Privacy Statement

Version: August 2024

Security is the top priority for SWISS, and this includes the security of your personal data. In this Privacy Statement, we inform you of how and why we collect, process and use personal data. This information is particularly intended for:

• users of our websites and apps
• passengers
• individuals who use or may be interested in our services
• contacts at our business customers and partners
• individuals who contact us
• recipients of our newsletters, personalised offers, and other marketing communications and activities
• participants in research campaigns, customer panels, and customer satisfaction and opinion surveys
• participants in events
• visitors of our company locations.

Please note that there is additional information on specific data processing (such as our ​Cookie Policy, the ​Travel ID Privacy Statement, the ​SWISS World Cargo Privacy Statement, etc.). We also often provide you with the relevant information wherever we collect your personal data. Please also consult the contractual conditions for individual services for passengers, particularly our ​General Conditions on Carriage.

We have based this Privacy Statement on both the Swiss Data Protection Act and the European Union’s General Data Protection Regulation (GDPR). Whether these and/or other data protection laws apply depends on the individual case.

If you provide us with data about other persons (e.g. family members or friends for joint bookings), we assume that you are authorised to do so and that the data is correct. Please ensure that the persons concerned have been informed about this Privacy Statement.

1. ​Data Controller
2. ​Contact
3. ​Sources of personal data
4. ​Main purposes and legal bases for processing
5. ​Specific use cases, their purposes, legal bases and further details
6. ​​Legal bases according to the GDPR
7. ​Data disclosures
8. ​​​Transfer of personal data to countries outside Switzerland and the European Economic Area
9. ​Retention of personal data
10. ​Profiling, artificial intelligence and automated decision-making with legal effect
11. Data security
12. ​Your rights regarding your personal data
13. ​​Changes to our Privacy Statement

Unless indicated otherwise, the data controller described in this Privacy Statement is:

Swiss International Air Lines AG
Malzgasse 15
CH-4052 Basel
Switzerland

Website: ​www.swiss.com

(hereinafter “SWISS”, “we”, or “us”)

Our EU Representative pursuant to Art. 27 GDPR is:

Swiss International Air Lines AG Frankfurt Branch
Cargo City Süd 558 c
D-60549 Frankfurt am Main
Germany.

To exercise your data protection rights described in Section 12, please use our contact form for data subject rights.

If you have general questions or concerns regarding this Privacy Statement, you can contact our Data Protection Officer and team at the following address:

Swiss International Air Lines AG
Data Protection Officer
ZRHS/CJ
PO Box
8058 Zurich Airport
Switzerland

dataprotection@swiss.com

Enquiries not related to data protection, such as requests or feedback on individual bookings or services, will not be answered or forwarded by our Data Protection Team. Please visit our Service Centre and use the appropriate contact form, or reach out to your SWISS contact if you are representing a business partner.

You often disclose personal data to us yourself, for instance, when you send us data or communicate with us. The provision of personal data is voluntary in most cases, which means that you are generally not obliged to disclose your personal data to us. However, we do have to collect and process the personal data that is required for processing contractual relationships and fulfilling associated obligations or that is prescribed by law, as we would otherwise be unable to conclude or continue the contract in question. For example, you need to provide us with information that we are bound to transfer to local or foreign authorities so that we are allowed to carry you to your flight destination (see also Section ​4.4).

We may also collect personal data about you ourselves or automatically, such as when you book a flight or use other offers. This may be technical data about your device, the transaction or your behaviour. For example, we can analyse the data collected during the booking process and, on this basis, make assumptions about your personal interests, preferences, affinities and habits. This enables us, for instance, to tailor our offers and information to your individual needs and interests (see also Section ​10).

We may also receive personal data from other Lufthansa Group companies. See Section ​4.7 for more information. We may also receive information about you from third parties, for instance, from companies with which we cooperate, persons who communicate with us or public sources.

For example, we may receive information about you from the following third parties:

• cooperation partners, e.g. partners in a frequent flyer programme such as Miles & More or PartnerPlusBenefit
• persons who act on your behalf (family members, legal representatives)
• travel service providers you use
• banks, insurance companies, distribution partners and other contractual partners for payments
• providers of online services, e.g. providers of Internet analysis services
• information services for compliance with statutory requirements such as export restrictions
• authorities, parties and other third parties in connection with official and judicial proceedings
• public registers such as the debt collection or commercial register, from public offices, from the media or from the Internet.

In short, we process personal data for the following purposes:

• Processing of contracts, for example, the processing necessary for the operation of your flight and provision of other services (Section ​4.1)
• Information and marketing (Section ​4.2)
• Market research and product development (Section ​4.3)
• Compliance with legal requirements (Section ​4.4)
• Security (Section ​4.5)
• Protection of rights (Section ​4.6)
• Administration and support within the Lufthansa Group (Section ​4.7)
• Specific use cases (as described in Section ​5).

We process personal data in connection with the initiation, administration and processing of contractual relationships. Contract processing also includes any agreed personalisation of services.

For example, a contract exists when:

• you book a flight or other services
• you use our apps or other online services
• you use Travel ID
• you book SWISS WorldCargo services for the company you work for, or
• you or the company you work for have concluded another contract with us.

If you are a passenger, we process the data you provide us with when you book a flight and other services to fulfil the contract of carriage and the respective service contracts. The necessary and voluntary information is indicated in the booking process (such as name, frequent flyer number, e-mail address, phone number, payment information, travel documents, etc.) and only stored if you complete the booking. Additional services may be offered by us or our partners and include advance seat reservation, additional baggage, pre-ordering meals, upgrade options (including bid upgrade services), baggage collection and check-in service, travel insurance, accommodation, car rental, package deals and other services.

The purpose of contract processing generally comprises everything that is necessary or appropriate for concluding, performing and, where applicable, enforcing a contract.

For example, this includes processing in order to:

• communicate with you
• provide customer service
• manage frequent flyer programmes (e.g. Miles & More, PartnerPlusBenefit), for instance, to apply or credit miles
• administer and manage our IT and other resources
• process payments and generally manage accounting
• store data in compliance with retention obligations
• establish, notify and, if applicable, announce winners of contests or similar campaigns
• assert legal claims from contracts (collection proceedings, legal proceedings, etc.)
• terminate and end contracts
• prepare and conclude corporate transactions such as corporate acquisitions, sales and mergers.

Our basis for this processing is the performance of a contract to which you are a party or pre-contractual measures (Article 6(1)(b) GDPR).

You can receive information, offers, surveys about travel related preferences, customer satisfaction surveys, and newsletters on the topic of travel from us, companies of the Lufthansa Group, or partner companies, via communication channels chosen by you, such as email, SMS, messenger services, and telephone.

These messages and offers can be personalized through the use of technologies that allow us to determine whether the recipients have opened the message or otherwise interacted with electronic advertising communications. Please refer to our ​Cookie Policies for further details.

If we ask for your consent, for example, when you subscribe to a newsletter, our legal basis for this processing is your consent (Art. 6 Para. 1 lit. a) GDPR). You can revoke your consent to the processing for this purpose at any time with future effect by following the corresponding unsubscribe link in the respective communication.

If we process your personal data for information and marketing activities without asking for your consent, we have concluded in individual cases that our legitimate interest provides a sufficient legal basis for the corresponding processing (Art. 6 Para. 1 lit. f) GDPR).

We process personal data in order to improve our services, for example, when we analyse data on the usage of our services. The basis for this processing is our legitimate interest (Art. 6(1)(f) GDPR).

You may register for our customer panel to let us know your opinion on specific subjects related to our products and services. Members of the customer panel are invited at regular intervals, via e-mail, to take part in market research projects, such as brief online surveys, focus groups, product tests and in-depth interviews, for example. The information provided by a member, such as address, age, gender, nationality, professional background, and travel behaviour and habits, is used to identify suitable surveys for the member. The information received over the course of a market research project is analysed in anonymised form. More information is available on the ​Lufthansa Group BetaLab website.

Our basis for the processing related to the customer panel and other surveys is your consent (Art. 6(1)(a) GDPR).

We process personal data in order to comply with legal obligations and to prevent and detect violations. Our obligations may derive from Swiss laws and intergovernmental agreements or from the laws and regulations of other countries worldwide, as well as self-regulations, industry and other standards, our own corporate governance or official directives.

With regard to carriage of passengers specifically, we may be legally required to collect and disclose defined personal data to authorities in the countries on the itinerary. This may include the following personal data:

• Advanced Passenger Information (API data): Basic information about passengers that is required by specific government authorities for entering and leaving the country. It includes the name, date of birth, sex, nationality, travel document data and e-mail address of passengers. API data also includes other data, such as flight information (e.g. flight number and arrival and departure times).
• Passenger Name Record (PNR data): Information and data required for carriage (e.g. booking code, name, e-mail address, flight information, payment information and details of travelling companions), plus any additional data in connection with carriage, in particular information sent by you (e.g. frequent flyer information or special requests) or third parties (e.g. travel agencies).
• Health data, such as a specific immunisation status
• Travel permit for children, if a child is travelling alone or with one parent only.

This information is required for legal, security, regulatory and administrative reasons, which may include the following purposes:

• border controls
• immigration formalities
• combatting organised and international crime, terrorism and other serious crimes
• public health purposes; e.g. orders by an authority for combating an epidemic or pandemic
• other lawful purposes subject to applicable law.

Usually, such data is required by the authorities of the country of departure and/or arrival and therefore must be disclosed to Swiss and foreign authorities involved, such as criminal prosecution, judicial, health or other administrative authorities. For example, the United States border authorities (US Customs and Border Protection) receive API and certain PNR data when you book a flight between Switzerland and the United States. The United States have given Switzerland the same guarantees with regard to the use of data as they have to the European Union; they will only use the information for combating terrorism and other serious, cross-border criminal offences.

SWISS is also obliged to disclose your personal data to Swiss and, under certain circumstances, foreign criminal prosecution, judicial or administrative authorities if they require disclosure in order to prevent or prosecute crimes, misdemeanours, or administrative misconduct or if they need it to fulfil their administrative duties.

Data transfers to authorities are based on our legitimate interest in complying with Swiss and foreign laws and in supporting the above-mentioned purposes (Art. 6(1)(c) and (f) GDPR). If the processing relates to special categories of personal data (such as health data), the legal basis is Art. 9(2)(a), (g), or (i) and Art. 10 GDPR.

We process personal data for security purposes, i.e. for your and our security. Examples of processing for this purpose include:

• IT security measures
• physical access controls
• video surveillance and the evaluation of recordings at specific premises for the detection and prosecution of criminal acts
• measures for the prevention of theft, fraud and misuse
• analysis to detect suspicious behaviour patterns and fraudulent activities
• imposition of flight bans for “unruly passengers”. “Unruly passengers” are passengers who display improper, aggressive or violent behaviour towards other passengers or the crew, or who damage the aircraft.
• Exchange of data within the Lufthansa Group and with other airlines in order to document, analyse and prevent cases of fraud and instances of “unruly passengers”.
• Disclosure of data in connection with harm, injury and criminal acts to authorities and insurance companies.

This data processing is based on our legitimate interest in security (Art. 6(1)(f) GDPR).

We wish to be in a position to establish and enforce our claims and defend ourselves against the claims of others. Our claims may include claims of employees, companies affiliated with us and our business partners. We process personal data for the protection of rights, for instance, in order to enforce claims judicially, before or out of court, and before authorities worldwide, or to defend ourselves against claims.

The legal basis for this data processing is our legitimate interest in protecting our rights (Art. 6(1)(f) GDPR).

The Lufthansa Group maintains and builds processes that serve all or several Lufthansa Group companies to improve efficiency and stay competitive. SWISS and other Lufthansa Group companies may therefore share personal data in order to support each other’s data processing activities in accordance with this Privacy Statement (see Section ​7.1).

Examples of joint administration and support are:

• ​Travel ID
• IT administration, including systems used by multiple Lufthansa Group companies
• the central storage and management of data used by multiple Lufthansa Group companies
• training and education
• the review or execution of corporate transactions, such as corporate acquisitions, sales and mergers
• the forwarding of enquiries that concern other Lufthansa Group companies
• joint anti-fraud measures (see Section ​5.4)
• data sharing on “unruly passengers” (see Section ​4.5)
• the review and improvement of Lufthansa Group-internal processes in general.

The legal basis for this data processing is our legitimate interest in efficient administration and support within the Lufthansa Group (Article 6(1)(f) GDPR).

We collect information that your browser automatically transmits to us when you visit our websites. This may include the following data:

• Internet Protocol address (IP address) of the user’s device
• Internet service provider
• operating system, browser type and browser version used
• date and time of the server request
• website accessed
• referrer URL (the website previously visited).

The data automatically collected as described above is processed for the purposes of proper functioning of our websites, e.g. to establish a connection, to ensure stability and uninterrupted system security, to improve our services and for statistical purposes.

The legal basis for the data processing is our legitimate interest in these purposes (Art. 6(1)(f) GDPR).

On our websites, we also process personal data with so-called cookies and similar technologies for additional purposes, such as analytics and marketing. See our ​Cookie Policy for more information.

When you visit the SWISS Magazine website (URL: https://www.swiss.com/magazine and subpages), we process the data mentioned above in ​5.1 also for the correct display of non-personalised ads of third parties, to measure their performance, to ensure security, to prevent fraud and to correct errors.

We currently use the service provider Goldbach neXT AG, Seestrasse 23, 8700 Küsnacht ZH, Switzerland, who is IAB Europe TCF 2 certified for this processing (see Section ​​7.2 regarding our service providers).

The data is deleted as soon as it is no longer required to achieve the purposes mentioned, which is after 30 days at the latest.

The legal basis for the data processing is our legitimate interest in the purposes mentioned (Art. 6(1)(f) GDPR). Personalisation of ads requires your consent (see our ​Cookie Policy).

Credit checks help us to prevent problems in payment transactions. They ensure the protection of our company against financial risks, which may also affect prices in the medium to long term. A credit check may be necessary if we provide our services without receiving the respective payment at the same time, e.g. in the case of a payment on account. Other payment options are available without credit checks.

In order to use the “purchase on account” payment option, we may process your personal data (e.g. first name and surname, address, date of birth, e-mail address and mobile telephone number, as well as information on the outstanding amount, the currency used and the booking data) and the usage data of your SWISS website visits (e.g. information about the start, end and scope of the websites you visited, your IP address and click paths). If there is any suspicion of fraud, we will verify the assessment and the underlying evidence. You will be informed if your application is declined.

The purpose of the processing is the provision of this payment option, the identity and creditworthiness check (this may also include obtaining references from other third parties, such as credit agencies) and risk management (including fraud and abuse prevention, also with the involvement of additional third-party companies).

Currently, we give you the option to use the “purchase on account” service through a third-party company according to its terms and conditions (e.g. ​​Powerpay by MF Group AG). Please note that if you use this service, the service provider processes your personal data as independent controller according to its own privacy statement.

The processing by us or third parties necessary to fulfil a contract with you (e.g. terms and conditions you accepted) is based on Art. 6(1)(b) GDPR. Any other processing for the purposes mentioned above is based on our legitimate interests (Art. 6(1)(f) GDPR).

We may verify payment transactions in order to prevent fraud and other improper usage. To this end, we use both internal and external sources of information. For this purpose, we also check distinct, identifiable technical features. If fraudulent activity is suspected and/or detected, we may share the relevant information (including personal data) with other Lufthansa Group companies, which may also verify the data for their own purposes (see Sections ​4.7 and ​7.1).

The basis for this data processing is our legitimate interest in anti-fraud measures (Art. 6(1)(f) GDPR).

You may register with operators of biometric identification services and for selected flights at certain airports to benefit from the advantages of a biometric identification system (facial recognition), without a boarding pass or smartphone.

The data controller as defined in the GDPR for processing personal data that is required for registering a biometric profile, as well as for biometric identification, is the respective operator. You may use biometric identification services from the following operators:

• Star Alliance

Processing that is our responsibility

• If you have received your digital boarding pass within the scope of our online check-in, then we shall forward your digital boarding pass to the operator of the biometric identification service of your choice upon request, i.e. you make the corresponding selection.
• At the access points/devices operated by us at the airport (e.g. boarding gate) that are equipped with the corresponding cameras, we shall record a brief video sequence of you. A defined numbers of biometric photos will be extracted from this and sent to the operator of the biometric identification service for the purpose of identifying you.

Categories of recipients

• IT service providers located within the EU (Processor)
• Supplier of biometric identification services (Controller)

Duration of data storage

Your data will be deleted at the access points/devices as soon as the identification process has been completed or your data has been transferred.

Legal basis for processing

Your data will be processed on the basis of your consent as per Art. 6 (1)(a) and Art. 9 (a) GDPR, which you have provided to the operator of the respective biometric identification services during registration. Your consent to the use of biometric data may be withdrawn from the respective operator at any time. For details about processing your personal data and withdrawing your consent, please read the operator’s Privacy Policy:

• Star Alliance

To use self-services, request general information or find out about future destinations, you can contact us by means of our chat service on our website or our defined messenger services. Depending on the requirements or complexity of your enquiry, it can also be answered by one of our service agents on a live chat.

We request the personal data required for the respective purpose (e.g. booking number) from you in order for you to use our services, e.g. rebooking or refunding your flight, or answering questions about products and services relating to your trip.

If you have registered with your Travel ID profile, we can also offer you a personalised service based on the information stored in your Travel ID profile, e.g. display a selection of your bookings. You will find further details about the processing of your data in connection with your use of Travel ID in the ​Travel ID Privacy Policy.

We have a contract data processing agreement with WhatsApp Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Ireland, for contacting us using WhatsApp. WhatsApp uses end-to-end encryption for communication. Information disclosed in the chat is therefore not visible to WhatsApp. You will find information about the processing of personal data when you use WhatsApp in the ​WhatsApp Privacy Policy.

Your personal data is generally processed within the EU.

Passenger counting after boarding or before doors are closed confirms the correct number of passengers in the aircraft. This promotes flight safety and assists us in correct baggage handling, which also aids safety. Counting is carried out manually by the cabin crew up to that point. Counting errors lead to flight delays and can affect safety if not discovered (e.g. in terms of take-off calculations). SWISS wishes to minimise errors by automating counting to increase safety and improve the boarding process.

SWISS uses an artificial intelligence (AI) model for this purpose from its service provider VION AI GmbH (Germany). It is trained to differentiate passengers boarding the aircraft from members of the cabin crew without identifying the individual. This allows passengers and their hand luggage to be counted reliably and automatically.

You will be informed via a notice near the aircraft door if passenger counting with artificial intelligence is used on your flight. Video recordings of passengers boarding made for the purpose of counting are deleted or anonymised shortly after the count is completed successfully. If the video recordings are used to train the model (this happens on selected flights), video recordings are deleted or anonymised immediately after training and no later than 6 weeks after the recording was made.

Overall, automated counting of passengers and hand luggage helps to:

• increase safety
• improve the boarding process through automation, and
• train the AI model for these purposes.

If we go beyond our statutory obligation to flight safety in this process, our legal basis is in our legitimate interest in increasing flight safety and improving the boarding process (Art. 6(1)(f) GDPR).

Depending on the applicable law, data processing is only permitted if the applicable law specifically allows it. This does not apply under the Swiss Data Protection Act, but it does apply under the GDPR. If not indicated for the respective purpose above, the processing of your personal data is based on one of the following legal bases:

• your consent, if we requested it, for example, for newsletters, marketing cookies, etc. (Art. 6(1)(a) GDPR)
• fulfilment of a contract with you or for pre-contractual measures, for example, in the context of a booking with us or with one of our partners (Art. 6(1)(b) GDPR)
• compliance with a legal obligation, for example, our obligation as an air carrier to communicate API data to the competent authorities based on EU Directive 2004/82/EC and Art. 104 et seq. of the Swiss Federal Act on Foreign Nationals and Integration (Art. 6(1)(c) GDPR)
• legitimate interests, including our own interests and third-party interests, for example, in enhancing customer satisfaction; in carrying out advertising and marketing activities; in safeguarding and organising business operations, including developing websites, apps and other systems; in protecting passengers, customers, employees and other individuals, as well as data, secrets and assets of the Lufthansa Group; in managing risks; in selling and purchasing companies, parts of companies or other assets; in enforcing or defending legal rights and claims, and in complying with Swiss and foreign law as well as internal rules and regulations (Art. 6(1)(f) GDPR).

SWISS belongs to the Lufthansa Group. More information and reports by the Lufthansa Group and its companies are available in the ​Lufthansa Group company profile. SWISS may disclose personal data within the Lufthansa Group in order to fulfil its contractual obligations towards you, to reply to your booking requests or to provide customer service. Disclosure may serve to facilitate intra-Group administration or support for the group companies concerned and their own processing purposes (see Section ​4.7).

We often work with other Lufthansa Group companies as joint controllers under data protection law (for example, when you use ​Travel ID). We also often engage other Lufthansa Group companies as service providers (see Section ​7.2 below).

We may disclose your personal data to other companies if we make use of their services. These service providers generally process personal data on our behalf as so-called “processors”. Our processors are obliged to only process personal data in accordance with our instructions and to take suitable measures to ensure data security. Certain service providers are also joint controllers (e.g. Meta as described in Section ​5.6) or independent controllers (e.g. service providers for “payment on account” as described in Section ​​5.3).

Examples include services in the following areas:

• travel technology
• advertising and marketing services, for example, for the delivery of messages and information
• corporate management services, for example, accounting or asset management
• payment services
• IT services, for example, in the areas of data storage (hosting), cloud services, the delivery of e-mail newsletters, and data analysis and refinement
• advisory services, for example, the services of tax advisors, lawyers and management consultants.

In individual cases, we may disclose personal data to other third parties for their own purposes, for example, if you have granted your consent or we are legally obliged or authorised to share such information. In such cases, the data recipient is an independent data controller under data protection law and usually provides its own privacy statement.

Examples of such cases include the following:

• The disclosure of personal data to courts and authorities within Switzerland and abroad (see examples in Section ​​4.4)
• The processing of personal data in order to comply with a court or administrative order or to enforce or defend legal rights or claims, or if we consider such processing to be necessary on any other legal grounds. We may also disclose your personal data to other parties involved in any proceedings.
• The transfer of claims to other companies, such as collection agencies.
• The review or execution of corporate transactions, such as corporate acquisitions, sales and mergers.

Please take note of our ​Cookie Policy concerning independent data collection by third-party providers whose tools we have integrated into our websites and apps.

As an airline operating worldwide, we transfer your personal data to countries worldwide, depending on the use case, according to this Privacy Statement. The countries in question may not have laws that protect your personal data to the same extent as in Switzerland or the EEA. If we transfer your personal data to such a country, we will ensure the protection of your personal data in an appropriate manner.

One means of ensuring adequate data protection is, for example, to conclude data transfer agreements with the recipients of your personal data in third countries that ensure the required level of data protection. This includes agreements that have been approved, issued or recognised by the European Commission and the Swiss Federal Data Protection and Information Commissioner, known as standard contractual clauses. An example of the data transfer agreements generally used by us is available on the ​website of the European Commission. Please note that such contractual arrangements can partially compensate for weaker or missing statutory protection but cannot rule out all risks completely (e.g. government access abroad). In exceptional cases, transfer to countries without adequate protection may also be permissible in other cases, e.g. based on consent, in connection with legal proceedings abroad or if the transfer is necessary for the execution of a contract.

We retain your personal data:

• for as long as it is required for the purpose of processing and compatible purposes; in the case of contracts, normally for at least the duration of the contractual relationship
• for as long as it is subject to a statutory retention requirement. For example, a ten-year retention period applies to certain data
• for as long as we have a legitimate interest in storing it. This may be the case, in particular, if we need personal data to enforce or defend claims, for archiving purposes or to ensure IT security.

Specific examples for retention periods based on our legitimate interest are the following:

• we generally retain contractual data for ten years after contractual expiry, as claims may arise during this time (statute of limitation)
  
• shorter retention periods typically apply to other data, for example, recordings from video surveillance or recordings of certain online processes (log data)
• at specific airports, we retain copies of your travel document typically for 14 days because we regularly need to produce proof to authorities that we checked the travel documents of passengers travelling from these airports
• other retention periods mentioned in Section ​​5 and in other privacy statements.

“Profiling” refers to the automated processing of personal data in order to analyse personal aspects or make predictions, e.g. the analysis of personal interests, preferences, affinities and habits or the prediction of likely behaviour. Profiling is a common procedure across industries. Profiling supports us in the specific purposes mentioned in Sections ​​4 and ​5 and is based on the mentioned legal bases. For example, profiling helps us to:

• continuously improve our offers and better tailor them to individual needs (Section ​4.3)
• present our contents and offers to you in accordance with your needs (Section ​4.2)
• show you advertisements and offers that are likely to be relevant for you (Section ​​4.2)
• better support you with our customer service (Sections ​4.1 and ​5.6)
• conduct credit assessments (Sections ​5.3 and ​5.4).

There is not yet an internationally recognised definition for "Artificial Intelligence" (AI). As with all new technologies, SWISS commits itself to use such technologies in a responsible way. For example, we have tested AI to distinguish aircraft-boarding passengers from crew members and ground staff to eliminate miscounts without facial recognition. More information is available to you should you be part of such a passenger count.

We do not make any decision about you that is based solely on automated processing and that has legal consequences for you or significantly affects you in a similar way, unless we inform you about it separately. You would then have the option of having the decision reviewed by a human being.

We take appropriate technical and organisational security measures in order to safeguard your personal data, protect you against unauthorised or unlawful processing activities and to counteract the risk of loss, unintentional changes, inadvertent disclosure or unauthorised access. However, like all companies, we cannot completely rule out data security infringements; certain residual risks are unavoidable.

Security measures of a technical nature include the encryption and pseudonymisation of data, record keeping, access restrictions and the storage of data backups. Security measures of an organisational nature include training of our employees, confidentiality agreements and audits. We also require our processors to take appropriate technical and organisational security measures (see Section ​7.2).

You have the right to object to data processing particularly if we process your personal data on the basis of a legitimate interest and the other applicable requirements are met. You can also object to data processing in connection with direct advertising (e.g. advertising e-mails) at any time. This also applies to profiling, to the extent it is related to direct advertising.

Provided the applicable conditions are met and there are no applicable statutory exceptions, you also have the following rights:

• the right to request information about your personal data stored by us
• the right to have inaccurate or incomplete personal data corrected
• the right to request the deletion or anonymisation of your personal data
• the right to request that the processing of your personal data be restricted
• the right to receive certain personal data in a structured, commonly used and machine-readable format
• the right to revoke consent with effect for the future, insofar as processing is based on consent.

Please note that these rights may be restricted or excluded in individual cases, e.g. if there are doubts about the identity or if this is necessary to protect other persons, to safeguard interests worthy of protection or to comply with legal obligations. If exercising certain rights will incur costs for you, we will notify you of this in advance.

In general, exercising these rights requires that you prove your identity (with a copy of your passport or ID when your identity is not evident otherwise or cannot be verified in another way).

You can exercise these rights:

• by visiting the user account or app your request is related to. For example, in your ​Travel ID profile, you can check the current status of most of your master data yourself at any time, revoke any consent and delete your ​Travel ID profile.
• by unsubscribing from newsletters and other advertising e-mails, typically at the end of the e-mail
• via our ​​contact form for data subjects’ rights. Please note that it may take up to 30 days until you receive our first response.

We are grateful for the opportunity to address the concerns you may have in connection with our data processing. However, you are free to lodge a complaint with a competent supervisory authority.

Enquiries not related to data protection, such as requests or feedback on individual bookings or services, will not be answered or forwarded by our Data Protection Team. Please visit our ​Service Centre and use the appropriate contact form, or reach out to your SWISS contact if you are representing a business partner.

This Privacy Statement may be changed from time to time and without prior notice. The current version published on our website will apply.