Cathay Pacific Customer Privacy Policy - Non-European Appendix
This Appendix applies if you are based in the following countries/regions during your interactions with us
1.1 Overseas recipients of Personal Data
(a) In the course of providing our products and services to you, we may disclose your Personal Data to the following overseas recipients:
i. companies within Cathay Pacific, our affiliates and their subsidiaries, and third party service providers that are located overseas who assist us in providing our travel (including transit) and associated services; and
ii. law enforcement agencies, regulatory authorities and governments for security, customs and immigration purposes.
(b) These recipients may be located in any country to which you travel, or which you travel through, either with us or our partner airlines.
(c) We may disclose your Personal Data to recipients in countries that you are travelling to or you are sending cargo to or from in order to provide travel, freight and reservation services. The overseas recipients include recipients in countries through which you are transiting, or when you travel on flights operated by other airlines, or countries in which our service providers operate or have their headquarters.
(d) We may also disclose your Personal Data to data processors (including operators of global travel distribution systems), customer service providers and third party marketing service providers. The regions in which these third parties are located include the European Union countries, Asia, North America, Australia, South America and the Middle East.
1.2 Accessing and correcting your personal information
(a) If you are a Cathay Membership Programme member or a Registered Account holder, you may seek to access the personal information that we hold about you, and seek to update or correct it by logging into your electronic account and editing your profile, preferences or settings. You may also seek to access or correct your personal information by contacting our customer representatives, or by contacting the Data Protection Office using the contact details in the Privacy Policy.
1.3 Complaints
(a) You may request further information about the way we manage your Personal Data or lodge a complaint by contacting our Data Protection Officer using the contact details in section 8.4 of the Privacy Policy.
(b) We will deal with any complaint by investigating it, and providing a response to you within a reasonable time, provided that we have all necessary information and have completed any investigation required. In some cases, we may need to ask you to put your complaint in writing so that we are sure that we understand it, and may also need to ask you for further information or to verify your identity. In cases where further information, assessment or investigation is required, we will seek to agree an alternative timeframe with you.
(c) If you are dissatisfied with the outcome, please contact us. Alternatively, you may take your complaint to the Privacy Commissioner at the Office of the Australian Information Commissioner (OAIC). The contact details for the OAIC are available from the OAIC’s website at www.oaic.gov.au.
2.1 Consent and withdrawal of consent:
Where you have consented to our use of your Personal Data, you may withdraw your consent to the use of your Personal Data. You may do this by contacting us as set out in section 8.4 of the Privacy Policy.
We may continue to use and disclose your Personal Data where it is required to provide you with the services you have requested or that we have agreed to provide you, or in accordance with the law.
2.2 Marketing and profile information:
In connection with our marketing activities, we analyse some of the information that we collect about our customers (together with information about customers that we collect from our loyalty and other partners) to determine what offers are most likely to be of interest to different categories of customers in different circumstances and at different times. We call this the creation of “segments”. To do this, we combine Personal Data that we have collected from customers directly together with Personal Data that we have collected from our affiliates and other partners, including Asia Miles, about our customers’ purchase history and interactions with us. From time to time, we will assess the Personal Data that we hold about you in order to assign you to a particular segment. We will use the segment that you have been assigned to in order to tailor our marketing communications to include offers and content that are relevant to you.
2.3 Consent for electronic marketing communications:
We will only send you electronic communications in relation to marketing activities if you have provided express opt-in consent to do so. This does not include transactional communications which facilitate or confirm purchases or services, or responses to inquiries from you.
2.4 Opting out of direct marketing:
You have the right to opt out of our direct marketing, and the underlying analysis of your Personal Data that we use to tailor the direct marketing that we send to you, at any time. You can exercise this right by contacting us in accordance with section 8.4 of the Privacy Policy, or by opting out or updating your e-mail subscriptions in accordance with section 8.2 of the Privacy Policy.
2.5 Using your Personal Data to make decisions:
In connection with our business, we will use your Personal Data to make various decisions about you and your eligibility to access our services, to prevent abusive use of our services, to ensure security of our systems, or to detect fraud. Some of these decisions may be taken on an automated basis, including by matching your Personal Data against information in certain risk models that we have created based on the behaviour of other individuals and using your Personal Data to further enhance such models.
2.6 Storage and access outside of Canada:
Your Personal Data may be accessed and stored outside of Canada by staff or suppliers, transferred, and/or stored outside Canada. Your Personal Data may be subject to access and disclosure to governmental and law enforcement authorities in those countries and in accordance with the laws of those countries.
2.7 Rights of access and correction:
You have rights of access to and correction of your Personal Data, subject to exceptions in accordance with the laws of Canada. We may charge you a reasonable fee in respect of certain access rights and will advise you of this in the course of any request. You may exercise your rights by contacting us at the contact details in section 8.4 of the Privacy Policy.
2.8 Accountability:
If you have any concerns or questions about how we are collecting, using or disclosing your Personal Data, you may contact us in accordance with section 8.4 of the Privacy Policy. If you are not satisfied with how we resolve your questions or concerns, you may contact the Office of the Privacy Commissioner of Canada.
3.1 The following sentence shall be added to the introductory section of the Privacy Policy before the start of clause 1:
“For the purpose of the Privacy Policy, “Cathay Pacific” means Cathay Pacific Airways Limited, Hong Kong Dragon Airlines Limited, Cathay Holidays Limited (and its subsidiaries). Among these entities Cathay Pacific Airways Limited is responsible for handling your Personal Data and acts as a point of contact for any enquiries, complaints, data corrections or update requests”.
3.2 The first sentence of Section 5 (Who we share your Personal Data with) of the Privacy Policy is replaced by the following language:
“In certain circumstances, to the extent permitted by the Act on Protection of Personal Information of Japan (Act No.57 of 2003) and based on your consent if required by the law, we will disclose your Personal Data to third parties as described below:”
3.3 Processing of special categories of Personal Data
(a) We will collect and handle sensitive Personal Data, for example, when we handle requests for special medical or access assistance or your specific dietary requirements that may indicate your religious or other beliefs.
(b) We will typically ask you for your consent when collecting, handling or sharing this type of Personal Data with a third party, unless we are otherwise permitted to process such Personal Data under the Act on Protection of Personal Information of Japan (Act No.57 of 2003) (APPI).
3.4 Your rights
(a) In addition to Section 8 (Your rights) of the Privacy Policy, in certain circumstances, you may have the right under the APPI to ask us to:
(i) correct, add or delete Personal Data if the Personal Data held by us is not accurate;
(ii) stop the use or sharing with a third party of, or delete, Personal Data if the use or sharing is against the rules of the APPI;
(b) These rights are subject to certain exemptions to safeguard the life, body or assets of you or a third party (e.g. the prevention or detection of crime) and our interests, due to requirements of other laws or availability of less onerous options.
4.1 The following sentence shall be added as a final paragraph in the introductory section of the Privacy Policy before the start of clause 1:
“By providing us with your Personal Data and continuing to use our services, you agree to the processing of your Personal Data in accordance with the terms of this Privacy Policy, which may be amended or updated from time to time.”
4.2 The following section 2.3 shall be added to the Privacy Policy:
“2.3 We will process sensitive Personal Data, for example, when we handle requests for special medical or access assistance or your specific dietary requirements that may indicate your health issues. We will ask you for your written consent when processing this type of Personal Data, unless we are otherwise permitted to process such sensitive Personal Data under the Malaysian Personal Data Protection Act 2010.”
5.1 The following sentence shall be added as a final paragraph in the introductory section of the Privacy Policy before the start of clause 1:
“You consent to the collection, use and disclosure of your Personal Data as described in this Privacy Policy.”
6.1 The following sentence shall be added as a final paragraph in the introductory section of the Privacy Policy before the start of clause 1:
“You consent to the collection and use of your Personal Data in accordance with the terms of this Privacy Policy”
6.2 The following clause shall be added to the Privacy Policy as section 5.6:
5.6 Names of third party recipients of your Personal Data and description of their processing work
The names of third parties that will process your Personal Data on our behalf and descriptions of their work are as follows. This list may be amended or updated from time to time.
Service Provider (Trade Name) | Description of Work |
---|---|
Swissport Korea | Ground handling service in Incheon Intl Airport including check-in, reservation and ticketing, providing notice of change, ticket sales, guiding use of lounge by members, assistance in membership subscription and response to queries on mileage service, etc. |
Asiana Airlines | Ground handling services in Busan and Jeju Intl Airport including check-in, reservation and ticketing, providing notice of change, assistance in membership subscription and response to queries on mileage service, etc. |
SMS transmission/messaging service providers | SMS transmission for notification or reminders on flights, etc. |
IBM | Mainframe: To perform auto-tracking and retro claim processing for oneworld and Asia Miles partners |
AWS | Cloud service. |
OpenJaw | Travel retail platform for Cathay |
Amadeus | Amadeus is the Internet application for passengers to book flights online |
Novatti | eVoucher Management System |
Salesforce | Salesforce provides an application to store and handle customer contacts and to manage customer feedback and compensation |
CHAMP | Cargo Service System for Carrier and Handling |
Adyen | Payment gateway |
Alipay | Payment service |
Acoustic (Silverpop) | Marketing automation & email marketing software |
Go Logistics and Storage | Cathay Shop Product delivery |
TravelSky Technology Limited | For APP booking management in the reservation systems |
Asia Miles Limited | Asia Miles accrual |
6.3 The following paragraph shall replace section 7.3 (Retention Period) of the Privacy Policy:
7.3 Retention Period
Our retention periods for Personal Data are based on business needs and legal requirements. We will retain your Personal Data for as long as is necessary for the processing purpose(s) for which it was collected and any other permitted linked purpose. For example, we may retain: (i) certain transaction details (e.g. flight history) and correspondence until the time limit for claims arising from the transaction with us has expired (which is typically between 6 to 10 years after the relevant transaction occurred, and in some cases much less than this); or (ii) certain data to comply with regulatory requirements regarding the retention of such data. Where Personal Data is no longer needed, we either irreversibly anonymise the data (in which case we may further retain and use the anonymised data) or securely destroy the data.
6.4 The following sentence shall be added to section 8.1:
“If you are under the age of 14, your legal guardian will have the rights under section 8.”
6.5 The following clause shall be added to Privacy Policy as section 5.7 of the Privacy Policy:
5.7 Provision of personal data to a third party when booking flight tickets
5.7.1 Personal data you provide when you book flights online include the following. Please note, personal data collected from you may vary depending on the nature of services provided to you:
Mandatory information:
- Your family name, given names, title
- Your travel companions' family name, given names, title (when applicable)
- Mobile phone number, Email address
- Payment information
- Date of birth (applicable to children under the age of 12)
- Travel document information (applicable to specific points of departure/destinations)
- Nationality, gender, date of birth (applicable to specific points of departure/destinations)
- Destination contact information (applicable to specific points of departure/destinations)
- Destination address (applicable to specific points of departure/destinations)
- Region of residence (applicable to specific points of departure/destinations)
- Emergency contact (applicable to specific points of departure/destinations)
Optional Information (May be requested based on the point of Departure / Destination):
- Meal preferences (since preferable meal information is optional, you can still book online)
- Seat preferences (since preferable seat information is optional, you can still book online without this selected)
- Any frequent flyer programme information and membership number
Please note: unaccompanied young travellers under the age of 14 will need additional consent from a guardian for collection and use of their personal data. Please contact the reservation department in Seoul at +82 1644-8003 before checking in online.
5.7.2 In addition, we may provide your personal data to third parties in the following cases:
Name of Recipient | Items of Personal data Provided | Purpose of Use by Recipient | Period of Retention and Use by Recipient |
---|---|---|---|
AMADEUS IT GROUP, S.A | All information collected in booking | For managing passenger flight bookings | 7 years |
oneworld Alliance and other partner airlines (details available here) | | Points accrual | Until termination of contract |
Asia Miles Limited | | Asia Miles accrual | Until member account termination |
TravelSky Technology Limited | All information collected in APP booking | For APP booking management in the reservation systems | 7 years |
Adyen | Payment information | For cash (non-miles) payment | 7 years |
Aviation authorities in the countries where CX operates | Advance passenger information | Legal/regulatory requirement | In accordance with applicable laws/regulations |
6.6 The following clause shall be added to the Privacy Policy as section 7.4
7.4 Methods and Process of Destruction of Personal data
We will destroy personal data without delay when either the purpose of processing has been achieved or the period of processing and retention has expired.
If it is required to continue to preserve personal data pursuant to other laws and regulations even though the retention period of the personal data consented by the data subject has expired or the purpose of processing such personal data has been achieved, the personal data shall be segregated to ensure that the purpose of processing will be limited accordingly.
The procedure and methods for destruction of personal data are as follows:
Destruction Procedure: We select the personal data subject to destruction and destroy it under the supervision of our Data Privacy Officer.
Destruction Methods: We permanently delete personal data stored in the form of an electronic file using a technical method that renders the record irrecoverable. For other records, printed materials, written documents or recording media, we destroy them by shredding or incinerating them.
6.7 The following clause shall be added to the Privacy Policy as section 2.3
2.3. Information we collect when you book non-members' tickets
When booking non-members’ tickets, we collect your personal data referred to in Sections 2 and 5.7.1 of the Privacy Policy, except for frequent flyer programme code, number and related information.
6.8 The following clause shall be added to Privacy Policy as section 5.8 of the Privacy Policy:
5.8 Overseas transfer of personal data
We transfer or retain users' personal data overseas as below. You are entitled to refuse to consent to the overseas transfer of your personal data. If you do not consent to the overseas transfer, please contact dpo@cathaypacific.com. However, if you refuse to provide your consent, you may be restricted from using our services.
Name of recipient (Country to which personal data will be transferred/ Contact information of their respective person in charge of managing the personal data) | Items of personal data transferred overseas | Timing and method of transfer | Purpose of use by the recipient | Period of retention and use by recipient |
---|---|---|---|---|
AMADEUS IT GROUP, S.A (Germany/ dataprotection@amadeus.com) | All information collected in booking | Online transmission upon creation of booking | For managing passenger flight bookings | 7 years |
oneworld Alliance partners (Locations of airlines/ Contacts please refer to link) | | Online transmission upon creation of booking | Points accrual | Until termination of the contract |
Asia Miles Limited (Hong Kong/ dpo@cathaypacific.com) | | Online transmission upon creation of member account and booking | Asia Miles accrual | Until member account termination |
TravelSky Technology Limited (China/ helpdesk@travelsky.com) | All information collected in APP booking | Online transmission upon creation of booking | For APP booking management in the reservation system | 7 years |
Adyen (Netherlands/ dpo@adyen.com) | Stored credit card information | Online transmission upon creation of payment | For cash (non-miles) payment | 7 years |
OpenJaw (Ireland, Data Centre : Singapore/ dpo@openjawtech.com) | | Online transmission upon creation of Cathay Holidays booking | For Cathay Holidays Booking, Redemption & Amendments | 7 years |
Salesforce (Marketing Cloud) (the US/ privacy@salesforce.com) | Member information such as name, contact mobile, email, miles balance, miles transaction, booking, consent | Online transmission upon creation of member account and communication | For member communication management | 1 – 7 years |
Acoustic (Silverpop) (the US/ privacy@acoustic.com) | | Online transmission upon creation of communication | For passenger communication | 450 days |
Novatti (Hong Kong/ privacy.officer@novatti.com) | | Online transmission upon change/update of member benefit | For retrieving member benefit entitlement | 7 years |
Go Logistics and Storage Company Limited (Hong Kong/ info@gols.com.hk) | | Online transmission upon purchase | For product delivery | 7 years |
AWS (Singapore/ aws-korea-privacy@amazon.com) | | Online transmission upon member registration and update | For storage on cloud | 7 years |
CHAMP (Luxembourg/ dpo@champ.aero) | Cargo Airway Bill | Online transmission upon cargo shipment order creation and update | For managing cargo shipment | 7 years |
IBM (Australia/ https://www.ibm.com/privacy/portal/contact/us-en) | Passenger information | Online transmission upon miles accrual/retro activities | For miles accrual/retro activities | 7 years |
7.1 The following section 2.3 shall be added to the Privacy Policy:
“2.3 We will collect and handle sensitive Personal Data, for example, when we handle requests for special medical or access assistance or your specific dietary requirements that may indicate your health issues. We will ask you for your written consent when collecting and handling this type of Personal Data, unless we are otherwise permitted to collect, process or use such Personal Data under Taiwan Personal Data Protection Law.”
7.2 The following section 4.2 shall be added to the Privacy Policy:
“4.2 Your Personal Data may be used in electronic form and/or hard copy form or in any appropriate manner.”
7.3 The following sentence shall be added to section 8.1:
“In addition to the above, you have the right (subject to exceptions and in accordance with Taiwan Personal Data Protection Law) to request a copy of your Personal Data held by us or require us to delete or cease the collection, processing or use of your Personal Data. You may exercise these rights by contacting us at the contact details in section 8.4 of the Privacy Policy.”
8.1 California Privacy Rights
8.1.1 Privacy Rights
Under California Civil Code TITLE 1.81.5. California Consumer Privacy Act of 2018 (CCPA) sections 1798.100 - 1798.199, California residents are entitled to:
- Access to Specific Information: You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months.
- Deletion of Specific Information: You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions.
Please submit a written request by contacting us at the contact details in section 8.4 of the Privacy Policy.
We will not discriminate against you for exercising any of your CCPA rights.
8.1.2 Do We Sell Your Personal Data?
We do not sell information that directly identifies you, like your name, address, or banking information. However, the CCPA’s broad definitions of “sale” and “personal information” may deem the common flow of information in the digital analytics and advertising ecosystem to be a sale. Like most companies we use online analytics to measure the ways users engage with our websites and apps. These analytics, in turn, inform how we perform online advertising. In order to provide these analytics and facilitate online advertising, we use third-parties that collect device identifiers and place tags, cookies, beacons, and similar tracking mechanisms on our websites/apps and on third-party websites/apps. You can find more information on how we use such cookies in our Cookies Policy.
8.2 Children
Other than information required to complete a booking, we do not knowingly collect personally identifiable information from children under the age of 13. If we learn that we have collected Personal Data from a child under the age of 13, we will take reasonable steps to delete that information. Where required by applicable law, we may ask a parent or guardian for consent before we provide a product or service to a minor.
8.3 Your Rights And Choices
You may have additional rights and choices regarding how we process your personal information. Those additional rights and choices are listed below.
We reserve the right to verify your identity in connection with any requests regarding personal information to help ensure that we provide the information to the individuals to whom it pertains, and allow only those individuals or their authorized representatives to exercise rights with respect to that information. We will try to comply with your request as soon as reasonably practicable.
Please note that your exercise of these rights is subject to limitations and we may reject your request.
Access and correction: You may access the information we maintain about you. You may request access to correct any errors in your personal information.
Deletion: You may request that we delete your personal information. Please note, we may be required by legal or other reasons to retain your personal information.
Do Not Sell My Personal Information: To the extent that we sell customer data, you may have the right to direct us to stop selling your personal information if we are doing so.
Please contact us using the contact details in section 8.4 of the Privacy Policy if you would like to exercise any of these rights or request more information. Where required by applicable law, we will notify you if we reject your request and notify you of the reasons we are unable to honor your request.
8.4 The following sentence shall be added to section 9:
“In relation to web browser-based do-not-track (“DNT”) signals, because there is not yet a consensus on how companies should respond to web browser-based DNT mechanisms in Europe, the US and California, we do not explain how we respond to web browser-based DNT signals at this time.”