KLM Recruitment Privacy Statement

Our privacy commitment to you

When you apply for a job with us, you trust us with your information. We find this relationship extremely important and promise the following to you.

• We always process your data in accordance with the EU Data Protection Rules and other applicable privacy legislation to protect it from unauthorized access and to ensure safe data transfers.
• We are transparent about how we use the data collected from you.
• We make clear to you what your benefit is for sharing your data with us and match our communication with your needs and preferences.
• We do this in easy-to-understand language throughout the whole application process.
• We put you in control of your data and will use your feedback to improve continuously.
• We ensure that your data is safe with us. In the unlikely event that your data has been breached, we will make sure to stop the leak as soon as possible and inform you immediately.
• If we need to disclose your data outside our organization, we describe this explicitly in our Privacy Statement. We do not share, sell, or give your personal information to any outside organization without your explicit consent.
• We are trustworthy with your data and strive for international certifications (e.g. ISO-27001)

About this privacy statement

This privacy statement applies to all personal data that KLM processes when an applicant enters the application process or contacts us. We process your personal data primarily for the application process and to answer your questions. Your personal data will also be used for a screening if you enter into an employment contract with KLM. A ‘certificate of no objection’ (Verklaring van Geen Bezwaar, VGB) is required for several positions. Your personal data will also be used for this application if this requirement applies to your position.

In this privacy statement, we provide more information about the personal data we collect and use and what your rights are.

In case you apply for a job at one of KLM’s subsidiaries via the KLM job site, the privacy statement of that specific subsidiary is applicable for the application process. You can find a link to that applicable privacy statement in the job offer or on the website of the applicable subsidiary. The KLM privacy statement shall also apply to all KLC job offers, except for KLC Cabin Crew job offers.

1. Who are we

We are Koninklijke Luchtvaart Maatschappij NV (also known as KLM Royal Dutch Airlines or KLM), a Dutch airline, with its office at Amsterdamseweg 55, 1182 GP Amstelveen, The Netherlands. KLM is part of the Air France-KLM Group. For more information, please check our website www.klm.com (http://www.klm.com) under “Corporate” (https://www.klm.com/information/corporate). KLM is responsible for the collection and use of your personal data described in this privacy statement.

2. Types of personal data we collect and use

2.1. General We may collect and use the following categories of personal data:

(A) Name, and other identifying data When you apply for a job via the KLM job site, we collect your name and country of residence.

(B) Your contact details We collect your telephone number and e-mail address.

(C) Our communication with you When you send us an e-mail or contact us though one of our social media channels, we register your messages. If you call us, our employees will register your questions or complaints in our database.

(D) Information we collect when you use our websites or other digital services When you visit our websites or any other digital service, we may register your IP address, browser type, operating system, referring website and web-browsing behavior. We collect this information via cookies and similar technologies. For more information, please read our cookie policy (https://www.klm.nl/en/information/legal/cookie-policy).

(E) Information you choose to share with us We collect and use information that you choose to share with us, for example when you share your interests and preferences on our website or fill out a survey.

2.2 Special categories of personal data Some categories of personal data, such as data revealing racial or ethnic origin, data revealing religious or philosophical beliefs, health-related data, and personal data relating to criminal law matters, are subject to stricter rules under applicable privacy laws. We collect and use these categories of personal data when you share these data with us. We normally do not collect or use special categories of personal data.

3. How we collect your data

We collect the categories of personal data referred to above in the following ways:

(A) Personal data provided by you When you apply for a job via the KLM job site, fill out a survey, contact us or subscribe to receive our e-mails.

(B) Personal data received from other parties, such as employment agencies We receive your data from these parties to handle your application(s). We then receive your identifying data and contact details from those third parties.

(C) When you use our website or mobile apps, we collect information using cookies and similar technologies KLM uses its own cookies and third-party cookies. For more information, please read our cookie policy (https://www.klm.nl/en/information/legal/cookie-policy).

(D) We receive certain information from public authorities or government agencies to maintain safety and security within KLM These data relate to the KLM screening process and the application of a VGB, if applicable for the job position.

4. Purposes for which we use your data

4.1. Main purposes for which we use your personal data

(A) To provide our services to you in the application process We use the information described under 2.1 (A) to (E) to handle your application. For example, we use your name and other identifying information to handle your job application. We use your contact details to inform you about the application status.

(B) To send you a survey about the application process You may receive an invitation to fill out a survey about your experiences before, during and after the application process. The results of the survey are fully anonymized. Participating in the survey is on a voluntary basis only and will not affect your job application in any way.

(C) To communicate with you We use your contact details to communicate with you about the job application process, to answer your questions, or to address your complaints.

(D) To conduct our business operations or to comply with statutory obligations We collect, use, and retain your personal data to conduct our business operations, such as for record-keeping purposes, to prevent or combat fraud, or to settle disputes. We also collect and use your personal data to comply with our legal obligations.

4.2 Legal basis We may collect and use your personal data only if we have a legal basis for doing so. In many cases for the job application process, we need your personal data to receive and process your application, to store your job application, set up job interviews, to answer your questions and to perform the KLM screening. (see 4.1 (A), (B) and (D) above). In those cases, the legal basis for processing your data is ‘processing is necessary for the purposes of the legitimate interests pursued by the controller'. We will always consider all interests carefully: your interests, the interests of others, and KLM's interests. If you have consented to the collection and use of your personal data (which consent you may withdraw at any time, see 8 “Your rights” below), we will collect and use your data based on that consent. On that legal basis, we will collect and use your data for, for instance, job offers and surveys. (see 4.1 (B) above for more information) If you refuse to provide the personal data that we need for the application process or to comply with a legal obligation, we may not be able to complete the application process in full. We may have to stop the application process. If you provide incomplete or inaccurate information, we may be forced to deny you entering the application process or to stop the application process.

5. Granting access to or sharing data with third parties

We may share your personal data with third parties in the following cases:

(A) To facilitate the VGB application. To handle your VGB application (when applicable for the job position), we need to share your personal data with the Dutch authorities; the AIVD.

(B) With an employment agency If you have already worked for KLM as a flex worker, it is possible that we may contact the employment agency for which you work / worked in order to determine which form of contract we can offer you. We will always ask for your prior consent for this processing of your personal data.

(C) For support or additional services To provide our services, we use the support or additional services of third parties, such as IT suppliers. All such third parties are required to adequately safeguard your personal data and only use such data in accordance with our instructions. The Air France-KLM group carries out its business operations using centralized databases and systems. Those central databases and systems may be hosted or managed by one group company for other group companies. In addition, for efficiency purposes, certain operational functions may be performed by one group company for other group companies. This means that our group companies may have access to your personal data for these purposes. Our group companies may only use your personal data as required for the relevant business function and in accordance with this privacy statement.

6. Security and retention

6.1. Security

(A) Our commitment Ensuring the security and confidentiality of your personal data is our priority. Taking into account the nature of your personal data and the risks of processing, we have put in place all appropriate technical and organizational measures as required by applicable legal provisions (in particular article 32 of the General Data Protection Regulation (GDPR)) so as to ensure an appropriate level of security and, in particular, to prevent any accidental or unlawful destruction, loss, alteration, disclosure, intrusion of or unauthorized access to these data.

(B) The security measures we have taken

1. Organizational measures We have implemented and maintain various organizational measures intended to strengthen the awareness and accountability of our employees. We have programs in place designed both to ensure awareness and to promote the sharing of good practices and safety standards. In this context, a rich collection of documents on information security challenges and privacy protection have been made available to our employees.

2. Technical measures We strictly control physical and logical access to internal servers hosting or processing your personal data. We protect our network with state-of-the-art hardware devices (Firewall, IDS, DLP etc.) as well as architectures (including secure protocols such as TLS 1.2) to prevent and limit the risk of cybercrime.

3. Contractual measures We may use the services of third parties in the application process like, for instance, an assessment agency. KLM sets strict requirements for these third parties and contractual agreements are made with these parties about the processing and the security of your personal data.

(C) The evolution of our security systemsTo maintain an appropriate level of security, we have internal processes in place based on the best standards (in particular, the ISO 27000 family of standards). We rely on dedicated experts to guarantee the best possible level of protection. In this regard, we maintain a privileged relationship with the NCSC (National Cyber Security Centre).

(D) How to protect yourself Personal data security and confidentiality depend on everyone's best practices. To avoid the risk of hacking, we recommend using different passwords for every online service you use. We cannot be held responsible for theft of your data on a platform that is not managed by us. If you decide to publish these documents on social media, you are responsible for consulting and understanding the general conditions of use, information security practices and privacy policies applicable to those third-party social networks. We cannot be held responsible for how data is processed, stored or disclosed on these platforms.

(E) Management of security incidents There is no such thing as ‘zero risk’ and even if we implement all the security measures recognized as appropriate, unforeseen things can happen. We have specific procedures and resources in place to manage security incidents under the best possible conditions. We have also set up a specific procedure for assessing possible breaches of security that could lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to your personal data, for notifying the competent supervisory authority within the period stipulated by applicable law, and for warning you when a breach is likely to result in a high risk to your rights and freedoms. Tests are carried out periodically to verify the functioning of the security installations and adequacy of the procedures and devices deployed.

6.2. Retention

We do not keep your personal data for any longer than is necessary. How long your personal data is retained depends on the purposes for which the data is processed and the applicable statutory retention periods. In case you were rejected for your job application, your job application data will be kept for one year after the end of the job application process. See 4.2. legal basis

7. International transfer of data

KLM will not transfer your personal data outside the European Economic Area.

8. Your rights

8.1. You may contact our Privacy Office (see 8.4 below) to exercise any of the rights you are granted under applicable data protection laws, including (A) the right to access your data, (B) to rectify your data, (C) to erase your data, (D) to restrict the processing of your data, (E) the right to data portability, and (F) the right to object to processing.

(A) Right to access You may ask us whether we collect or use any of your personal data and, if so, to receive access to that data in the form of a copy.

(B) Right to rectification You have the right to have your data rectified if it is inaccurate or incomplete. Upon request, we will correct inaccurate personal data about you and, taking into account the purposes of the processing, complete incomplete personal data, which may include the provision of a supplementary statement.

(C) Right to erasure You have the right to have your personal data erased. This means that we will delete your data. Erasure of your personal data only takes place in certain cases, as prescribed by law and listed in Article 17 of the General Data Protection Regulation (GDPR). This includes situations where your personal data is no longer necessary for the purposes for which it was originally processed and situations where your data was processed unlawfully. Due to the way in which we maintain certain services, it may take some time before backup copies are erased.

(D) Right to restriction of processing You have the right to obtain a restriction on the processing of your personal data. This means that we will suspend the processing of your data for a certain period. Circumstances which may give rise to this right include situations where the accuracy of your personal data is contested, and we need some time to verify its (in)accuracy. This right does not prevent us from continuing to store your personal data. We will inform you before the restriction is lifted.

(E) Right to data portability Your right to data portability entails that you may ask us to provide you with your personal data in a structured, commonly used and machine-readable format, and have such data transmitted directly to another controller, where technically feasible. Upon request and where this is technically feasible, we will transmit your personal data directly to the other controller.

(F) Right to object You have the right to object to the processing of your personal data. This means you may ask us to no longer process your personal data. This only applies if the 'legitimate interests' ground (including profiling) constitutes the legal basis for processing (see 4.3 “Legal basis” above). You can object to direct marketing at any time and at no cost to you if your personal data is processed for this purpose, which includes profiling to the extent that it is related to direct marketing. If you exercise this right, we will no longer process your personal data for such purposes.

8.2. Withdrawal of consent You may withdraw your consent at any time by following the specific instructions concerning the processing for which you provided your consent. For example, you can withdraw consent by clicking the unsubscribe link in the e-mail or adjusting your communication preferences in your account (if available). You can also contact the KLM Privacy Office. For more information on how you can withdraw your consent for cookies and similar technologies we use when you visit our websites or use our mobile apps, please check ourcookie policy (https://www.klm.com/information/legal/cookie-policy).

8.3. Denial or restriction of rights There may be situations where we are entitled to deny or restrict your rights as described in 8.2 above. In all cases, we will carefully assess whether such an exemption applies, and inform you accordingly. We may, for example, deny your request for access when necessary to protect the rights and freedoms of other individuals, or refuse to delete your personal data in case the processing of such data is necessary for compliance with legal obligations. The right to data portability, for example, does not apply if the personal data was not provided by you or if we process the data on grounds other than your consent or for the performance of a contract.

8.4. Privacy Office If you wish to exercise your rights, please send your request to KLM’s Privacy Office: KLM Royal Dutch Airlines Privacy Office - AMSPI PO Box 7700 NL-1117 ZL Luchthaven Schiphol, The Netherlands E-mail: KLMPrivacyOffice@klm.com (mailto:KLMPrivacyOffice@klm.com)

8.5. Questions, comments or complaints If you have any questions, comments or complaints about this privacy statement, please feel free to contact us. If your concerns have not been addressed to your satisfaction, you have the right to file a complaint with the competent supervisory authority. In the Netherlands, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (https://autoriteitpersoonsgegevens.nl/) in The Hague is responsible for monitoring compliance with privacy regulations.

9. How this privacy statement is updated

9.1. This privacy statement took effect on 12 April 2024 and replaced our previous privacy statement of 24 August 2023. This privacy statement is amended from time to time. We will notify you of any changes.