Privacy Policy

 

At China Eastern Airlines Company Limited (“China Eastern”, “we” or “us”), we respect and protect your privacy rights. This Privacy Policy describes how we treat the Personal Data we collect.Specifically, this includes how we treat the Personal Data when you use our website www.ceair.com or any other Internet properties operated by us that link to this Privacy Policy (collectively, the "Sites") or call our customer service team. 

Please read the following Privacy Policy to understand what information we collect, for which purposes we use it and your rights regarding your Personal Data. By providing your Personal Data to us, you are consenting to this Privacy Policy and the collection, use, disclosure, access, sharing, transfer, storage and processing of your Personal Data for the purposes described in this Privacy Policy (except where your express consentis required under applicable law). We will not use your Personal Data beyond the collection purpose notified at the time of collection of the Personal Data. If it is truly necessary to use Personal Data beyond such scope, we will inform you in a timely manner and use it after we have obtained your renewed consent. 

Please note that we reserve the right to review and update this Privacy Policy from time to time.If we make any material changes to the Privacy Policy, we will notify you by means of a general notice on the Sites or other legally required means prior to the new policy's taking effect. If you use a Site after the updated Privacy Policy becomes effective, you will be deemed to have agreed to the amended Privacy Policy. If you believe that, during the period from the issuance date to the effective date of this Privacy Policy, the updated Privacy Policy would be more advantageous to you, then we agree that the updated Privacy Policy will govern.  

The latest issuance date of this Privacy Policy is [October 31], 2018.  This Privacy Policy will officially become effective on [November 15], 2018.

Table of Content 

1.INFORMATION THAT WE COLLECT ABOUT YOU

2.WHY WE COLLECT YOUR PERSONAL DATA AND WHAT IS THE LEGAL BASIS 

3.USE OF COOKIES ON OUR SITES 

4.LINKS TO OTHER WEBSITES 

5.SECURITY AND STORAGE 

6.DISCLOSURE AND TRANSFER OF PERSONAL DATA 

7.DIRECT MARKETING 

8.WHAT ARE YOUR RIGHTS 

9.DATA CONTROLLER AND CONTROLLER’S REPRESENTATIVE 

Privacy Policy

 

1.  Information that We Collect about You

a) Browsing Data 

In general, the browsing of the Sites does not imply collection and processing of personal data.  The computer systems used to operate the Sites could acquire, during the normal course of operation, some personal data whose transmission is implicit in the communication protocols of the internet. Such data are not collected with the aim to identify you, but could lead to your identification in some circumstances if, by way of example, combined with data held from third parties. This category of data includes the IP address and domain name of your computer, URI addresses (Uniform Resource Identifier) of requested resources, the time of request, the method utilized to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the response from the server and other parameters related to your operating system. Such data are used only to obtain anonymous statistical information on the use of the Sites and to check its correct functioning and are deleted immediately after their processing.  

b) Data voluntarily provided by you

We collect Personal Data voluntarily provided by you upon interaction with the functionalities of our Sites, mobile services and other channels that may be used to personally identify you (“Personal Data”).  If we obtained your Personal Data indirectly from a third party, we will confirm the legality of the source of the Personal Data, based on our agreement with the third party.  We will use your Personal Data after such confirmation, subject to compliance with relevant laws and regulations.  Personal Data include:

·  Your personal information such as your name, gender, date of birth, identity card number, passport or other personally identifiable number and information about your registered status with any of our subsidiaries, associated companies and/or business associates;

·  Your contact information such as your telephone numbers, mailing addresses, email addresses, and fax numbers;

· Your credit or debit card information and billing information, including name of cardholder, card number, billing address and expiry date;

·   Your business information such as company name, business title and associated contact information;

·  Your travel details such as flight information, travel companions’ personal information, destination contact information, seat and meal preferences, flight and hotel preferences, and information related to traveler special needs;

· With your free and express consent, your responses to market surveys and contests conducted by us or on our behalf;

· Your online identification information, such as account name, account nickname, email address, passwords relating to the foregoing, and password protection questions and answers. 

Please note: Your [identity card, passport, permanent residence booklet and telephone numbers, online identification information, bank account numbers, itinerary information and web page browsing records] are sensitive personal information.  

c) If you are 16 years of age or younger, you are not allowed to use our Sites, mobile services, etc.  Considering that we cannot tell the age of online visitors, if a minor provides Personal Data to us without the consent of his or her parent or guardian, his or her parent or guardian may send an email toCEAPrivacyOffice@ceair.com to remove the information or remove the opportunity of being contacted for the scheduled promotional activity. We neither intend nor try to collect information on minors.

2.  Why We Collect Your Personal Data and What is the Legal Basis

We may use the Personal Data you provided and process them both through automatic and manual means for the following purposes.  It should be pointed out that we provide two types of services to you, namely core services and auxiliary services: 

a)    Core Services 

Our products and/or services include core service features [necessary for providing you with travel and transportation services and ensuring transaction security].  These features include: 

·         Processing and administering your reservation and/or travel services with or through us;

·         Your participation in our mileage program as a frequent flyer;

·          Providing other airport and travel related services, such as duty free sales and travel packages.

·              Processing and administering your reservation and/or use of our freight services;

·        Your use of the online services available at any of our Sites and/or through other telecommunication channels;

·         Supplying any products and/or services which you may require;

·         Confirmation and verification of your identity in connection with any of the services or products that may be supplied to you;

·         Contacting you regarding your enquiries;

·         Disclosing information to a third party to comply with any laws, legal requirements, orders, directions or requests from any court, authority or government body of any jurisdiction, which may be within or outside of the People's Republic of China;

·         Facilitating the payment for products and services provided by us or our subsidiaries, associated companies and/or business associates including verification of credit card details with third parties and using the Personal Data you provide to conduct matching procedures against databases of known fraudulent transactions (maintained by us or third parties);

·         Improving our security, including in relation to the processing of payment by credit card to guard against the risk of fraud including carrying out matching procedures against databases of known fraudulent transactions (maintained by us or third parties);

·         Processing any baggage or loss claims. 

The types of Personal Data we collect include the following (please note that the following information includes some of your sensitive personal information (sensitive personal information is shown in bold print)): 

·         Your title and full name (including your surname, first name and any former names);

·         Your date of birth;

·         Your gender;

·         The type,number, validity period and issuing country of your passport;

·         You frequent flyer program and membership number;

·         Youremail address;

·         Yourmobile phone number

·         Your country of residence;

·         The name, gender and mobile phone number of your emergency contact person and that person's relationship to you. 

The legal basis for our collection of the Personal Data includes performance of the contracts signed with you and fulfilment of our legal obligations. 

Providing your Personal Data for the above mentioned purposes is necessary and denial thereof will prevent us from fulfilling contractual obligations with you, processing your reservation, providing you with customer support, answering your enquiries or providing you with other requested services (e.g. travel and shipping services). 

b)    Auxiliary Services 

We may also use your Personal Data for the following auxiliary services: 

·         Administering contents and sweepstakes conducted by us or in our name.

·         With your free and express consent, we may also use your Personal Data for marketing, promotional and customer relationship management purposes, carried out through both automatic (email, SMS, MMS, fax) and non automatic means (traditional mail, telephone). Service content includes sending you updates on latest offers and promotions in connection with our products and services and conducting market research.You always have the choice to select your preferred contact means or not to receive marketing information at all. For further information and instructions please see Section 7 - Direct Marketing. With your free and express consent we can also communicate your data to our business partners for marketing purposes carried out by said third parties through both electronic (email, sms, mms, fax) and non-electronic means (traditional mail, telephone).

·         With your free and express consent, we may also process your Personal Data in order to build individual user and group profiles (i.e. profiling activities). 

Please note that providing your Personal Data for the above mentioned purposes is optional and denial thereof will not prevent us from fulfilling contractual obligations with you, processing your reservation, providing you with customer support, answering your enquiries and providing you with other requested services (e.g. travel and shipping services). 

In addition, we may from time to time use non-identifying information about our customers to better design our Sites and/or to improve our services and products. This means we may provide this information to third parties.  However, this information will never identify any single user in particular. 

c)   Except as provided otherwise in this Privacy Policy, the Personal Data you provide to us will not be shared by us with third parties, transferred by us to third parties or made public by us for use in ways unrelated to the aforementioned purposes without your prior consent. 

Please note that you are fully aware that your authorization or consent will not be required for our collection and use of Personal Data: 

·            In connection with national security or defense;

·            In connection with public security, public hygiene or important reasons of public interest;

·            In connection with criminal investigations, institution of legal actions, trials or enforcement of judgments, etc.;

·          In order to protect material legal rights and interests such as the lives or property of Personal Data subjects or other individuals, where it is very difficult to obtain the consent of the person concerned;

·         Where the Personal Data collected was made public by the Personal Data subject himself or herself; 

·             In other circumstances provided for in laws or regulations.

3.  Use of Cookies on Our Sites

Our Sites use cookies which amongst other things, help us to improve your experience of Sites and to ensure that they perform as you expect them to. 

Cookies are text files containing small amounts of information, which are downloaded to your computer or mobile device by websites that you visit.  

We use cookies to remember users’ settings and market products and services, and for authentication purposes.You can set your browser to notify you when you receive a cookie and give you the option to accept or reject it, or you can set your browser to generally reject cookies.Please note that if cookies are disabled or removed, not all features of our Sites will operate as intended.To learn more about the cookies we use please visit our Cookie Policy .

4.  Links to Other Websites

Our Sites contain links to websites that are owned and/or operated by third party companies. We are not responsible for the privacy practices or the content of such websites. You should check the applicable privacy policies of those third parties prior to providing them with any information.

5. Security and Storage

a) Security Measures 

To maintain the accuracy of the Personal Data, as well as to prevent unauthorized access and ensure the correct use of Personal Data, we undertake that we have implemented appropriate physical, technical, and organizational measures to safeguard and secure the Personal Data we collect in compliance with applicable laws and regulations. 

For example, we use Secure Socket Layer (SSL) protocol—an industry standard for encryption over the Internet—to protect in transmission the Personal Data we collect online.  When you type in sensitive information such as credit card details, it will be automatically converted into codes before being securely dispatched over the Internet.  All electronic Personal Data that we maintain are securely stored and further protected through our use of appropriate access controls.  We also authenticate the identity of Personal Data processing staff and control their authority.  In addition, we sign confidentiality agreements with our staff and cooperation partners who have access to your Personal Data, which spell out their rights and duties and ensure that only authorized staff can access your Personal Data.  When disposing of Personal Data, paper documents containing Personal Data are securely destroyed, and electronic files storing Personal Data are permanently deleted. 

In addition, to better protect your Personal Data, some areas of our Sites or our mobile services channels are inaccessible unless you supply individually identifiable and verifiable information, such as your Eastern Miles Membership Number and Password, or log in using your User ID and PIN. 

Furthermore, we organize security and privacy protection training courses to strengthen security awareness and increase our employees' appreciation of the importance of Personal Data protection. 

As stated above, in some instances we may entrust third party service providers within or outside of China with the use of Personal Data for the purposes we specify, subject to their giving of an undertaking that they will abide by the applicable laws and regulations on the security and protection of Personal Data. For further details on disclosure and transfer of your Personal Data, please refer to Section 6 below. 

b) Handling of Security Incidents 

To deal with potential risks such as divulgence, damage, destruction and loss of Personal Data, we have formulated several regulations providing methods and procedures for responding to, and dealing with, security incidents.  In addition, to deal with security incidents in a proper manner, we will arrange for dedicated personnel to respond to and deal with such incidents, adopt effective contingency plans for different security incidents, formulate and adopt timely measures to stem and remedy the damage, and actively cooperate with the relevant authorities. 

Should a Personal Data security incident occur, we will inform you in a timely manner, as required by laws and regulations, of matters such as the basic circumstances of the incident, the possible impact, the response adopted or to be adopted by us, the precautions and remedies that you could consider, etc.  Such information will be communicated to you by means such as email, letter, telephone, push notification, etc.  If the actual circumstances at the time make it difficult for us to inform affected Personal Data subjects individually, we will publish the information by reasonable and effective means.  In addition, we will proactively report our handling of the Personal Data security incident to the authorities, as required by the regulators. 

c) Storage of Personal Data  

We may retain your Personal Data for as long as needed to fulfil the purposes outlined in this policy, unless a longer retention period is required or permitted by law.When the retention period set by us is exceeded, we will delete or anonymize your Personal Data. In particular, Personal Data will be stored according to the below:  

Purposes of the processing	Categories of data	Retention period
Core services (e.g. processing and administering your reservation and/or travel services with or through us)	·  personal information ·  contact information · credit or debit cardinformation ·  office information ·  travel details · responses to market surveys · online identification information   Please note that the above-mentioned information includes sensitive personal information about you.	Data will be stored as long as necessary and legally permitted to provide you with the services/products, pay damages and manage contracts;
Auxiliary services (sending you marketing communications; enabling you to participate in contests and sweepstakes conducted by us or in our name; providing you with other airport and travel related services)	·         personal information ·         contact information ·         online identification information   Please note that the above-mentioned information includes sensitive personal information about you.	Maximum period permitted by applicable laws and regulations
Auxiliary services (creating a profileof your traveling choices and personal characteristics, so as to enhance your customer experience; your participation in our mileage program as a frequent flyer)	·         personal information ·         contact information ·         office information ·         travel details ·         responses to market surveys ·         online identification information   Please note that the above-mentioned information includes sensitive personal information about you.	Maximum period permitted by applicable laws and regulations

We will inform you in a timely manner, as required by laws and regulations, in the event of discontinuation of any of our services. Such information will be communicated to you by means such as email, letter, telephone, push notification, etc.  If the actual circumstances at the time make it difficult for us to inform affected Personal Data subjects individually, we will publish the information by reasonable and effective means.

6.  Disclosure and Transfer of Personal Data

All Personal Data collected by China Eastern will be stored [inside China].  However,China Eastern is a global airline company with operations, offices, affiliates, and business partners located worldwide.  As such, the Personal Data you submit to us in one country may be transferred, used, processed, stored, and accessed worldwide, for the purposes described in this Privacy Policy. By accepting the content of this Privacy Policy, you will be deemed to have consented to the foregoing and your Personal Data may be transferred to the country of destination of the flight that you reserved with China Eastern. 

In addition, we may disclose and transfer Personal Data to and jointly use Personal Data with our subsidiaries, associated companies, business associates, service providers, and other persons concerned with the services and products received or requested by you, whether they be located inside or outside China.  We may disclose this information to facilitate communication of news and information about such services and products and otherwise for the purposes mentioned above, under Section 2, " Why We Collect Your Personal Data." 

We will share your Personal Data only for lawful, proper, necessary, specific and clear-cut purposes, and only to the extent necessary for provision of the services.  Personal Data will be processed only by parties previously duly appointed as data processors or as data controllers, as applicable for the purposes specified above.  We will make all commercially reasonable efforts to review the data security capabilities of, and enter into confidentiality agreements with, third parties with which we share Personal Data, requiring them to process your Personal Data in accordance with this Privacy Policy and other relevant non-disclosure and security measures. 

In particular, we may share your Personal Data with the entities set forth below.  Please note that the Personal Data we disclose to the following third parties may include some of your sensitive personal information: 

·         any China Eastern Airlines group companies, including but not limited to, China Eastern Airlines E-Commerce Company Limited;

·         China Travel Sky Holding Company and its subsidiaries;

 any agent, contractor or third party service provider who provides administrative, marketing and research, distribution, data processing, telemarketing, telecommunications, computer, payment or other services to China Eastern in connection with the operation of its business;

other business associates such air carriers, land or sea transport operators, loyalty program operators, and other companies involved in providing customer service or fulfilling customer requests;

credit reference agencies;

credit, debit and /or charge card companies and/or banks;

government or non-government authorities, agencies, and/or regulators;

medical professionals, insurers, and clinics/hospitals. 

Where permitted by applicable local law, we may also disclose your Personal Data to third parties:  (i) when required by law, by court order, or in response to a search warrant or other legally valid inquiry; (ii) to an investigative body; (iii) to enforce our agreements with you; (iv) when requested by other government or law enforcement authorities (such as immigration and customs control and/or border control agencies); (v) with your express consent; or (vi) pursuant to our good faith belief that disclosure is required by law or otherwise necessary to the establishment of legal claims or defenses, to obtain legal advice, to exercise and defend our legal rights, to protect our rights or property and those of our subsidiaries or associated companies, or to protect the life, body or property of an individual. This also applies when we believe that disclosing the Personal Data is necessary to identify, contact or bring legal action against someone who may be causing interference with our rights or properties, whether intentionally or otherwise, or when anyone else could be harmed by such activities. 

We may also transfer any information we have about you as an asset in connection with a merger or sale (including transfers made as part of insolvency or bankruptcy proceedings) involving all or part of China Eastern or as part of a corporate reorganization or stock sale or other change in corporate control, to an actualor proposed assignee, transferee, participant or sub-participant.Following such change, the above-mentioned entities will continue to fulfill the responsibilities and obligations set out in this Privacy Policy, and any change they may wish to make to the purpose for which Personal Data are used will be subject to your renewed consent.  

Please be advised that the Personal Data that China Eastern collects or obtains may be transferred to jurisdictions that offer lesser protection of Personal Data than that provided in your jurisdiction.When Personal Data are transferred to recipients in countries not ensuring an adequate level of data protection, we will take appropriate measures to ensure that the recipient implement adequate safeguards to your Personal Data in accordance with applicable laws and regulations (including but not limited to standards contractual clauses and adequacy decisions). 

You can obtain copy of such safeguards contacting us as specified under Section 8 – “What Are Your Rights” below.

7.  Direct Marketing

We intend to occasionally use your Personal Data (i.e. your name and contact details) to send you marketing communications such as emails containing news, offers, promotions and joint marketing offers about our travel services and packages, loyalty programs, duty-free sales and other travel related auxiliary services such as travel insurance, hotel transfers and car rentals. However, we will require your express consent before doing so. Please see below on how to provide us with your consent. 

With your free and express consent, we may also provide your Personal Data (i.e. your name and contact details) to third parties, namely our subsidiaries, associated companies, business associates, marketing partners, and travel service partners, for the purpose of marketing their products and services to you, namely travel services and packages, loyalty programs, duty-free sales and other travel related auxiliary services such as travel insurance, hotel transfers and car rentals. 

  You may indicate your consent to the above by the following ways: 

 when providing us with your Personal Data through our Sites or a form, ticking boxes indicating your consents; or

 when providing us with your Personal Data through the telephone, tell our customer representative that you consent. 

 You may opt-out from receiving marketing communications at any time, free of charge, by: 

following the opt-out instructions contained in the communications;

writing to us at the address listed below, under Section 8 – “How to Access or Correct Your Personal Data”; or 

updating your email subscriptions by sending an emailto CEAPrivacyOffice@ceair.com.

8.  What are Your Rights

At any time you have the right to exercise your rights  under applicable laws and regulations: 

a) Right of access:You have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, to request access to the Personal Data. The access information includes – in particular – the purposes of the processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data have been or will be disclosed.

You have the right to obtain a copy of the Personal Data undergoing processing. For additional copies requested by you, we may charge a reasonable fee based on administrative costs. 

b)Right to rectification:You have the right to obtain from us the rectification of inaccurate Personal Data concerning you. Depending on the purposes of the processing, you have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement. 

c)Right to erasure (right to be forgotten):You have the right to ask us to erase your Personal Data. 

d)Right to restriction of processing:You have the right to request that we restrict the processing your Personal Data. In this case, the respective data will be marked and may only be processed by us for certain purposes. 

e)Right to data portability:You have the right to request to receive your Personal Data in a structured, commonly used and machine-readable format and you have the right to transmit those Personal Data to another company without hindrance from us. 

f)Right to object: 

You have the right to object, based on your particular situation, at any time to the processing of your Personal Data by us and we can be required to no longer process your Personal Data. If you have a right to object and you exercise this right, your Personal Data will no longer be processed for such purposes by us. Exercising this right will not incur any costs. However, in certain circumstances such a right to object may not exist, e.g. if the processing of your Personal Data is necessary to take steps prior to entering into a contract or to perform a contract already concluded. [Please understand that any service feature requires some basic Personal Data before it can be provided.  After you exercise your right to object, we will be unable to continue providing the service corresponding to the Personal Data involved in the objection and we will no longer process your corresponding Personal Data.]

 

g)Right to cancel account 

You have the right to cancel a previously registered account at any time.  You may request cancellation of your account by sending an email toCEAPrivacyOffice@ceair.com. Upon completion of the cancellation of your account, all information therein will be deleted or anonymized and we will no longer collect, use or provide to third parties Personal Data relating to the account.  Nevertheless, the information provided by you or generated during CEAPrivacyOffice@ceair.com your use of our services will need to be retained by us for the period required by laws and regulations, and authorities will have the right to access such information according to law during that legal retention period. 

If you wish to make a request for access or correction to, or deletion or data portability of Personal Data, or a request for account cancellation or any other request concerning your rights (such as the right to obtain the restriction of the processing of your Personal Data), or if you would like to obtain information regarding policies and practices and the kinds of Personal Data held by us, you can contact us at the following address: 

China Eastern Airlines Company Limited

36 Hong Xiang San Road

Minhang District, Shanghai 201100

China

CEAPrivacyOffice@ceair.com  

You also have the right to lodge a complaint with the relevant Data Protection Authority. Normally we will reply within [30] days.  If you are dissatisfied with our reply, and particularly if you believe that our processing of Personal Data infringed your lawful rights and interests, you can also file a complaint or report with regulators such as the civil aviation administration authority, the Cyberspace Administration of China, the Market Supervision Administration, etc.

9.  Data Controller and Controller’s Representative

Any Personal Data provided to or gathered by China Eastern is controlled primarily by China Eastern Airlines Company Limited, with its registered office at66Jichang Avenue, Pudong International Airport, Shanghai, China.  Its Italian branch is at Via Barberini 86, Rome; its German branch is atRossmarkt 5, D-60311 Frankfurt am Main, Germany; its French branch is at 20 Avenue de l'Opéra 75001 Paris, France; its UK branch is at 37-39 George Street, London, W1U 3QD, UK; its Spanish branch is at C/Gran Via, 57.11-H.28013, Madrid, Spain; its Dutch branch is at 7th floor Tower C, World Trade Centre, Schiphol Boulevard 343, 1118BJ Schiphol, the Netherlands; and its Czech branch is at Florentinum | Na Florenci 2116/15,Prague 1, Czech Republic.

 

*****