Privacy Policy for Widerøe
This privacy policy describes how Widerøe AS and other entities in the Widerøe Group (“Widerøe”, “we”, and “our”) process personal data about you. The privacy policy applies to all personal data we process about you and for all interactions you have with Widerøe, for example when you use our website or mobile app, book a trip, or contact customer service.
If you provide us with personal data about others, you are obliged to inform those individuals that Widerøe will process their personal data in accordance with this privacy policy and any other terms applicable to the relevant services..
1. Responsible for processing of personal data
Widerøe AS or the relevant subsidiary you are in contact with is the data controller, meaning they determine why and how personal data will be processed.
Widerøe is owned by Norwegian Air Shuttle ASA and is currently part of the Norwegian Group. Widerøe is also part of the loyalty program, Norwegian Reward. In some cases, entities in both the Norwegian and Widerøe Groups, as well as Widerøe’s partners, may process your personal data or act as joint controllers in connection with the provision of certain services. This applies, for example, when you book trips that include both Norwegian and Widerøe, or for earning loyalty points. For more information on how personal data is managed in collaboration with Norwegian and Reward, see section 4 below.
For any questions you may have about Widerøe’s processing of your personal data, you can contact us at:
Widerøe AS
Address: Widerøe AS, Attn: Data Protection Officer, P.O. Box 247, 8001 Bodø
Email: [email protected]
Organization number: 917 281 629
2. Definitions
Widerøe’s websites and app or other communication channels, as well as services we offer, such as booking flights, check-in, customer service, loyalty programs, online profiles, newsletters, cargo services, and other flight-related services, are referred to below as our “services”.
“Personal data” means any information that can be used directly or indirectly to identify a person.
“Processing” means any operation performed on personal data. For example, collection, registration, organization, structuring, storage, adaptation or alteration, use, disclosure, or any other form of making available, compilation, or deletion, and may include automated or manual processes.
To process your personal data, we must have a legal basis for processing (“legal basis”). This may, for example, be the fulfillment of a contract, your consent, or a legal requirement we are subject to.
3. Processing of personal data
Information about the personal data we process about you, the valid legal basis, the purpose of the processing, and how long we process the personal data is provided below, sorted according to the services you use. Widerøe may use your personal data for the purposes specified below, as well as for any purposes you were informed about in connection with your use of the relevant service(s). This Privacy Policy applies only to the use of Widerøe’s services. If there are links to third-party websites on Widerøe’s websites, Widerøe is not responsible for the content or the processing of personal data that may occur on such sites.
3.1. Customers/Passengers
3.1.1. Booking; Travel and Check-in management
When you book flights or use other travel-related services or products offered by Widerøe, Widerøe processes your personal data.
Why we process your data: The processing of personal data is necessary to fulfill the agreement for the purchase of air transport services, see GDPR Article 6(1)(b). The purpose is to manage and carry out travel and related services you have ordered.
What we process: Identification and contact information, such as name, address, phone number, email address, Reward number, as well as payment and transaction data. For certain tickets, Widerøe also processes date of birth. Gender is processed for calculating weight and balance on our aircraft based on standard weight per gender set by the European Aviation Safety Agency (EASA). Passport information is processed for travel to/from countries that require this. We also process travel information, such as travel dates and route, seat, meals, baggage information, requests for special services and assistance, as well as irregularities in the journey.
Widerøe does not intend to process special categories of personal data, such as health information, information about religion, etc., and we encourage you not to provide such personal data. If you nevertheless provide special categories of personal data as part of the booking process, we will always process such data with extra care and security.
How we process: We process your personal data to complete purchase of flight tickets, check-in, boarding, providing information about past and future trips, seat reservation, earning loyalty points, cancellation, or rebooking. Some countries also require the transfer of travel and contact information to relevant authorities related to immigration, police, and customs control, and this is shared based on our legal obligations, see GDPR Article 6(1)(c).
How long we process: We retain customer information for up to 5 years after the trip is completed. This is to fulfill legal requirements, handle any complaints, and claims for compensation in case of irregularities. After 5 years, we will keep statistics about travelers to improve our services and products. These are anonymized and cannot be linked to you.
3.1.2 Payment
To complete payment for our services by card, you must provide certain payment information, including card number and expiration date. The legal basis for handling and storing financial information is our legal obligations under accounting and bookkeeping regulations, see GDPR Article 6(1)(c).
Widerøe has implemented measures to ensure that your payment information is secure and processed in accordance with applicable law. The information collected in connection with your booking, such as name, travel, and card information, is both registered and stored by our selected service providers, who comply with all requirements in applicable legislation (PCI DSS).
3.1.3 Prevention of Fraud and Crime
To prevent, investigate, or report cases of fraud or security issues, we process the following personal data about you: name, address, email address, phone number, IP address, and payment information.
The legal basis for processing this information is to prevent, investigate, or report cases of fraud, see GDPR Article 6(1)(f). Our assessment is that processing your personal data is necessary to achieve the relevant purposes.
The information is stored for up to 3 years.
3.1.4. Profiles and My Travels
Why we process your data: If you wish, you can choose to create a profile. This can be used across both Norwegian and Widerøe channels. The purpose is to provide you with a tool to easily manage your bookings and travels, and for us to provide you with relevant information and offers. You can decide through your profile what kind of communication you want to receive from us.
What we process: Widerøe will process the personal data you register in the profile, which includes name, date of birth, gender, email address, phone number, address, and Reward number. It may also include other information you choose to add, such as passport information and various preferences, such as favorite airport, seat, and information about other passengers you often travel with.
If you choose to add travels to your profile, information about the trips (for example, departure location, destination, airline, date, and time) and your receipt will be stored in your profile. If you choose to link a payment card to the profile, the payment information will be processed and stored by our service providers.
The legal basis for our processing is the fulfillment of a contract and our obligation to comply with the terms for profile account holders, see GDPR Article 6(1)(b).
How we process: You will be able to access future and historical travel information, favorite airport, and similar personalized services. Your information will also be pre-filled the next time you book a trip with us.
How long: Your profile will be deleted after 4 years of inactivity or if you choose “Delete profile” under your user profile. Deletion occurs within 30 days after we have received notice of the deletion request.
3.1.5. Widerøe APP
Why we process your data: To provide an efficient and user-friendly overview of your journey, you can choose to download and use our app. The purpose is to give you tools to easily book and manage your travels.
What we process: We will process your personal data in our mobile app in the same way and for the same purposes as described under section 3.1.4 Profiles, above. However, the Widerøe app contains some additional features, as described below.
How long: Information is stored in the app until the journey is completed. Information about your booking will still be stored in our database for 5 years.
Location
If your mobile device settings allow our app to collect location information, we will automatically collect this information. If you do not want this, you can control how your mobile device shares location information with us through your phone’s settings. The legal basis for this processing is consent, see GDPR Article 6(1)(a).
Technological features
We use technological features (cookies or similar) such as unique identifiers linked to your mobile device in our app. This is done to improve and manage the app’s functions. Your device may store information about how you have used the app previously so that your recent searches, favorite airport, etc., will be saved in the app for your next visit. This information will be deleted if you delete the app.
Push notifications
If you have given consent in the app, we may send you push messages with relevant travel information. This may include messages with information related to your travels, such as check-in opening, gate changes, delays, and special offers. To enable push notifications, we will store your device ID. You can change your settings in the app at any time if you do not want us to send you push messages. The legal basis for this processing is consent, see GDPR Article 6(1)(a), and the information is stored as long as we have your consent.
3.1.6. Customer Support and Service
Why we process your data: If you contact Widerøe’s customer service via email, chat, phone, SMS, submit a claim for a refund or compensation via our digital form, or other channels, we will process your personal data to provide customer support and service, as well as to handle refunds and complaints. The legal basis for the processing is the fulfillment of our contractual obligations to provide you with the services you have requested, to fulfill applicable terms and conditions for the purchase, as well as regulatory requirements we are subject to, see GDPR Article 6(1)(b) and (c).
What we process: Widerøe processes the personal data you choose to provide to us via email, chat, phone, SMS, or other channels, as well as necessary information about your booking to resolve issues you have with your journey.
How we process: It is voluntary to contact our customer service. If you contact Widerøe’s customer service, we will process the personal data you provide (as well as travel information) to provide customer service or deliver the services you have requested. The processing will be limited to what is necessary to assist you with your issues.
Phone
If you call our customer service, the processing may also include registration and recording of phone calls. Before the call starts, you have the opportunity to opt out of recording. The recording is only used for training purposes and to ensure and improve the quality of our handling of inquiries. This is based on our legitimate interest in ensuring and improving the quality of our customer service, see GDPR Article 6(1)(f).
Chat
Our website has a chatbot designed to handle common customer questions. If the chatbot cannot help, you can easily request that the conversation be transferred to a customer service representative during our opening hours. To provide faster assistance, the entire conversation is transferred from the chatbot to our customer service representatives.
You must provide your name and email address to ensure personal assistance when chatting with a customer service representative. The representative will then check for existing trips and cases linked to your email address or reservation number.
A copy of the chat log is automatically sent to the email address provided when the dialogue is concluded. This is done to ensure documentation of the communication, give you the opportunity to retrieve information, and contribute to efficient follow-up of inquiries. We encourage you not to include sensitive information, such as national ID number, payment information, or health information in the chat. The processing is based on legitimate interest (GDPR Article 6(1)(f)). Widerøe has a legitimate interest in sending a copy of the conversation to the customer to ensure transparency, reduce the number of repeated inquiries, and improve customer service.
How long we process: Customer communication is stored for up to 5 years to ensure documentation in case of complaints and legal processes. Audio recordings are deleted no later than 90 days after recording.
3.1.7 Communication to You: Information and Feedback Related to Your Trip
Why we process your data: When you book certain services, it is necessary for us to provide you with additional information related to your trip. For example, we will send emails about flight check-in, notify you of irregularities in your journey, and offer the possibility of or pre-ordering tax-free goods for routes where this is available. The legal basis is our legitimate interest in delivering and notifying you about services related to your booking, see GDPR Article 6(1)(f).
Shortly after your journey, we will send out surveys about your experience traveling with us. This is based on our legitimate interests in following up with customers after a journey and to improve our products, services, and offers, see GDPR Article 6(1)(f). Participation in the survey is voluntary.
What we process: Widerøe processes your name, email address, phone number, and travel information, as well as the responses you provide in the surveys if you choose to participate.
How we process: Your personal data is used to reach out to you with relevant information about your travels and follow-up afterwards. Information obtained through surveys will only be used in aggregate form to improve our products, services, and offers.
How long we process: The communication is a one-time process that occurs automatically when we deliver a service to you or until you have received the requested information.
3.1.8. Communication to You: Newsletters and Other Marketing Communications
Why we process your data: We process your personal data to send you newsletters, campaigns, and other marketing-related communications, if you have given your consent for this.
To make the content more relevant to you, we use tracking pixels in emails to record if and when the emails are opened and if the links in the message are clicked. The information is used solely to measure the effectiveness of our marketing and to improve our digital channels. The processing is based on legitimate interest (GDPR Article 6(1)(f)). Widerøe has a legitimate interest in evaluating and improving our marketing, and tracking pixels are considered a limited and proportionate measure that does not involve significant intrusion into the data subject’s privacy.
If you wish to opt out of receiving marketing communications via email, you can withdraw your consent here.
What we process: Widerøe processes your name and email address to reach out to you. In addition, behavior in newsletters is processed, including receipt, opening, and what you clicked on, information related to newsletter sign-up, and desired marketing communication.
How we process: The processing takes place as long as we send out emails and marketing information to you. You may receive information about our partners, their products/services, and our products/services.
To make our offers more relevant to you, we may share certain personal data with our partners and media platforms (third parties) to tailor marketing and campaigns. This means that your email address may be recognized by third-party platforms you already use so that information and campaigns from us are presented to you on these platforms. We are joint controllers with the platforms for such recognition. The processing is based on consent, see GDPR Article 6(1)(a). Consent is voluntary, and you can manage consents for different marketing communications under your Profile at any time.
How long we process: Until you withdraw your consent. Deletion occurs 30 days after we have received notice of your unsubscription.
3.1.9. More About Statistics, Analysis, and Testing
Analysis of customers’ booking and travel history, use of our services, and surveys
We may process personal data collected from you in connection with your use of our services, your booking and travel history, and the responses you provide in surveys to prepare statistics and analyses. The purpose of the processing is to improve, develop, and optimize our customer offering, route network, digital platforms, business model, and pricing. Analysis for this purpose is carried out without identifying individuals. The legal basis is our legitimate interest in optimizing our services and business model, see GDPR Article 6(1)(f).
Personalized marketing
We process and analyze information such as purchase history, profile data, and interaction with our digital channels to improve and provide you with more relevant offers through our websites, app, and email campaigns. The information is collected from our systems and your use of our services. The information is processed based on your consent to personalization under your Profile, see GDPR Article 6(1)(a).
Analysis for improving customer service
We use data from customer dialogues to analyze and improve the quality of our customer service. The purpose is to identify areas for improvement, reduce recurring inquiries, and ensure better follow-up of our customers. The analyses are used to strengthen our internal routines and employee training. The legal basis is our legitimate interest in optimizing our services, see GDPR Article 6(1)(f).
3.2 Suppliers, Partners, and Widerøe Bisniss
Why we process your data: We process personal data about contact persons of our suppliers and other partners, including companies that are part of our corporate program, Widerøe Bisniss, in order to manage and fulfill possible or existing agreements between us, and to offer discounts through our corporate program. The legal basis is the fulfillment of possible or current agreements as well as legal obligations we are subject to for retention under applicable accounting and tax legislation, see GDPR Article 6(1)(b) and (c).
What we process: We process contact information (name, address, phone number, and email address), company name, and information related to the contact with the company the person works for, as well as other information these contact persons may provide us.
How we process: We need contact information for relevant persons to reach out to businesses for the administration and fulfillment of the applicable agreement between the parties.
How long we process: We will process personal data as long as it is a prerequisite for fulfilling the agreement or for managing the customer relationship. Certain legal obligations or documentation requirements may mean that we retain personal data for a longer period. We will delete personal data for relevant contact persons if we become aware that they have left the supplier, or that a new contact person has been appointed.
3.3. Cargo Services
Why we process your data: If you are a private or corporate customer, or freight agent, we offer cargo services with our aircraft. We then process personal data to be able to carry out deliveries and transport packages to the correct destination according to the agreement or to handle any issues with the delivery.
What we process: We only process information necessary to transport the cargo to the correct destination. This will be contact information, such as name, phone number, and address. The legal basis for the processing is the fulfillment of our contractual obligations to provide you with the services you have requested, as well as regulatory requirements we are subject to, see GDPR Article 6(1)(b) and (c).
How we process your data: Your personal data is only used to manage our cargo services in designated systems. Personal data is only shared with relevant partners such as airports, ground handling providers, and carriers to fulfill our part of the agreement. We may also be required to disclose personal data to relevant customs and police authorities in accordance with legal obligations we are subject to.
Cargo deliveries may be included in anonymized statistics to improve our cargo services, such as the number of requests to new and current destinations.
How long we process: We delete information related to cargo no later than 3 years after the delivery.
3.4. Use of Our Website
Why we process your data: When you visit our website, certain information is automatically collected using cookies or other ways of storing information in your browser, to ensure that essential functions on the website work.
How we process: Cookies are used to give you a better experience when you use the website and our services, as well as to increase security and functionality. Some of the information collected is personal data and can be linked to you, such as device information and IP addresses (which can show your location). With your consent, we may also use cookies for analysis and statistics to improve and customize the website, provide more relevant information, and show you relevant ads and offers. Cookies that are strictly necessary for essential functions on the website will always be enabled.
The legal basis for processing information collected via cookies is consent. Consent for different types of cookies is obtained via our cookie consent platform, which is available on our websites. For more information about what types of cookies Widerøe uses, what information we collect, and how long this is stored, see our Cookie Policy
3.5. Social Media
Why we process your data: We process personal data on social media to communicate with our customers and stakeholders, and to handle inquiries we receive. This is based on our legitimate interest, see GDPR Article 6(1)(f).
What we process: Through these pages, personal data will be processed if you post on the page, comment on posts, or “like”/follow the page. We then process your name and any information you have posted associated with your name/account on that platform. In addition, we process what you share through posts and comments.
+How we process: We want to be available to our customers on social media. For example, we have established a Facebook page and an Instagram account, where we are jointly responsible for the processing of personal data together with Facebook and Instagram. Our purpose for processing personal data through social media is to be in contact with you who wish to communicate with us or interact with us in other ways.
How long we process: The information will be processed as long as posts/comments are available on the social media platform, and you can delete your posts at any time.
4. Transfers or Disclosure of Personal Data to Third Parties
Transfer to Authorities and Compliance with Legal Obligations
As a provider of aviation-related services, we may be required to disclose information to public authorities, such as tax, customs, and border authorities, in accordance with applicable regulations. We are, among other things, obligated to collect and disclose passenger information in PNR and API data, which contains basic identity and travel information. These are mandatory requirements from foreign authorities and are mainly used to prevent and combat terrorism and other crime.
Norwegian and Other Company`s in the Aviation Industry
Widerøe is part of the Norwegian Group, and personal data may be transferred between companies in the group so that we can deliver and carry out purchased combination trips, manage and maintain profile accounts and memberships. Group companies may also have access to personal data to provide necessary services, such as IT services and customer support.
Your personal data may also be shared with other airlines and other companies involved in providing aviation-related services, such as travel agencies, ground handling providers, or tax-free suppliers. This is necessary for us to be able to carry out and deliver the services and products you have ordered.
We use data processors to collect, store, or otherwise process personal data on our behalf. In these cases, we have entered into data processing agreements to safeguard your rights and the security of your personal data at all stages of the processing.
Norwegian Reward
Widerøe is part of Norwegian Reward loyalty program so that you can earn points on all our commercial routes. To calculate, issue, and possibly retroactively register bonus points, your travel and transaction data will be shared with Norwegian Reward. The information may be further shared with Spenn if you have linked your Spenn account to your Reward account. For more information about this and how Norwegian Reward processes your personal data, see Norwegian Reward’s privacy policy.
Acquisition
Personal data may be subject to transfer to another organization in connection with a merger, financing, reorganization, or dissolution transaction of all or part of us. We will only do this if the parties involved have entered into an agreement where the collection, use, and sharing of personal data is limited to the purposes related to the transaction, including a provision on whether the transaction will proceed or not, and the personal data will only be used by the parties involved to carry out and complete the transaction. If another company buys us or our business or assets, this company will have access to the personal data collected by us and will assume the rights and obligations regarding your personal data as described in this privacy policy.
Transfer of Personal Data to Recipients in Countries Outside the EU/EEA
Our goal is for all processing of personal data to take place within the EEA, but it may be that we use suppliers or process personal data outside the EEA.
In such cases, transfer and processing outside the EEA (third countries) will take place in countries approved by the EU Commission or in accordance with a valid legal basis for the transfer of personal data under GDPR Chapter V. If the transfer does not take place to countries approved by the EU Commission, the transfer will only take place according to the guarantees set out in GDPR Article 46(2). We will also conduct risk assessments for transfers to implement additional security measures if necessary.
Security of Processing
We prioritize the security of personal data highly and will implement several technical and organizational measures to safeguard your personal data.
We strive to process information so that it is accurate, available, and handled according to the sensitivity of the data. We also use a range of security technologies and information security procedures to protect personal data from unauthorized access, use, or disclosure. We limit access to personal data to personnel or third parties who process the data on our behalf and who are subject to confidentiality obligations.
We have entered into data processing agreements with our suppliers who process personal data, where they undertake the same level of security as we have for our processing of personal data.
There are established routines for handling information security breaches (data breaches), and if there is a breach that poses a risk to the privacy of the affected individuals, we will send a notification to the Data Protection Authority as soon as possible and no later than 72 hours after the breach was discovered. If the breach is likely to result in a high risk to the privacy of the affected individuals, we will also notify those individuals.
5. Your Rights
Information
You have the right to receive information about the personal data we process about you. Through this statement, we inform you about our processing of personal data. You can also contact us if you want more information.
Access
You have the right to request access to the personal data processed about you. Contact us if you wish to access your data.
Correction and Deletion
You can also ask us to correct incorrect information we have about you or ask us to delete personal data. In certain cases, we may not be able to delete your personal data. This may be because your data is still necessary for the purpose for which it was collected, we have a legal basis for processing that outweighs your request for deletion, or we are legally required to retain your personal data.
If you have registered a profile, you can at any time update, change, or delete information you have registered under profile settings.
Processing Based on Consent
If we process personal data based on your consent, you can withdraw your consent at any time. The easiest way to do this is to use the method provided when you gave your consent. Under your profile, you can at any time manage marketing consents.
Right to Restrict or Object to Processing
If you believe that your personal data is inaccurate, that our processing is unlawful, or that we do not need the information for a specific purpose, you have the right to request that we restrict the processing of such personal data or to object to the processing of your personal data.
Right to Data Portability
For information you have provided to us and that is necessary to fulfill an agreement with us, and which is processed automatically (i.e., not manually by us), you can request to have your personal data disclosed or transferred to another provider in a structured, commonly used, and machine-readable format (data portability).
Automated Processing, Including Profiling
There will be no automated processing, including profiling, based on your personal data that has legal effects or that significantly affects the individuals concerned. See GDPR Article 22(1) and (4).
6. Complaints
If you find that our processing of personal data does not comply with what we have described here, or that we otherwise violate privacy legislation, you can file a complaint with the Data Protection Authority. However, we ask that you contact us first, so that we can correct any improper processing as quickly as possible.
You can find information about your rights and how to contact the Data Protection Authority on their website: http://www.datatilsynet.no/.
7. Changes to this Privacy Policy
We reserve the right to change our privacy policy. If there are changes to our services or changes in the regulations regarding the processing of personal data, updated information will always be available on our websites.