(Microsoft Word - Politique de confidentialit\351 du dispositif d'alerte AF 13072023 V1.2 EN)

AIR FRANCE WHISTLEBLOWING SYSTEM

Version of 13 July 2023

1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER:

In accordance with the regulations applicable to the protection of personal data, in particular the

provisions of the French Data Protection Act of January 6, 1978 as amended and the General Data

Protection Regulation (EU Regulation 2016/679 known as the "GDPR"), Air France (hereinafter, the

"Entity"), data controller, whose registered office is located at 45, rue de Paris, 95 747 Roissy CDG

cedex hereby informs you that the information collected in the context of the whistleblowing system

(hereinafter, the "System") of the Air France KLM group (hereinafter, the "Group") is subject to

personal data processing.

The purpose of the System is to collect and process professional alerts reporting any violation of

applicable laws and regulations or, more generally, any situation contrary to the Group's values and

internal rules.

The System is accessible through the following website: https://integrity.airfranceklm.com/.

2. PERSONAL DATA COLLECTED

The categories of personal data collected in the context of this System are the following:

- Information concerning the identity of the whistleblower: surname, first name,

country of residence, position held, professional address, personal address, telephone

number, e-mail address;

- Information about the person who is the subject of the alert: surname, first name,

position held, professional contact details;

- Where applicable, information relating to the persons mentioned in the alert as

witnesses or victims of the practices or events reported: surname, first name, position

held, professional contact details;

- Information relating to the facts reported: the system offers a free text box to make

the report. Personal data you enter in this area may also be subject to data processing

and it is possible that sensitive data may be collected;

- Information collected as part of the verification of reported facts;

- Information relating to the reports of verification operations;

- Information on the follow-up given to the alert.

- Information relating to the persons involved in the collection or processing of alerts:

surname, first name, position held, professional contact details, data related to the

"workflow" of reports, connection logs to the platform.

3. PURPOSES OF PROCESSING

This data is collected and processed in order to receive and process alerts or reports that reveal a

breach of a specific rule. These may include breaches of legal or regulatory rules, ethical breaches, or

breaches of the Group's internal policies.

4. LEGAL BASIS FOR PROCESSING

The legal basis for the processing is, depending on the alert:

- The Entity's compliance with a legal obligation requiring it to implement a

whistleblowing system, or

- The realization of the legitimate interests pursued by the Entity.

5. DATA RETENTION PERIOD:

The Entity keeps the personal data of System’s members strictly for as long as it is necessary for the

fulfillment of the purposes pursued, in accordance with the applicable guidelines.

If the data relates to an alert considered by the Entity as not falling within the scope of the System, the

data is destroyed without delay, or anonymized;

- If no follow-up action is taken with regard to an alert falling within the scope of the

System, the data relating to the alert is destroyed or anonymized within two (2)

months following the last verification is completed;

- If disciplinary or litigation proceedings are initiated following the investigation of an

alert, the related personal data relating to the alert is conserved until the proceedings

are terminated.

6. DATA RECIPIENTS:

Data collected by the Entity as part of the System will only be accessible to the Entity and its authorized

personnel. Data may also be shared with Group entities to enable verification and/or processing of the

alert issued. More specifically for this mechanism, Group entities include:

- Air France - KLM, a public limited company, whose head office is at 7 rue du Cirque -

75008 Paris,

- Air France, a public limited company with its head office at 45, rue de Paris - 95747

Roissy CDG Cedex,

- Koninklijke Luchtvaart Maatschappij NV (also known as KLM Royal Dutch Airlines or

KLM) with its office at Amsterdamseweg 55, 1182 GP Amstelveen, The Netherlands,

- HOP, a société par actions simplifiée (simplified joint-stock company),

headquartered at Aéroport Nantes Atlantique - 44340 Bouguenais,

- Transavia, a simplified joint-stock company with headquarters at 7 avenue de l'Union

- 94310 Orly, and

- BlueLink, a public limited company with headquarters at 74 avenue Vladimir Illitch

Lenine - 94110 Arcueil.

The Entity may also disclose data in order to respond to legal or regulatory requests, court orders,

subpoenas or legal proceedings, if required to comply with applicable regulations.

Under no circumstances does the Entity sell or rent your personal data to third parties for their own

activities.

7. TRANSFER OF DATA OUTSIDE THE EU:

The data collected within the framework of the System is processed within the European Union.

In cases where transfers of personal data outside the European Union take place, the Entity undertakes

to ensure that the recipient is located in a country benefiting from an adequacy decision by the European

Commission or that measures are put in place to ensure that the transferred data benefit from adequate

protection, in accordance with the provisions set out in the GDPR.

8. DATA SUBJECTS’ RIGHTS:

In accordance with the applicable regulations on the protection of personal data, you have the right

(a) access, (b) rectification, (c) erasure, (d) restriction of processing of your data, (e) data portability and

(f) object to the processing of your data.

In addition, you have the right to define guidelines relating to the conservation, erasure

and communication of your personal data after your death (g).

a) Right of access

You have the right to request confirmation that the Entity is processing your personal data and, if so,

to receive a copy of such data.

b) The right of rectification

You have the right to request rectification of your personal data if you find it to be inaccurate.

c) The right to erasure (“right to be forgotten”)

You have the right to request the erasure of your personal data. This right can only be exercised in

certain cases, where one of the grounds set out in Article 17 of the GDPR applies. This may involve, for

example, personal data that is no longer necessary for the purposes for which we collected it or that has

been processed unlawfully. If you exercise this right and if one of the grounds is applicable to your

request, we will proceed to erase your personal data as soon as possible.

d) The right to restriction of processing of your data

You have the right to restriction of processing of your personal data. This means that we mark this

data, if we do indeed keep it, with a view to temporarily suspending its processing. This right may be

exercised on the grounds set out in Article 18 of the GDPR. This right does not give rise to the data

erasure and we are obliged to inform you before the corresponding processing restriction is lifted.

e) The right to data portability

You have the right to request the provision of personal data that you have directly communicated to

us in a structured, commonly used and machine-readable format, if their processing is automated and

based on the collection of your consent. This right does not apply to other legal bases for processing.

Where applicable and technically possible, you also have the option of requesting the transfer of this

data directly to another data controller.

f) The right to object

You have the right to object to the processing of your personal data when the processing is legally based

on the legitimate interests of the Entity.

However, this right of opposition cannot be exercised for processing that is necessary for the Entity to

comply with its legal obligations.

g) The right to decide what happens to your personal data after your death

You have the right to organize the status of your personal data post-mortem by adopting general or

specific guidelines. The Entity undertakes to respect your respective instructions.

9. HOW TO EXERCISE YOUR RIGHTS:

If you wish to exercise your rights, simply send a request to the Entity's Data Protection Department:

AIR FRANCE

Délégué à la Protection des Données/Data Protection Officer - ST.AJ IL

45, rue de Paris 95747 Roissy CDG Cedex

France

Adresse e-mail : mail.data.pro[email protected]

In order to process your request as efficiently as possible, we kindly ask you to include the necessary

identification details (surname, first name, e-mail) with your request, as well as any other information

required to confirm your identity. If there is any doubt about your identity, you may be asked to

provide an identity document.

Requests are processed as quickly as possible, and in any event within one month of receipt. If

necessary, this period may be extended to two months, depending on the complexity and number of

requests we receive. In this case, you will be informed of the extension and the reasons thereof.

If, after contacting the Entity and despite its efforts, you believe that your rights have not been

respected, you may also file a complaint to the Commission Nationale de l'Informatique et des Libertés

(CNIL) in France (3 Place de Fontenoy - TSA 80715 - 75334 Paris Cedex 07 or https://www.cnil.fr) or any

other competent data protection authority.

10. DATA SECURITY

As the confidentiality and security of personal data is one of the Entity's core concerns, technical and

organizational security measures are put in place to preserve their security and, in particular, to prevent

any accidental or unlawful destruction, loss, alteration, disclosure, intrusion or unauthorized access to

such data.

The Entity implements such technical and organizational measures in order to ensure that personal data

is conserved securely for the time necessary to fulfil the purposes for which it is to be used, in

accordance with applicable law.

In accordance with the applicable regulations, in the event of a proven risk of personal data breach

infringing the rights and freedoms of the data subjects, the Entity undertakes to communicate this

breach to the competent supervisory authority and, where required by the said regulations, to the

data subjects.

11. POLICY UPDATE

The Entity reserves the right to modify or update this Privacy Policy.

Any changes or updates will be effective immediately upon publication on the System’s website.

12. APPLICABLE LAW

This Privacy policy is governed by French law, unless otherwise provided by the law of any other country

in which the person concerned by the processing of personal data implemented in the context of the

System resides.