Last Updated:?November 2019?
Malaysia Airlines?Berhad?is committed to the protection of your?Personal Data?and takes the matter of protecting your privacy as a high priority.?
This Privacy?Policy?explains general terms on how we collect, use and protect the privacy of your?Personal Data?under?various privacy laws to which we are subjected to.??
For the purposes of?the?EU?General Data Protection Regulation?(“GDPR”), the data controller?is Malaysia Airlines?Berhad, with its registered office at Malaysia Airlines?Berhad, 1st?Floor, Administration Building, South Support Zone, KLIA, 64000 Sepang, Selangor?(from now on referred?to as?(“Malaysia Airlines?Berhad”,?“we”,?or “us”).??
“Personal Data” means any information relating to an identified or identifiable natural person.??
The types of Personal Data that we collect directly from you or from third parties depend on the circumstances of collection and on the nature of the service requested or transaction undertaken. It may include:?
(a) Personal information that links back to an individual;?
(b) Contact information;?
(c) Payment information;
(d) Travel information;?
(e) Health information;?
(f) Technical information; and?
(g) Statistical data.?
How do we collect your?Personal Data??
We may collect and receive?Personal Data?directly from you or from your?authorized?representatives (i.e. persons whom you have?authorized, persons who have been validly identified as being you or your?authorized?representative pursuant to our security procedures), from third parties (e.g.,?travel agent or service providers) or the?Personal Data?of your relatives or principal where you disclose same on their behalf, including when you:?
(a) use any of our services, including when you travel with us or use airports where we operate or any facilities within those airports that we operate, such as our lounge facilities;?
(b) use or access our Website or Mobile Apps, particularly when completing the "passenger details" section?during the course of?a booking, even if you do not complete the booking;?
(c) communicate with us such as by email, telephone, in writing or through our customer services pages or social media platforms; or?
(d) register, create or modify an online or in-app account with us, including your?Enrich membership.?
We may also collect your?Personal Data?from publicly available sources through our Website or Mobile Apps and other channels including our ticketing counters and airport operations and third-party providers or our subcontractors where you have consented to provide your?Personal Data?to them or where we subcontract them to assist us?in providing services to you (e.g.?wheelchair assistance, transfers, special meals).??
Where you disclose Personal Data on behalf of another person, you undertake and will ensure that the individual whose Personal Data is supplied to?Malaysia Airlines?Berhad?has authorized the disclosure, is informed of and consents to the terms and conditions of this Privacy Notice. Where the disclosure is in respect of a child’s Personal Data, you should do as only as of the parent or legal guardian of that child and?enter into?relevant contracts on behalf of that child.?
What do we use your?Personal Data?for??
We may use your?Personal Data?for the following purposes:?
(a) to enable us to provide our services and perform our?obligations?to you;?
(b) to facilitate your travel (e.g., making a booking) and freight arrangements;?
(c) to verify the identity of passengers and perform luggage check-ins;?
(d) to provide flight alert?messages;
(e) to facilitate internet check-in;?
(f) to process any commercial transaction (e.g. In-flight sales);?
(g) to facilitate your participation in our or third parties’ loyalty programs;?
(h) to protect the safety and?well-being?of yourself and/or other customers;?
(i) to investigate and respond to claims and inquiries from you;?
(j) to remind you to complete your booking and/or offer our assistance (in case, for instance, failure to complete due to technical difficulties). This is an optional service. You can choose not to receive these emails at any time by following the link at the bottom of each such email;?
(k) to provide in-flight catering and other services that best meet your preferences and needs;?
(l) for financial purposes such as credit or other payment card verification, accounting, billing, and audit; and / or?
(m) for business development purposes such as statistical and marketing analysis, systems testing, maintenance and development, customer surveys, customer relations to advise on alterations to flights or to help us in any future dealings with you, for example by identifying your requirements and preference;?
(n) to comply with any legal or regulatory requirements;??
(o) to communicate promotions, offers, product, services, and information on products and activities, offers to upgrade or other notifications in relation to your booking;?and/or?
(p) marketing and communicating with you in relation to products and services offered by us and our service partners as well as our appointed agents.?
What are our legal bases for processing your Personal Data??
There are?a number of?different ways that we are lawfully able to process your Personal Data. We have set these out below.?
Where using your?Personal Data?is necessary for us to carry out our obligations under our contract with you?
We?are allowed to?use your?Personal Data?when it is necessary to do so for the performance of our contract with you.?
For example, we need to collect your contact details in order to be able to?book your flight or?provide you with?any additional?services you have requested.?
Where the processing is necessary for us to carry out our legal obligations?
As well as our obligations to you under any contract, we also have other legal obligations that we need to comply?with?and we are allowed to use your?Personal Data?when we need to in order to comply with those other legal obligations.?
For example, we are required to?transfer certain Personal Data to government authorities for anti-terrorism purposes.?
Where using your data is in our legitimate interests?
We?are allowed to?use your Personal Data where it is in our interests to do so, and those interests aren't outweighed by any potential prejudice to you.?
We believe that our use of your Personal Data is within?a number of?our legitimate interests, including but not limited to:?
- To enable us to provide our services to our customers;?
- To help us satisfy our legal obligations (for example, in relation to anti-terrorism);?
- To help us understand our customers better and provide better, more relevant services to them; and?
- To help us keep our systems and physical premises secure and prevent unauthorized access or?cyber-attacks.?
Where you give us your consent to use your?Personal Data?
We?are allowed to?use your data where you have specifically consented.?In order for?your consent to be valid:??
- It?has to?be given freely, without us putting you under any type of pressure;??
- You?have to?know what you are consenting to – so we'll make sure we give you enough information;?
- You should only be asked to consent to one thing at a time – we, therefore, avoid "bundling" consents together so that you don't know exactly what you're agreeing to; and?
- You need to take positive and affirmative action in giving us your consent – we're likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.??
As part of our relationship with you, we may ask you for specific consents to allow us to use your data in certain ways. For example, we currently ask for your consent to provide you with marketing communications. If we require your consent, we will provide you with?sufficient?information so that you can decide whether or not you wish to consent.?
You have the right to withdraw your consent at any time. We have set out details regarding how you can go about this above.?
You have various rights in relation to the?Personal Data?which we hold about you. We have described these below.??
To get in touch with us about any of these rights, please contact us at:?
Business Integrity Department,?
Malaysia Airlines Berhad, 1st Floor, Administration Building,
South Support Zone, KLIA, 64000 Sepang, Selangor, Malaysia.
We will seek to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise.??
Right to object?
This right enables you to object to us processing your?Personal Data?where we do so for one of the following reasons:??
- because it is in our legitimate interests to do so (for further information please see below);?
- to enable us to perform a task in the public interest or exercise official authority;??
- to send you direct marketing materials; or?
- for scientific, historical, research, or statistical purposes.?
Right to withdraw consent??
Where we have obtained your consent to process your?Personal Data?for certain activities (for example, for marketing), you may withdraw this consent at any time and we will cease to use your data for that purpose unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.??
In particular, you?may elect to stop receiving promotional activities by:?
(a)?? unsubscribing from the mailing list;?
(b)?? editing the relevant account settings to unsubscribe, or?
(c)?? sending a request to?[email protected]??
Data Subject Access Requests?
You may ask us for a copy of the information we hold about you at any time, and request us to modify, update or delete such information. If we provide you with access to the?information?we hold about you, we will not charge you for this unless permitted by law. If you request further copies of this information from us, we may charge you a reasonable administrative cost.? Where we are legally permitted to do so, we may refuse your request. If we refuse your?request?we will always tell you the reasons for doing so.??
Right to erasure??
You have the right to request that we "erase" your?Personal Data?in certain circumstances. Normally, this right exists where:?
- The data are no longer necessary;??
- You have withdrawn your consent to us using your data, and there is no other valid reason for us to continue;??
- The data has been processed unlawfully;??
- It is necessary for the data to be erased?in order for?us to comply with our obligations under law; or??
- You object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.??
We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we will always tell you our reason for doing so.?
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.??
Right to restrict processing??
You have the right to request that we restrict our processing of your?Personal Data?in certain circumstances, for example, if you dispute the accuracy of the?Personal Data?that we hold about you or you object to our processing of your?Personal Data?for our legitimate interests. If we have shared your?Personal Data?with third parties, we will notify them about the restricted processing unless this is impossible or involves a disproportionate effort. We will, of course, notify you before lifting any restriction on processing your?Personal Data.?
Right to rectification??
You have the right to request that we rectify any inaccurate or incomplete?Personal Data?that we hold about you. If we have shared this?Personal Data?with third parties, we will notify them about the rectification unless this is impossible or involves a disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete?Personal Data?to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.?
In particular, you?may update or make amendments to your?Personal Data?as below:?
(a) for online registered customers, you may log in to your online account and update your?Personal Data; or?
(b)?? for every other customer, you may email your request to?[email protected]?
Right of data portability??
If you wish, you have the right to transfer your?Personal Data?between service providers. In effect, this means that you?are able to?transfer the details we hold on you to another third party. To allow you to do so, we will provide you with your data in a commonly used machine-readable format so that you can transfer the data. Alternatively, we may directly transfer the data for you.??
Right to complain?
You have the right to lodge a complaint with our regulator, who is?the Commissioner of Personal Data Protection?in Malaysia.??
In Europe, the privacy regulators for each Member State are listed (along with contact details) on the following website: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
To whom do we disclose your?Personal Data??
We will not trade or sell your?Personal Data?to third parties. Your?Personal Data?shall only be disclosed or transferred to the following third parties appointed or authorized by the Company, who may be located within or outside Malaysia:?
(a) our travel and freight service providers or travel-related businesses;?
(b) our partner airlines and other carriers;?
(c) airport authorities;?
(d) our other affiliates and subsidiaries where it?is?necessary to facilitate your travel;?
(e) credit card verification providers,?
(f) data warehouse;?
(g) IT service providers;?
(h) data analytics and/or marketing agency;?
(i) other third parties in order to process your commercial transactions;?
(j) legal bodies as permitted or required by law such as in compliance with a warrant or subpoena issued by a court of competent jurisdiction; and/or?
(k) customs, immigration or other regulatory authorities applicable to you; and/or?
(l) safety and security personnel.?
In addition to the above, your?Personal Data?may also be disclosed or transferred to any of the Company’s actual and potential assignee, transferee or acquirer (within or outside Malaysia) (including our?affiliates and subsidiaries) of?our business, assets or group companies, or in connection with any corporate restructuring or exercise including the our restructuring to transfer the business, assets and/or liabilities.?
We shall take practical steps to ensure that their employees, officers, agents, consultants, contractors and such other third parties mentioned above who are involved in the collection, use and disclosure of your?Personal Data?will observe and adhere to the terms of this Privacy?Policy.?
Where do we store your?Personal Data??
We will store your?Personal Data?in the country in which we are based (i.e.?Malaysia).?As discussed above, we may also disclose your?Personal Data?to our group companies and their service providers located in Malaysia and elsewhere, and to employees operating outside of the EEA who work for us or for one of our group companies or their respective service providers.??
We want to make sure that your?Personal Data?is stored and transferred in a way that is secure.??
We will therefore only transfer data outside of the EEA where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data. For example, this could be:??
- By way of an intra-group agreement between MAB entities, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of?Personal Data?by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws;??
- By way of a data transfer agreement with a third party, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of?Personal Data?by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws; or??
- By transferring your data to an entity which has signed up to the EU-U.S. Privacy Shield Framework for the transfer of?Personal Data?from entities in the EU to entities in the United States of America or any equivalent agreement in respect of other jurisdictions; or??
- By transferring your data to a country where there has been a finding of adequacy by the European Commission in respect of that country's levels of data protection via its legislation; or??
- Where it is necessary for the conclusion or performance of a contract between?ourselves?and a third party and the transfer is in your interests for the purposes of that contract; or?
- Where you have explicitly consented to the data transfer.?
How?do we keep?your?Personal Data?secure??
We will take all reasonable precautions necessary to protect your?Personal Data?from misuse, interference and loss; and unauthorised access, modification or disclosure.?In addition, the?Company will secure?your data?in following ways:?
(a)? register all those who are allowed access;?
(b)? control and limit access based on necessity;?
(c)? maintain proper record of access and transfer of?Personal Data;?
(d)? ensure all employees of the Company protect confidentiality;?
(e)? conduct awareness programmes to all employees on responsibility to protect?Personal Data;?
(f)? establish physical security procedures;?
(g) bind third parties involved in processing of?Personal Data; and?
(h) do not use removable device and cloud computing service?to transfer?or store?Personal Data?unless with written consent from top management of the Company.?
For how long?do?we retain your?Personal Data??
We will not retain your?Personal Data?longer than necessary for the?purposes for which they are collected. However, relevant?Personal Data?may be retained subject to the conditions below:?
(a)? as and when required under legislation; or?
(b)? where legal actions have arisen and are pending.?
(c)? commercial/operational purposes of Malaysia Airlines?
We?shall take all reasonable steps to ensure that all?Personal Data?is destroyed or permanently deleted when no longer required and prepare disposal schedule for inactive data with?24 month?period.??
Links to third party website?
We may link this website and/or our applications to other companies or organizations websites (collectively, “Third Party Sites”). This Privacy?Policy?does not apply to such?Third Party?Sites as those sites are outside our control. If you access Third Party Sites using the links provided, the operators of these sites may collect your personal information. Please ensure that you are satisfied with the privacy statements of these?Third Party?Sites before you submit any personal information. We try, as far as we can, to ensure that all third party linked sites have equivalent measures for protection of your personal information, but we cannot be held responsible legally or otherwise for the activities, privacy policies or levels of privacy compliance of these Third Party Sites.?
Chief Privacy Officer,??
Business Integrity Department, Malaysia Airlines?Berhad,??1st?Floor, Administration Building, South Support Zone, KLIA,??
64000 Sepang, Selangor, Malaysia.??
Malaysia Airlines’ UK Office (Waqar Khan),?
No. 247-249,?Cromwell Road,
Kensington,?London SW5 9GA,??
Contact Details:?+44 (0) 207 341 2075?
If you are our Enrich members and wish to change your personal details, you may login to Enrich portal at?here. If you wish to amend either your Name or Date of Birth, please contact our Enrich team?here.??
If you have any queries or issues regarding your reservation and flight details, please click?here.??