JAL Group Airlines: Processing of Personal Data in GDPR

ZIPAIR Tokyo, Inc. (Hereinafter referred to as “ZIPAIR”) process and protect customers' personal data as follows, pursuant to the General Data Protection Regulation (hereinafter referred to as "GDPR") and the JAL Group's Basic Policies on Information Security and the Protection of Personal Information.

1. Protection and Management of Personal Data

ZIPAIR properly manage and protect customers' personal data pursuant to the JAL Group's Basic Policies on Information Security and the Protection of Personal Information.

2. Personal Data Controller and Data Protection Officer

Personal Data Controller

ZIPAIR Tokyo, Inc.
Address: Narita International Airport, Terminal 1, North Wing, 4F NA407, 1-1 sanrizuka aza goryobokujyo, Narita-city, Chiba, 282-0011

Data Protection Officer

Address: Narita International Airport, Terminal 1, North Wing, 4F NA407, 1-1 sanrizuka aza goryobokujyo, Narita-city, Chiba, 282-0011
E-mail:dpo@zipair.net

ZIPAIR properly process customers' personal data within the scope of the following purposes:

Purpose of Processing Legal Basis
1 To provide air transportation services (Reservations, sales, check-in, airport handling, cabin services, etc. Including cases of interline transportations, joint operations, code-sharing, contract operations, etc. in addition to normal transportation services) Contract performance
2 To provide services relating to point program Contract performance
3 To provide other products and services Contract performance
4 To provide information and communications; to conduct questionnaires relating to products, services, various events, campaigns, and such Legitimate interests
5 To conduct sales analysis, investigations and research; to develop new services and products Legitimate interests
6 To conduct operations relating to 1-5 above; to respond to inquiries, etc. Contract performance
1
Purpose of Processing To provide air transportation services (Reservations, sales, check-in, airport handling, cabin services, etc. Including cases of interline transportations, joint operations, code-sharing, contract operations, etc. in addition to normal transportation services)
Legal Basis Contract performance
2
Purpose of Processing To provide services relating to point program
Legal Basis Contract performance
3
Purpose of Processing To provide other products and services
Legal Basis Contract performance
4
Purpose of Processing To provide information and communications; to conduct questionnaires relating to products, services, various events, campaigns, and such
Legal Basis Legitimate interests
5
Purpose of Processing To conduct sales analysis, investigations and research; to develop new services and products
Legal Basis Legitimate interests
6
Purpose of Processing To conduct operations relating to 1-5 above; to respond to inquiries, etc.
Legal Basis Contract performance

4. Personal Data Categories

ZIPAIR process customers' personal data necessary for the purposes stated in "3. Purpose and Legal Basis for Processing Personal Data". Such personal data includes:

Basic Data

Name, address, contact details (TEL/FAX numbers, e-mail address), gender, date of birth, country/region of residence, passport number, credit card number, information on employment (company name, department, job title, address, TEL/FAX numbers), etc.

Data for Making Reservations and Itineraries

Reservation /boarding information (flight name, etc.), itinerary information, copy of e-ticket, EMD, (online) check-in, accompanying passengers, incidental services (upgrades, additional baggage, etc.), mailing address of items sent to customers, e.g. ticket, itinerary, etc.

Point program’s Membership Data

Membership number, member's service qualifications, membership region, accumulated points, data related Point program’s awards, etc.

Communications Data

Records of communications with the ZIPAIR (recordings of phone calls to the call centre, records of responses to questions submitted via e-mail or web inquiry forms, etc. Where necessary, records of questions or complaints, etc. received at airport counters or when boarding, may be kept)

Data Collected from Websites and Apps, etc.

Website access logs (IP address, Cookies, etc.) and data collected by apps, etc.

Where a customer reserves the ZIPAIR' air transportation services via a third party such as travel agents or other airline companies, some of the above-stated personal data may be collected from such third party. This policy also applies to personal data collected in such way.

Collection and Use of Sensitive Personal Data

ZIPAIR may collect and use sensitive personal data on customers when providing air transportation services. The collection and use of such sensitive personal data is limited to cases in which customers request Priority Guest Support when using air transportation services, and such data is not used for any other purpose.

Examples of Processing Sensitive Personal Data

  • Where requesting escort from check-in counter to departure gates for passengers that use a wheelchair or are visually impaired
  • Where requesting rental medical oxygen bottles or permission to carry-on a medical oxygen bottle
  • When requesting permission to carry-on syringes or other medical equipment for a chronic disease
  • When a pregnant passenger requests to board a flight within 28 days expected delivery date

Where a customer requests a special in-flight meal, etc., data may be processed that is not sensitive personal data but may indicate a customer's religious beliefs or state of health.

Customers have the right to withdraw consent for the processing of sensitive personal data. Customers wishing to withdraw consent should contact where he or she applied for the service. It may not be possible to provide all or some services if consent is withdrawn.

5. Refusal to Provide Personal Data

The provision of personal data on customers is necessary for customers to be provided with services by ZIPAIR (air transportation services, point program services, etc.). ZIPAIR may not be able to provide a service in whole or in part if personal data is not provided.

6. Legitimate Interests of JAL Group AirlinesZIPAIR

ZIPAIR have a legitimate business interest in the use of personal data they collect to provide effective services and to perform the operations as airline companies.

7. Disclosure and Provision of Personal Data to other Companies

ZIPAIR disclose and provide customers' personal data to JAL Group companies to achieve the purposes stated in "3. Purpose and Legal Basis for Processing Personal Data".

Refer to the following website for details on group companies.

Customers' data may be disclosed or provided to partner airlines or companies entrusted with ground handling and check-in operations to provide air transportation services such as when using code share flights or connecting flights, and to achieve purposes such as mileage accumulation.

Where customers have made reservations via a travel agent, customer data is disclosed and provided to such travel agent in relation to the reservation.

Customers' data is transmitted to a server operated by Radixx, a company in United States that manages the passenger service system used by ZIPAIR.

ZIPAIR may conduct surveys relating to their services, etc. using an external web service. When a customer answers a survey, some personal data on customers is disclosed or provided to the operator that provides the web service. When requesting a response to a survey ZIPAIR indicate the name of the operator and matters concerning the processing of personal data by the operator.

ZIPAIR uses Google Analytics, a web analytics service provided by Google, Inc. (hereinafter referred to as "Google") on their websites to grasp the situation surrounding access to the sites. Cookies, web beacons, and other similar technology may be used to provide services. Cookies and web beacons, etc. are used to statistically analyse anonymous information and, as part of membership services, etc. may also be used to associate information that identifies customers so as to provide more customised services. ZIPAIR use user attribute and interest category reporting functions that respond to Google's advertising functions. Customers can opt-out of these (suspend functions) at their discretion. Visit the following sites for an explanation of how to opt-out:

Analytics Opt-Out Browser Add-on :(https://tools.google.com/dlpage/gaoptout)
User attribution and interest category reporting opt-out:( http://www.google.com/settings/ads/)

Where Point program’s customers request exchange of awards, etc., customer data necessary to provide awards (address, etc.) is disclosed and provided to related corporations (award providers, delivery companies, etc.).

Where required by law, customer data relating to reservations and itineraries (including passport, visa, and API data) may be submitted to the customs authorities or immigration bureaus in the customers' countries to be flown from, into or over, or in countries of transit and transfer.

Customers' personal data may be disclosed or provided to authorities or recipients prescribed in laws and regulations where necessary to comply with EU law or the laws and regulations of members of the EU/EEA.

8. Transfer of Personal Data to Non-EU Third Countries

ZIPAIR may transfer customers' personal data from within the EU/EEA to non EU/EEA countries and regions where there are ZIPAIR establishments or airports serviced by ZIPAIR in order to achieve the purposes stated in "3. Purpose and Legal Basis for Processing Personal Data".

In such case, except when the European Commission determines that the country or region has secured data protection at an adequate level, in principle, customers' personal data is transferred after executing standard data protection clauses as an appropriate protection measure in accordance with the provisions of the GDPR and the laws and regulations of EU/EEA member states.

Contact the inquiries section stated in "12. Inquiries" with questions, etc. regarding the above stated protection measures.

9. Management of Personal Data

ZIPAIR retain customers' personal data for the period necessary to achieve the purposes stated in "3. Purpose and Legal Basis for Processing Personal Data". Records concerning boarding by customers, such as reservations records and ticket information, are normally retained after boarding for a maximum of 7 years.

Where a Point program’s member, data is retained as membership data for a maximum 3 years after withdrawing membership, in addition to the period as a member. Furthermore, records concerning contracts and invoices are retained for the period necessary to meet legal obligations. If it is necessary for the establishment, exercise or defence of legal claims, we may keep personal data for a longer period.

Data collected during communication with customers (customer service records, records of e-mails received, etc.) is retained for the period necessary to provide even better services to customers.

Access logs, etc. recorded when the ZIPAIR website is accessed are retained for the period necessary for analysis by ZIPAIR.

10. How to Request Disclosure, etc. and Make Inquiries

When a data subject or his or her representative makes a request concerning personal data retained by JAL Group AirlinesZIPAIR, the Company shall respond as follows in accordance with GDPR:

Disclosure

The Company discloses retained personal data that identifies the data subject. (The Company will inform the data subject to such effect if there is no retained personal data that identifies the data subject.) However, where corresponding to any of the following, the Company may notify the data subject of the reason and refuse to disclose data in whole or in part.

Where the data subject's or a third party's life, health, property, or other rights or interests are likely to be harmed

Where the proper implementation of ZIPAIR' operations are likely to be hindered

Where disclosure will violate laws and regulations

Rectification

Where requested to rectify or make additions (hereinafter referred to as "Rectification, etc.") to retained personal data due to the retained personal data that identifies the data subject being incorrect, unless special procedures are prescribed in the provisions of laws and regulations regarding the Rectification, etc. of such details, the Company shall conduct necessary investigations without delay within the scope necessary to achieve purpose of processing. The Company shall notify of details without delay when all or a part of the retained personal data is Rectified, etc. as a result. The data subject shall be notified of such effect, outlining the grounds, if a decision is made not to carry out Rectification, etc.

Erasure

Where requested to erase retained personal data that identifies the data subject, the Company shall conduct necessary checks without delay such as where personal data is necessary in light of the purpose of processing. The Company shall notify of details without delay when all or a part of the retained personal data is erased as a result. The data subject shall be notified of such effect, outlining the grounds, if a decision is made not to carry out erasure.

Suspension of Use, etc.

Where requested to suspend use, erase, or suspend provision to a third party (hereinafter referred to as "Suspension of Use, etc.") of retained personal data, and when there is discovered to be grounds for such a request, the Company shall Suspend Use, etc. of such retained personal data without delay, to the extent necessary; provided, however, that where Suspension of Use, etc. of such retained personal data requires a considerable expense, or where Suspension of Use, etc. is otherwise difficult, the Company may substitute Suspension of Use, etc. with alternative measures necessary to protect the rights and interest of the data subject. The Company shall notify the data subject of such effect without delay when it has Suspended Use, etc. of all or a part of the retained personal data. The data subject shall be notified of such effect, outlining the grounds, if a decision is made not to carry out Suspension of Use, etc.

Data Portability

Where legal requirements are fulfilled, the Company shall provide personal data provided by data subjects that has been structured, generally used, and is in a machine readable format. Furthermore, where technically possible, personal data provided by data subjects shall be transmitted to other data controllers. The data subject shall be notified of such effect, outlining the grounds, if a decision is made not to provide or transmit personal data.

Procedure for Making Requests

Send the applicable request form (*1) and the necessary documentation (*2) (when requesting “disclosure” or “data portability”) to the following address:

Personal Information Handling Desk
ZIPAIR Tokyo, Inc.
Narita International Airport, Terminal 1, North Wing, 4F NA407, 1-1 sanrizuka aza goryobokujyo, Narita-city, Chiba, 282-00111

*1Download an application form from one of the following links:

Request for Disclosure of Retained Personal Data in ZIPAIR Tokyo Inc. Possession (PDF Approx 250KB)

Request for Rectification of Retained Personal Data in J ZIPAIR Possession (PDF Approx 247KB)

Request for Erasure of Retained Personal Data in ZIPAIR Tokyo Inc. Possession (PDF Approx 246KB)

Request for Suspension of Use, etc. of Retained Personal Data in ZIPAIR Possession (PDF Approx 247KB)

Request for Data Portability of Retained Personal Data in ZIPAIR Possession (PDF Approx 249KB)

Statement for Objection of Retained Personal Data in ZIPAIR Possession (PDF Approx 248KB)

*2Necessary documentation

Attach the following documents to confirm the identity of the data subject. Where requests are made by a representative, attach documents to confirm the identity of the representative together with documents to confirm the right to represent.

[Data Subject Identify Confirmation Documents] (Where requests are made by a representative, attach documents concerning the representative)

A copy of a driver's license, passport, health insurance card, or any other document issued by a public agency that can used to confirm the identity customer

[Address Confirmation Documents]

Where the above document (from a government or public office) does not include an address, in order to confirm the addressee, attach a document issued by a public agency that indicates a current address (issued within three months of making the request).

[Right of Representation Confirmation Documents]

Parental Authority:

Document that confirms the representative has parental authority

Guardian of Adult:

Document that confirms the representative is a guardian of adult

Statutory Agent:

Document that proves the representative is a statutory agent

Voluntary Representative:

Letter of proxy (signed by data subject)

In the case of requests from voluntary representatives, the Company may confirm delegation with the data subject or directly disclose, etc. personal data to the data subject.

In order to view PDF documents, you will need to install Adobe Reader on your computer.

Adobe Reader(Adobe Acrobat Reader)(https://get.adobe.com/reader/

11. Complaints Concerning Personal Data

Customers have the right to lodge an objection to the processing of their personal data retained by ZIPAIR if legal requirements are fulfilled concerning a particular situation. Where an objection is lodged and such objection fulfils legal requirements, ZIPAIR shall delete or suspend use of retained personal data in whole or in part, and notify the data subject of such effect without delay.

Where objections are lodged regarding direct marketing, ZIPAIR shall promptly suspend such direct marketing and notify the data subject of such effect without delay.

The data subject shall be notified of such effect, outlining the grounds, if a decision is made not to carry out Suspension of Use, etc. due to the lodging of an objection.

Customers have the right to make complaints concerning the processing of their personal data, against the EU/EEA member country in which the customer lives or works, or EU/EEA member countries' supervisory authorities that have engaged in illegal conduct. Contact each supervisory authority concerning specific complaint procedures, etc.

12. Inquiries

If you have any inquiries regarding "ZIPAIR: Processing of Personal Data in GDPR", please send your letter to the following address:

Personal Information Handling Desk
ZIPAIR Tokyo, Inc.
Narita International Airport, Terminal 1, North Wing, 4F NA407, 1-1 sanrizuka aza goryobokujyo, Narita-city, Chiba, 282-0011