lastminute.com logo

Privacy Policy of LMnext FR S.A.S.U.

This Privacy Policy describes how personal data are processed by the IATA accredited agency in the distribution of travel services. This Privacy Policy is independent of notices that travel providers such as airlines, hotels and other travel suppliers such as travel agents) may give travelers. This Privacy Policy describes how we collect, use, process, and disclose your personal data in conjunction with your request of flight booking on our Website when this is managed by one of our International Air Transport Association (hereinafter, referred to as “IATA”) accredited agencies and, specifically:

1. Who is the controller of your data?
2. What categories of your data do we collect and use?
3. Why and how do we collect your data?
4. Who sees, receives and uses your data and where? 
5. How long do we retain your data?
6. What are your data protection rights and how can you exercise them?
7. Contact details of the data controller
8. Contact details of our data protection officer 

It also informs you how you can exercise your rights (including the right to object to some of the data handling we carry out). More information about your rights and how you can exercise them is set out in Section 6 below. If you see an undefined term in this Privacy Policy (such as “Service” or “Website”), it has the same definition as in our contractual service conditions.

1. Who is the controller of your personal data? 

When this Privacy Policy mentions “Company”, “we,” “us,” “our” or “Data Controller”, it refers to: LMnext FR, S.A.S.U., a French company belonging to the lm group, with its registered office at 14, Rue d'Uzès 75002, Paris - France and a share capital of EUR 100,000 (R.C.S Nanterre n° 809 437 072. VAT number: FR36 809 437 072, - Guarantor : APST, Assurance RCP ALLIANZ 086 931 092), which is responsible - as IATA accredited agency - for processing the personal data of Customers’ personal data under this Privacy Policy (hereinafter, referred to as the “Company”, “we”, “us”, “our”, “Data Controller”). As an entity located in France, the Company is subject to compliance with French and European regulations on the protection of personal data. Consequently, the Company guarantees compliance with the obligations under the provisions of Law No. 78-17 of 6 January 1978 relating to data processing, files and freedoms. In accordance with Law No. 78-17 of 6 January 1978 relating to data processing, files and freedoms, we inform our Users and/or Clients that their personal data are processed and stored by the Company in accordance with the methods and purposes detailed below, permitted by Law No. 78-17 of 6 January 1978 relating to data processing, files and freedoms.

2. What categories of your data do we collect and use? 

When you book a flight on one of lm group Websites (you as a "Customer") we collect the categories of personal data as follows: 

2.1. Personal data provided by you 

  • The personal data that you provide to us when using our services to book a flight, including the information entered into our booking platform. 
  • More specifically: When you book with us, you may provide us with information such as: Passenger information, passport details, contact details, payment details (i.e. credit data, billing address, account information), date of birth etc. Information about your purchases, including what you booked, when and where you booked it and how you paid for it. Special categories of personal data, for example, relevant medical data and any special dietary or disability requests, so information concerning your health or revealing religious, philosophical or sexual orientation that you might voluntary provide us in the course of making a booking by selecting the box "special transportation need" and filling in the empty field or by other means through the Travel Agent at any moment when making a booking. We will use the special categories of personal data only as strictly necessary to fulfil your request. Where we need to process this data, we will only do it if we have your explicit consent, in accordance with Art.6.1.a) and Art. 9.2 GDPR or if permitted by regulations. 
  • Personal data you provide about other individuals: if you plan to submit someone else's personal data to us, for instance when booking on their behalf, you should only provide us with that third party's details with their consent and after they have been given access to this Privacy Policy. When submitting data about other individuals you declare you have their consent.
  • Personal data about children: Please note that we may collect and use the information of children only as provided by their parent or guardian or with their consent. If we become aware that we have processed information of a child without the valid consent of a parent or guardian, we reserve the right to delete it. The legal basis for processing personal data is that the processing is necessary for the performance of a contract to which the traveler is a party. Without the processing, we may not be able to provide you with all the requested services.

3. Why do we collect your data? 

In general terms, we use your personal data to provide you with the services you request, in particular to process travel reservations, to provide the travel agency access to such information, to issue tickets and other travel related documents, to perform internal business processes (such as testing and quality assurance), and to provide other travel related services. 

More specifically: 

Why?
A. To create and maintain the contractual relation established for the provision of the travel service requested by you in all its phases and by way of any possible integration and modification. On which legal basis?
To fulfil a contract, or take steps linked to a contract (i.e. to provide the travel services) 

Why?
B. To meet the legal, regulatory and compliance requirements and to respond to requests by government or law enforcement authorities conducting an investigation.
On which legal basis?
To comply with the law (i.e. to share personal data with regulatory authorities) 

Why?
C. To verify compliance with our terms and conditions and for the establishment, exercise or defence of legal claims.
On which legal basis?
To pursue our legitimate interest (i.e. compliance with our terms and conditions, protection of our rights in the event of any dispute or claim) 

Where we rely on legitimate interest as a basis for processing your personal information, we carry out an assessment to ensure that our interest in the use of your data is legitimate and that your fundamental rights of privacy are not outweighed by our legitimate interests (‘balancing test’). You can find out more information about the balancing test by contacting our Data Protection Officer at to dpo.en@lastminutegroup.com.

4. Who sees, receives and uses your data and where? 

4.1. Categories of recipients of your data 

We share your personal data, for the purposes described in this Privacy Policy, to the following categories of recipients: 

  • Our authorised employees and/or collaborators that assist and advise us on administration, products, legal affairs, Customer Care Team, and information systems, as well as those in charge of maintaining our network and hardware/software equipment; 
  • Airlines, reservation system providers (also known as Global Distribution Systems or “GDS”, which facilitate the transmission of booking information from us to the airline), travel associations (such as the International Air Transport Association), as well as those other parties to which, according to specific regulations and/or IATA resolutions, it is necessary to disclose your personal data in order to provide you with the requested services, that will be operating as autonomous data controllers. Indeed, to be able to advise you of irregular flight operations and disruptions, airline companies need to have sufficient contact details available to proactively contact you. Consequently, the airlines’ and GDS’ privacy policies may also apply and govern how your booking information is used. An index of: airlines’ privacy policies is available at this link: https://www.iatatravelcentre.com/privacy.htm#index GDS’ privacy policies is available at this link https://www.iatatravelcentre.com/uploads/pdfs/privacy/ReservationSystemProvider.pdf. 
  • Our third-party service providers (including other entities of the lastminute.com group), which process your personal data on our behalf and under our instructions for the purposes described hereinabove acting as data processors, such as those providing us with IT and hosting services call centre and customer support, analytics and administration services etc.
  • Competent authorities when we are required to do so by the current law. 
  • Third parties that receive the data (e.g. business consultants, professionals for delivering due diligence services or assess value and capabilities of the business) when it is necessary in connection with any sale of our business or its assets (in which case your details will be disclosed to our advisers and any prospective purchaser’s advisers and will be passed to the new owners. 
Please also note that airline companies are required, in accordance with the new regulations introduced in the US and other countries, to allow customs and border authorities to have access to flight passenger data. For that reason, in certain situations, we may communicate data collected on passengers included in the reservation to the competent authorities of the countries included in the Customer’s travel itinerary if required by the local law. The complete list of parties to which your personal data may be disclosed is available at our registered office and may be requested by writing to privacy.en@lastminutegroup.com.


4.2. International transfer of your data 

Customers’ personal data is processed at the Data Controller’s registered office (see point 1), on the lm group servers, and at the offices of other entities to which data may be provided in order to provide the services requested of the Data Controller. Given the fact that we are part of an international travel group of companies and, as an IATA accredited agency, we are authorized to sell international and/or domestic tickets on behalf of IATA member airlines, we can also transfer your personal data to: 

  • non-European Economic Area (EEA) countries offering an adequate level of data protection such as Switzerland in accordance with the “Adequacy decisions” of the EU Commission that recognises some countries as providing adequate protection; 
  • non-European Economic Area countries where data protection laws may be less protective than the legislation in the EEA. This happens when: we disclose your data to autonomous data controllers such as airlines, hotels, car hire companies, tour operators, automated reservations system (such as the above mentioned Global Distribution Systems) etc. that might process your data outside the EEA in order to provide you with the requested services. 
Should you want to obtain further details about the safeguards put in place, you can contact us by writing to privacy.en@lastminutegroup.com. 

5. How long do we retain your data? 

We retain your personal data for as long as is required to achieve the purposes and fulfil the activities as set out in this Privacy Policy, otherwise communicated to you or for as long as is permitted by applicable law. Further information about the retention period is available here: 

CUSTOMER RECORDS 

Document
Booking records (name, address, contact information, PNR, ID Booking, birth date, number or identity document, date of issue, date of expiring, issuer country, typology ) including: - Product details - records of customer contacts related to the Agent section (i.e. Notes/Events in the BO), - purchase data - Checkout "Special request" section
Retention period
10 years
Starting date
From the date of the purchase 

Document
Reports or claims
Retention period
10 years 

Document
Contractual documentation (log of the acceptance)
Retention period
10 years
Starting date
From the date of the purchase 

Document
Cleartext credit card data
Retention period
Not retained 

Document
Finance/transactional information
Retention period
10 years
Starting date
From completion of financial transaction

6. What are your data protection rights and how can you exercise them? 

You can exercise the rights provided by the Regulation EU 2016/679 (Articles 15-22), including the right to: 

Name of the right
Right of access
Content
To receive confirmation of the existence of your personal data, access its content and obtain a copy. 

Name of the right
Right of rectification
Content
To update, rectify and/or correct your personal data. 

Name of the right
Right to erasure/right to be forgotten and right to restriction
Content
To request the erasure of your data or restriction of your data which has been processed in violation of the law, including whose storage is not necessary in relation to the purposes for which the data was collected or otherwise processed. 

Name of the right
Right to data portability
Content
To receive a copy of your personal data you provided to us for a contract or with your consent in a structured, commonly used and machine-readable format (e.g. data relating to your purchases) and to ask us to transfer that personal data to another data controller. 

Name of the right
Right to withdraw your consent
Content
Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes. 

Name of the right
Right to object, at any time 
Content
You have the right to object at any time to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement) . 

Name of the right
Right not to be subject to a decision based solely on automated processing, including profiling
Content
You can always request a manual decision- making process instead, express your opinion or contest decision based solely on automated processing, including profiling, if such a decision would produce legal effects or otherwise similarly significantly affect you. 

You can exercise the above rights at any time by: Contacting us via email at privacy.en@lastminutegroup.com. Your rights in relation to your personal data might be limited in some situations. For example, if fulfilling your request would reveal personal data about another person or if we have a legal requirement or a compelling legitimate ground we may continue to process your personal data which you have asked us to delete. You also may have the right to make a complaint if you feel your personal information has been mishandled. We encourage you to come to us in the first instance but, to the extent that this right applies to you, you are entitled to complain directly to the relevant Data Protection Supervisory Authority.

7. Contact details of the data controller 

The contact details of the Data Controller of the data processing described hereinabove are: LMnext FR, S.A.S.U., a French company belonging to the lm group, with its registered office at 14, Rue d'Uzès 75002, Paris - France (R.C.S Nanterre n° 809 437 072. VAT number: FR36 809 437 072, - Guarantor : APST, Assurance RCP ALLIANZ 086 931 092).

8. Contact details of our data protection officer (DPO) 

Our Data Protection Officer (or "DPO") is available at: dpo.en@lastminutegroup.com 14, Rue d'Uzès 75002, Paris - France

Be inspired!

Looking for travel inspiration and other deals? Sign up with your email address and we'll send you automatically-created, personalised content from us and our selected partners. For more info, or if you've already signed up and wish to unsubscribe, check out our  Privacy Policy.

Mobile App
Connect with us