Last Updated: July 2018
Malaysia Airlines Berhad is committed to the protection of your Personal Data and takes the matter of protecting your privacy as high priority.
For the purposes of the EU General Data Protection Regulation (“GDPR”), the data controller is Malaysia Airlines Berhad, with its registered office at Malaysia Airlines Berhad, 1st Floor, Administration Building, South Support Zone, KLIA, 64000 Sepang, Selangor (from now on referred to as (“Malaysia Airlines Berhad”, “we”, or “us”).
What is Personal Data?
“Personal Data” means any information relating to an identified or identifiable natural person.
The types of Personal Data that we collect directly from you or from third parties depend on the circumstances of collection and on the nature of the service requested or transaction undertaken. It may include:
(a) personal information that links back to an individual;
(b) contact information;
(c) payment information;
(d) travel information;
(e) health information;
(f) technical information; and
(g) statistical data.
How do we collect your Personal Data?
(a) when making a booking with us, checking-in for a flight or lodging freight;
(b) via any online sites operated by us and our contractors;
(c) under any other contractual agreement or arrangement;
(d) via a third party, e.g., travel agent or our service provider;
Some of the other ways we collect Personal Data may include (but are not limited to):
(a) communications with you via telephone, letter, fax and email;
(b) when you visit our website or one of our contractors’ websites;
(c) when you contact us in person;
(d) when we contact you in person;
(e) when we collect information about you from third parties; and other channels including our ticketing counters and airport operations.
How do we collect your Personal Data?
We may collect and receive Personal Data directly from you or from your authorised representatives (i.e. persons whom you have authorised, persons who have been validly identified as being you or your authorised representative pursuant to our security procedures), from third parties (e.g., travel agent or service providers) or the Personal Data of your relatives or principal where you disclose same on their behalf, including when you:
(a) use any of our services, including when you travel with us or use airports where we operate or any facilities within those airports that we operate, such as our lounge facilities;
(b) use or access our Website or Mobile Apps, particularly when completing the "passenger details" section during the course of a booking, even if you do not complete the booking;
(c) communicate with us such as by email, telephone, in writing or through our customer services pages or social media platforms; or
(d) register, create or modify an online or in-app account with us, including your Enrich membership.
We may also collect your Personal Data from publicly available sources through our Website or Mobile Apps and other channels including our ticketing counters and airport operations and third party providers or our subcontractors where you have consented to providing your Personal Data to them or where we subcontract them to assist us in providing services to you (e.g. wheelchair assistance, transfers, special meals).
Where you disclose Personal Data on behalf of another person, you undertake and will ensure that the individual whose Personal Data is supplied to Malaysia Airlines Berhad has authorized the disclosure, is informed of and consents to the terms and conditions of this Privacy Notice. Where the disclosure if in respect of a child’s Personal Data, you should do as only as the parent or legal guardian of that child and enter into relevant contracts on behalf of that child.
What do we use your Personal Data for?
We may use your Personal Data for the following purposes:
a) to enable us to provide our services and perform our obligations to you;
b) to facilitate your travel (e.g., making a booking) and freight arrangements;
c) to verify identity of passengers and perform luggage check-ins;
d) to provide flight alert messages;g
e) to facilitate internet check-in;
f) to process any commercial transaction (e.g. In-flight sales);
g) to facilitate your participation in our or third parties’ loyalty programs;
h) to protect the safety and well-being of yourself and/or other customers;
i) to investigate and respond to claims and inquiries from you;
j) to remind you to complete your booking and/or offer our assistance (in case, for instance, failure to complete due to technical difficulties). This is an optional service. You can choose not to receive these emails at any time by following the link at the bottom of each such email;
k) to provide in-flight catering and other services that best meet your preferences and needs;
l) for financial purposes such as credit or other payment card verification, accounting, billing and audit; and / or
m) for business development purposes such as statistical and marketing analysis, systems testing, maintenance and development, customer surveys, customer relations to advise on alterations to flights or to help us in any future dealings with you, for example by identifying your requirements and preference;
n) to comply with any legal or regulatory requirements;
o) to communicate promotions, offers, product, services and information on products and activities, offers to upgrade or other notifications in relation to your booking; and/or
p) marketing and communicating with you in relation to products and services offered by us and our service partners as well as our appointed agents.
What are our legal bases for processing your Personal Data?
There are a number of different ways that we are lawfully able to process your Personal Data. We have set these out below.
Where using your Personal Data is necessary for us to carry out our obligations under our contract with you
We are allowed to use your Personal Data when it is necessary to do so for the performance of our contract with you.
For example, we need to collect your contact details in order to be able to book your flight or provide you with any additional services you have requested.
Where processing is necessary for us to carry out our legal obligations
As well as our obligations to you under any contract, we also have other legal obligations that we need to comply with and we are allowed to use your Personal Data when we need to in order to comply with those other legal obligations.
For example, we are required to transfer certain Personal Data to government authorities for anti-terrorism purposes.
Where using your data is in our legitimate interests
We are allowed to use your Personal Data where it is in our interests to do so, and those interests aren't outweighed by any potential prejudice to you.
We believe that our use of your Personal Data is within a number of our legitimate interests, including but not limited to:
- To enable us to provide our services to our customers;
- To help us satisfy our legal obligations (for example, in relation to anti-terrorism);
- To help us understand our customers better and provide better, more relevant services to them; and
- To help us keep our systems and physical premises secure and prevent unauthorized access or cyber attacks.
Where you give us your consent to use your Personal Data
We are allowed to use your data where you have specifically consented. In order for your consent to be valid:
- It has to be given freely, without us putting you under any type of pressure;
- You have to know what you are consenting to – so we'll make sure we give you enough information;
- You should only be asked to consent to one thing at a time – we therefore avoid "bundling" consents together so that you don't know exactly what you're agreeing to; and
- You need to take positive and affirmative action in giving us your consent – we're likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.
As part of our relationship with you, we may ask you for specific consents to allow us to use your data in certain ways. For example, we currently ask for your consent to provide you with marketing communications. If we require your consent, we will provide you with sufficient information so that you can decide whether or not you wish to consent.
You have the right to withdraw your consent at any time. We have set out details regarding how you can go about this above.
You have various rights in relation to the Personal Data which we hold about you. We have described these below.
To get in touch with us about any of these rights, please contact us at:
Business Integrity Department,
Malaysia Airlines Berhad, 1st Floor, Administration Building,
South Support Zone, KLIA, 64000 Sepang, Selangor, Malaysia.
We will seek to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise.
Right to object
This right enables you to object to us processing your Personal Data where we do so for one of the following reasons:
- because it is in our legitimate interests to do so (for further information please see below);
- to enable us to perform a task in the public interest or exercise official authority;
- to send you direct marketing materials; or
- for scientific, historical, research, or statistical purposes.
Right to withdraw consent
Where we have obtained your consent to process your Personal Data for certain activities (for example, for marketing), you may withdraw this consent at any time and we will cease to use your data for that purpose unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.
In particular, you may elect to stop receiving promotional activities by:
(a) unsubscribing from the mailing list;
(b) editing the relevant account settings to unsubscribe; or
(c) sending a request to [email protected]
Data Subject Access Requests
You may ask us for a copy of the information we hold about you at any time, and request us to modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this unless permitted by law. If you request further copies of this information from us, we may charge you a reasonable administrative cost. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.
Right to erasure
You have the right to request that we "erase" your Personal Data in certain circumstances. Normally, this right exists where:
- The data are no longer necessary;
- You have withdrawn your consent to us using your data, and there is no other valid reason for us to continue;
- The data has been processed unlawfully;
- It is necessary for the data to be erased in order for us to comply with our obligations under law; or
- You object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we will always tell you our reason for doing so.
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.
Right to restrict processing
You have the right to request that we restrict our processing of your Personal Data in certain circumstances, for example if you dispute the accuracy of the Personal Data that we hold about you or you object to our processing of your Personal Data for our legitimate interests. If we have shared your Personal Data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your Personal Data.
Right to rectification
You have the right to request that we rectify any inaccurate or incomplete Personal Data that we hold about you. If we have shared this Personal Data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete Personal Data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
In particular, you may update or make amendments to your Personal Data as below:
(a) for online registered customers, you may login to your online account and update your Personal Data; or
(b) for every other customer, you may email your request to [email protected]
Right of data portability
If you wish, you have the right to transfer your Personal Data between service providers. In effect, this means that you are able to transfer the details we hold on you to another third party. To allow you to do so, we will provide you with your data in a commonly used machine-readable format so that you can transfer the data. Alternatively, we may directly transfer the data for you.
Right to complain
You have the right to lodge a complaint with our regulator, who is the Commissioner of Personal Data Protection in Malaysia.
In Europe, the privacy regulators for each Member State are listed (along with contact details) on the following website: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
To whom do we disclose your Personal Data?
We will not trade or sell your Personal Data to third parties. Your Personal Data shall only be disclosed or transferred to the following third parties appointed or authorised by the Company, who may be located within or outside Malaysia:
a) our travel and freight service providers or travel-related businesses;
b) our partner airlines and other carriers;
c) airport authorities;
d) our other affiliates and subsidiaries where it is necessary to facilitate your travel;
e) credit card verification providers,
f) data warehouse;
g) IT service providers;
h) data analytics and/or marketing agency;
i) other third parties in order to process your commercial transactions;
j) legal bodies as permitted or required by law such as in compliance with a warrant or subpoena issued by a court of competent jurisdiction; and/or
k) customs, immigration or other regulatory authorities applicable to you; and/or
l) safety and security personnel.
In addition to the above, your Personal Data may also be disclosed or transferred to any of the Company’s actual and potential assignee, transferee or acquirer (within or outside Malaysia) (including our affiliates and subsidiaries) of our business, assets or group companies, or in connection with any corporate restructuring or exercise including the our restructuring to transfer the business, assets and/or liabilities.
Where do we store your Personal Data?
We will store your Personal Data in the country in which we are based (i.e. Malaysia). As discussed above, we may also disclose your Personal Data to our group companies and their service providers located in Malaysia and elsewhere, and to employees operating outside of the EEA who work for us or for one of our group companies or their respective service providers.
We want to make sure that your Personal Data is stored and transferred in a way which is secure.
We will therefore only transfer data outside of the EEA where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data. For example, this could be:
- By way of an intra-group agreement between MAB entities, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of Personal Data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws;
- By way of a data transfer agreement with a third party, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of Personal Data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws; or
- By transferring your data to an entity which has signed up to the EU-U.S. Privacy Shield Framework for the transfer of Personal Data from entities in the EU to entities in the United States of America or any equivalent agreement in respect of other jurisdictions; or
- By transferring your data to a country where there has been a finding of adequacy by the European Commission in respect of that country's levels of data protection via its legislation; or
- Where it is necessary for the conclusion or performance of a contract between ourselves and a third party and the transfer is in your interests for the purposes of that contract; or
- Where you have explicitly consented to the data transfer.
How do we keep your Personal Data secure?
We will take all reasonable precautions necessary to protect your Personal Data from misuse, interference and loss; and unauthorised access, modification or disclosure. In addition, the Company will secure your data in following ways:
(a) register all those who are allowed access;
(b) control and limit access based on necessity;
(c) maintain proper record of access and transfer of Personal Data;
(d) ensure all employees of the Company protect confidentiality;
(e) conduct awareness programmes to all employees on responsibility to protect Personal Data;
(f) establish physical security procedures;
(g) bind third parties involved in processing of Personal Data; and
(h) do not use removable device and cloud computing service to transfer or store Personal Data unless with written consent from top management of the Company.
For how long do we retain your Personal Data?
We will not retain your Personal Data longer than necessary for the purposes for which they are collected. However, relevant Personal Data may be retained subject to the conditions below:
(a) as and when required under legislation; or
(b) where legal actions have arisen and are pending.
(c) commercial/operational purposes of Malaysia Airlines
We shall take all reasonable steps to ensure that all Personal Data is destroyed or permanently deleted when no longer required and prepare disposal schedule for inactive data with 24 month period.
Links to third party website
Chief Privacy Officer,
Business Integrity Department, Malaysia Airlines Berhad,
1st Floor, Administration Building, South Support Zone, KLIA,
64000 Sepang, Selangor, Malaysia.
Malaysia Airlines’ UK Office (Waqar Khan),
No. 247-249, Cromwell Road,
Kensington, London SW5 9GA,
Contact Details: +44 (0) 207 341 2075
If you are our Enrich members and wish to change your personal details, you may login to Enrich portal at here. If you wish to amend either your Name or Date of Birth, please contact our Enrich team here.
If you have any queries or issues regarding your reservation and flight details, please click here.