Data privacy and IT systems protection

Permanent benchmarking and an independent cyber ranking agency enable us to remain informed of the measures implemented by other air transport industry players and thus adapt our own processes if necessary. In December 2021, the Air France-KLM IT centers had a cyber score situated above the top end of the range for the air transport industry.

To manage cyber-security risks, the Group’s strategy is underpinned by several initiatives:

• Close cooperation with the national authorities and the relevant European agencies (EASA, ENISA).

• Calling on the expertise of consultants who are leaders in the cyber security market and actively collaborating with the companies connected to its information system.

• Participating in working groups with the main airline associations (IATA, A4E, etc.) and contributing to the research of associations specialized in cyber security (CLUSIF, CESIN, CIGREF, etc.)

To offer the best level of protection on the ground and in the air, Air France-KLM has reinforced its teams dedicated to cyber security and increased the financing of a number of major programs:

• An overall awareness-raising program for all the Group’s staff with mandatory Cyber training

• A regulatory compliance program which notably includes a specific level of protection and supervision for the critical systems.

• A digital transformation support program to provide a simplified and secure experience for the user.

• a plan directed at delivering the best effective cybersecurity solutions and infrastructures to adapt permanently to the evolving cyber threats. This includes a cyber insurance policy 
• a state-of-the-art cybersecurity infrastructure and services, with a robust organization coordinated around the SOC (Security Operations Center), including our affiliates and partners.

An annual presentation on these programs is made to the Group Executive Committee and to the Audit Committee of the Air France-KLM Board of Directors, guaranteeing sponsorship at the highest level. These programs are supported by a Cyber Security Governance composed of:

• A cyber security regulatory framework for ground IT and onboard systems (safety policy based on the ISO27000 series of international standards and other standards or regulations applicable to Air France-KLM’s activities)

• An annual monitoring plan for risks linked to the digital technologies, and testing of the cyber crisis mechanism overseen by the Operations Control Center and the Authorities

• Three management committees with complementary perspectives. The Group’s IT Executive Committee notably reviews the match between the cyber risks and IT investment. The Cyber Plane Committee, chaired by the Accountable Manager, decides on the orientations to be adopted to reduce potential cyber risks to Flight Safety. Lastly, the Safety Performance Committee evaluates the effective mitigation of generic safety risks, including cyber security.

• A report on the residual cybersecurity risk in the major operating risk sheets steered by Internal Control.

In 2022, in addition to strengthening the existing processes for Data Privacy governance, the management of data compliance breaches and training as part of the annual compliance program, the main focus was on the compliance of transfers of personal data outside the European Economic Area, after the invalidation by the Court of Justice of the European Union of the Privacy Shield in the “Schrems IT” case. As a consequence, the European Data Protection Board (EDPB) recommended, for these transfers,  the performance of Data Transfer Impact Assessments (DTIA) and the use of new models of Standard Contractual Clauses. 

The overall effectiveness of the Data Privacy management system is regularly evaluated thanks to a dedicated Internal Audit program. This framework has been improved and reinforced since 2019. An ex-post audit will be carried out to ensure the adequacy of the improvements made.

In 2022, in parallel with the GDPR (European General Data Protection Regulation) requests sent directly to the airlines, Air France and KLM recorded and handled a total of 9 complaints concerning personal data privacy: 1 from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and 8 from the CNIL.