer period, for example for an investigation of an incident.
2. Supply of services to customers and passengers
Schiphol uses the following personal data for the performance of parking agreements that Schiphol enters into with customers via its website or app: name and address details, arrival date/arrival time, departure date/departure time, email address, flight numbers, vehicle registration number, payment details such as a credit card number (last four digits), purpose of travel, choice of parking product, Privium ID (if applicable) and, in case of reservation of a Valet-service, the colour, brand and type of vehicle. A retention period of two years after the booking has been established for these personal data.
Schiphol enters into parking agreements in a number of ways. For example, parking spaces can be reserved via the website, by telephone, via a voucher or at a kiosk. Furthermore, Secure Valet Parking Schiphol offers parking facilities and we have special parking spaces for staff.
We process personal data not only when performing parking agreements but also for matters directly related to parking agreements, such as complaints handling, customer service, parking space security and payment refunds. Depending on the parking product purchased, we may process the following data.
- Name and address details: First and last names/address (street name, house number, postcode, town/city)/email address/telephone number/date of birth;
- Flight information:
Arrival date/arrival time/departure date/departure time/flight number(s);
- Vehicle information:
Vehicle registration number/colour, model, vehicle type (National Vehicle and Driving Licence Registration Authority);
- Financial information:
Last four digits of credit card used/payment ID/name of account holder/international bank account number (IBAN)/bank identification code (BIC)/VAT number;
- Customer and transaction information:
Privium ID/reservation number/company name/Card number (subscription)/entry date/time/employee number/subscription type/employer/Schiphol Pass/parking pass number;
- Other data:
Schiphol also processes the data of Privium members that are required to perform the Privium services. These data are removed two years after the end of the Privium participation agreement. Click here for the Privium Privacy Statement.
After explicitly agreeing to the terms and conditions, visitors to Schiphol may use the Wi-Fi network (via Schiphol Telematics B.V.) as a free or paid service. In order to activate this service, Schiphol processes the MAC address of the device and/or the usernames and/or certificates used. In addition, for activating the paid service, Schiphol processes your name, email address, credit card number or PayPal username. If you make use of the free Wi-Fi network, your data are immediately deleted after the session is ended. If you make use of the paid network, your data are stored for the period of validity of the purchased Internet period (for example, 24 hours).
We also use Wi-Fi data for marketing purposes, though this data is aggregated and consequently cannot be traced back to individuals. For example, we use Wi-Fi data to measure how many people have seen advertising at Schiphol.
A retention period of no more than two years applies to this data. We retain the data which demonstrates that customers have given their consent to receive marketing messages or emails in this regard for a period of five years. Personal data used for financial purposes (e.g. invoices) is subject to a retention period of seven years.
It is possible to apply for a voucher via the website with which you can obtain discounts on products. If you apply for this voucher via the website, the personal data you provide when doing so are collected in order to send you the voucher and, if you have given your consent for this, to provide you with further information on products and services of Schiphol. The collected data is deleted two years after being collected.
Product and service improvement
Schiphol processes your personal data in order to improve our services and to keep you informed about the services and products you purchase or may purchase from us, as explained in further detail in this Privacy Statement, unless you have objected to this use of your data.
If you are a Schiphol customer, and you have given your consent for this, we combine information we obtain when you purchase one or more products or services from us, such as Schiphol Parking, Privium and See Buy Fly. We do this for administrative purposes and in order to gain a complete overview of the products and services you have purchased from Schiphol. In turn, this will allow us to provide you with better service if you contact us, and to offer you other products and services that may be personally relevant.
3. Implementation and analysis of company processes and systems
Schiphol processes personal data to optimise its business processes, such as the baggage process and the passenger process.
For the routing, sorting and screening of baggage, Schiphol processes, for each item of baggage, the passenger name, the barcode of the suitcase and (if applicable) the passenger’s Frequent Flyer number. These data are retained for seven days after the departure of the flight.
For security purposes and to ensure that your journey via Schiphol is as pleasant as possible, we track how many passengers are at Schiphol to allow us to give you information on expected peaks and waiting times. In the terminal we use a Wi-Fi and Bluetooth tracking system for this. Apart from tracking the number of passengers, we can use Wi-Fi data to identify pedestrian traffic routes (and thus prevent congestion) and to increase the efficiency of our processes (creating and indicating alternative routes). As indicated above under ‘marketing’, we also collect aggregated Wi-Fi data (which cannot be traced back to individuals) for marketing purposes.
You are of course always free to switch off your Wi-Fi and Bluetooth. Schiphol uses sensors to trace Bluetooth and Wi-Fi signals. A device (mobile telephone, laptop, etc.) can be identified by its unique ‘MAC address’. This MAC address does not link to individual user data, and therefore no personal data is compromised. A detailed technical description of the measures that Schiphol takes to safeguard your privacy in this connection is available here (in English). A summary of this is provided below.
Immediately after it has been detected, each MAC address is converted into a unique code by means of hashing. The original data are destroyed immediately and permanently, and can therefore not be ‘retrieved’, for instance in connection with a request for access. The unique code is also hashed by means of a ‘salt’ (data added randomly) that is unique per 24 hours. This enables us to track travel patterns of unique devices at the terminal of Schiphol within a single time-frame of 24 hours, but never for longer. The hashed data are stored for a maximum of three years after which they are destroyed.
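The two-step scheme summarised above (hash the MAC address, then hash that code with a salt that changes every 24 hours), as an added Python example that is not Schiphol's own code. The statement does not name its algorithms, so SHA-256, HMAC, a UTC day boundary and an in-memory salt are assumptions, and the MAC address and dates are constructed sample values.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


def normalize_mac(mac: str) -> bytes:
    """Return the 6 raw bytes of a MAC written with ':' or '-' separators."""
    hex_digits = mac.replace(":", "").replace("-", "").lower()
    if len(hex_digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hex_digits)


def unsalted_code(mac: str) -> str:
    """Step 1: plain hash of the MAC (SHA-256 assumed).

    This code is identical on every day, so on its own it would let a
    device be followed indefinitely. Step 2 is what limits the window.
    """
    return hashlib.sha256(normalize_mac(mac)).hexdigest()


class DailySaltPseudonymizer:
    """Step 2: key the code with a random salt that exists for one UTC day."""

    def __init__(self):
        self._day = None
        self._salt = None

    def _salt_for(self, when: datetime) -> bytes:
        # 'when' must be timezone-aware so the day boundary is unambiguous.
        day = when.astimezone(timezone.utc).date()
        if self._day is None or day > self._day:
            # New 24-hour window: the old salt is overwritten and never
            # persisted, so earlier tokens cannot be recomputed or linked.
            self._day, self._salt = day, secrets.token_bytes(32)
        elif day < self._day:
            # A late sighting from an earlier window cannot be tokenised.
            raise ValueError("salt for that day has already been destroyed")
        return self._salt

    def token(self, mac: str, when: datetime) -> str:
        code = bytes.fromhex(unsalted_code(mac))
        return hmac.new(self._salt_for(when), code, hashlib.sha256).hexdigest()


def demo():
    """Return (same_within_day, same_across_days) for one constructed device."""
    p = DailySaltPseudonymizer()
    mac = "02:00:00:aa:bb:cc"  # constructed, locally administered address
    morning = datetime(2018, 8, 3, 8, 0, tzinfo=timezone.utc)
    evening = datetime(2018, 8, 3, 21, 30, tzinfo=timezone.utc)
    next_day = datetime(2018, 8, 4, 8, 0, tzinfo=timezone.utc)
    a = p.token(mac, morning)
    b = p.token("02-00-00-AA-BB-CC", evening)  # same device, other notation
    c = p.token(mac, next_day)
    return a == b, a == c


if __name__ == "__main__":
    print(demo())
```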
Schiphol also uses camera images for crowd management; the purpose is to gain insight into the number of people in queues, the density of people in spaces and the occupation of desks. That information can also be used to provide predictions with regard to the numbers of passengers/visitors and therefore also waiting and processing times. These camera images are stored for a maximum of 28 days after which they are destroyed.
4. Operation of Schiphol online services such as its website, app and social media
General data on website visits, such as the most frequently requested pages, are tracked on Schiphol's website without identifying visitors. The purpose is to be able to adapt the design of our website as much as possible to visitors' requirements. These data can also be used to place more targeted information on the site. This enables Schiphol to further optimise the services we offer to you via the website.
If you sign up for our electronic newsletter, you thereby give us your consent to use your email address to send you the newsletter. If you have also given explicit consent for receiving other information such as offers and questionnaires, we will send those to you as well. You can always unsubscribe from this via the link at the bottom of the newsletter page of every newsletter.
The Schiphol web server automatically collects IP addresses. Your IP address is a number with which computers on the network can identify your computer, so that data (such as internet pages) can be sent to your computer. We use IP addresses to manage the website and to ensure it is as relevant as possible.
During your visit to the Schiphol website, our systems will create and consult cookies. A cookie is a compact piece of information which is stored on your computer. Most browsers accept cookies; however, it is generally possible to change the settings of a browser so that it no longer accepts cookies. Read more here about the use of the various types of cookies by Schiphol, and how you can accept or refuse them.
Our social media channels provide the latest news, information, offers and useful facts about Schiphol. These channels are an easy way to contact Schiphol, participate in discussions, respond to posted content or take action in some other way. We are always happy to exchange ideas with you and receive your opinion on Schiphol and its services. Engaging with customers like this allows us to continually improve our service. We request that you do not place privacy-sensitive information about yourself or others (e.g. email address, name, address, telephone number) on these channels, but that you share your information with us via a private message if necessary. Schiphol will only use the data shared by you to answer your question and to improve its customer service (for instance, by means of anonymised Q&As that can be modified by input from customers). Schiphol may remove publicly shared privacy-sensitive data.
Schiphol offers services via the Schiphol app. Your data can be used for location determination and route planning / navigation at Schiphol, provided you have given explicit consent for this.
Schiphol uses Google Analytics to calculate website statistics, such as the number of unique visitors, sessions and campaign data. This information is not shared with third parties and the IP address is anonymised.
5. Recruitment and selection
Schiphol only uses applicants' personal data for recruitment and selection purposes. Unless required by law, Schiphol will not provide these data to other persons or bodies outside Schiphol without the applicant's prior consent. Applicants' data will be deleted no later than four weeks after the application procedure has ended, unless the personal data are retained, with the applicant's consent, for one year after the end of the application procedure with a view to possible future vacancies.
6. Maintaining customer relationships
Schiphol Real Estate B.V. lets and manages office space at Amsterdam Airport Schiphol. In connection with the performance of the lease contract and for maintaining the customer relationship, Schiphol Real Estate processes contact details of contacts of its lessees.
Schiphol has a CRM system in which it processes contact details for maintaining the customer relationship with the contacts of its customers, such as airlines, ground handlers, forwarders, customers of telecommunication services, travel organisations and travel agents. The purpose is to inform these organisations and persons about the Schiphol products and services and/or to invite them to meetings and events. These data are not used for the purposes of sales.
Data protection and storage
Schiphol does everything within its power to protect your personal data against loss and unauthorised use. All Schiphol employees who have access to personal data as part of their work are required to maintain confidentiality. Your data will only be supplied to parties outside Schiphol if this is necessary for the performance of the aforementioned purposes. Schiphol has agreed in a data processing agreement with Schiphol partners who are responsible for performing certain services or parts thereof that they will also do everything within their power to protect the personal data and that they will comply with the provisions of the GDPR.
If a data leak occurs despite the measures referred to above, we will naturally handle it in accordance with the rules. If you yourself believe or suspect that there is a data leak, we ask you to report this as soon as possible via firstname.lastname@example.org.
Schiphol will endeavour to ensure that processed personal data are accurate and precise. Moreover, Schiphol will not process more personal data than necessary, and will store them for no longer than is necessary for the purposes for which they were collected. Schiphol has defined/will define a suitable retention period for the various processing operations of personal data.
If your personal data have been collected by Schiphol, you have the right to request access to or rectification or removal of these data. You may also request us to transfer the data to another party or request that these data be processed only to a limited extent. Furthermore, you may object to the processing of these data.
In specific situations, Schiphol is not obliged to act on a request of a data subject based on those rights, namely if imposing restrictions on the rights of the data subjects is necessary to safeguard, for instance: national or public security; the prevention, investigation, detection and prosecution of criminal offences; or if this is necessary to safeguard the rights or freedoms of others.
In addition, you may also object to the processing of these data.
Below, you will find further explanation regarding the rights you have as a data subject:
Right of access
You have the right to obtain from Schiphol confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
e) the existence of the right to request rectification or erasure of personal data, or restriction of processing of personal data concerning you, or to object to such processing;
f) the right to lodge a complaint with the Dutch Data Protection Authority;
g) where the personal data are not collected from you, any available information as to the source of that personal data;
h) the existence of automated decision-making, including ‘profiling’, if applicable.
Right to rectification
You have the right to obtain from Schiphol without undue delay the rectification of inaccurate personal data concerning you or – taking into account the purposes of the processing – to have incomplete personal data completed.
Right to be forgotten
You have the right to obtain the erasure of personal data concerning you and Schiphol has the obligation to erase those personal data where, for instance, one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
c) the personal data have been unlawfully processed;
Right to restriction of processing:
You have the right to request restriction of processing where one of the following applies:
a) you contest the accuracy of the personal data;
b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
c) Schiphol no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
d) you have objected to processing (pursuant to Article 21 (1) of the GDPR) pending the verification whether the legitimate grounds of Schiphol override your own.
Right to data portability:
You have the right, under certain circumstances and solely where technically feasible, to receive the personal data concerning you, which you have provided to Schiphol, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller.
Right to object:
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, including profiling based on those provisions.
Data Protection Officer
Schiphol has appointed a Data Protection Officer (DPO), who verifies whether Schiphol processes personal data in accordance with the GDPR.
If you have any questions about your data or the way in which we treat your privacy, or if you want to exercise the rights referred to above, you can fill in the web form below or send an email to the DPO via email@example.com. As soon as possible after receipt of your request, we will inform you about the handling of your request.
If you are dissatisfied with the way in which we treat your privacy and/or the rights referred to above, you can file a complaint with the Dutch Data Protection Authority.
The recipients of your data
The following persons and/or institutions may receive your personal data:
a) anyone at Schiphol who is responsible for carrying out or supervising tasks related to the processing of your personal data or anyone involved in this;
b) processors and subprocessors contracted by Schiphol to perform certain tasks relating to the processing of your personal data;
c) (other) controllers who use your personal data for purposes of their own and inform you of this, such as airlines;
d) within the scope of the automatic border passage, the Royal Netherlands Marechaussee insofar as that is necessary for the performance of its duties;
e) government bodies, such as the police and judicial authorities, insofar as this is necessary to comply with statutory obligations;
Transfer of data to countries outside the EU
In certain cases, Schiphol transfers personal data to countries outside the EU, but ensures that this takes place in accordance with the relevant legal requirements, e.g. using EU model contract conditions.
Schiphol reserves the right to revise its privacy statement from time to time. This may be the result of changed policy, changes in data processing or changes in the systems with which Schiphol processes data. This is a continuous process. The most recent version of the Privacy Statement is always available on our website, and we advise you to check it regularly.
This version was drawn up on 3 August 2018.
Royal Schiphol Group
P.O. Box 7501
1118 ZG Schiphol
Evert van de Beekstraat 202
1118 CP Schiphol
Privacy Statement for Schiphol Assist
Schiphol Nederland B.V. (“Schiphol”) aims to be as transparent as possible with regard to your privacy. This Privacy Statement details how Schiphol uses your personal data, and how this data will be processed as part of the Schiphol Assist project.
Why we process your personal information
The goal of the Schiphol Assist project is to have direct contact with travellers at Schiphol, and to meet their needs quickly. The starting point is providing personal help to the traveller/visitor to Schiphol.
Engagement of third-party services
Existing social media services like Facebook, Twitter and WhatsApp are used in order to actively communicate with travellers. We would like to draw your attention to the following points:
- Data will only be processed using Facebook, WhatsApp and Twitter’s services to register users and send messages. Your account data will not be stored or processed by Schiphol
- Schiphol will only process your information and personal data for reports and user analysis purposes
- Information and personal data received by Schiphol will be removed daily.
We will ask for your permission to use the service. To withdraw your permission at any time, please email firstname.lastname@example.org. If you withdraw your consent, we will stop processing your personal data immediately; however, please note that this is not retrospective and does not apply to use of your personal data prior to withdrawal.
You may request to access, change or delete the personal data held about you by Schiphol at any time – for instance, if you want to know what information Schiphol has about you and the purposes for which it is processed. You also have the option to oppose our processing of your personal data by emailing email@example.com.