L’investissement dans d’autres projets sur la connaissance et la conservation de la biodiversité contribue également à comprendre le dilemme associé aux services écosystémiques comme à la production des biocarburants durables. Si certains types de biocarburants destinés au transport routier peuvent avoir un impact négatif sur la biodiversité, le groupe Air France - KLM veut garantir l’utilisation de carburants aéronautiques durables qui ont l’impact le plus faible sur l’approvisionnement en nourriture, la biodiversité et un impact positif sur le développement local.

Data and IT systems protection

Passenger bookings, flight schedule management, baggage check‑in, the calculation of ticket prices, aircraft maintenance and crew information: IT is at the heart of all of Air France – KLM’s activities. Privacy and data protection constitutes a major operational and financial challenge for the business, and for customer trust.

The Air France – KLM Group manages its cybersecurity risks in liaison with the national authorities and cooperates with the relevant European agencies (EASA, ENISA). Air France – KLM also takes part in the cybersecurity working groups of the main professional airline associations (IATA, A4E, etc.) and contributes to research by associations specialized in cybersecurity (CLUSIF, CESIN, CIGREF, R2GS, European Aviation ISAC).

Permanent benchmarking and an independent cyber rating agency enable Air France – KLM to be compared with other companies in the air transportation industry. In December 2019, the Group was ranked amongst the leading large companies. Air France – KLM also calls on the expertise of leading consultants in the cybersecurity market and actively cooperates with companies with which its Information System is connected.

To offer the best level of protection on the ground and in the air, the Air France – KLM Group has developed four major cybersecurity programs in recent years:

  • a program directed at more effective cybersecurity techniques, to adapt to the evolving cyber threats;
  • an awareness‑raising program for all staff;
  • a program to ensure regulatory compliance;
  • a program to support the digital transformation to offer a simplified user experience.


An annual presentation on these programs is made to the Group Executive Committee and to the Audit Committee of the Board of Directors, guaranteeing sponsorship at the highest level of the company. These programs are supported by Cybersecurity Governance composed of:

  • a cybersecurity regulatory framework for ground IT and onboard systems (safety policy based on a series of international ISO 27000 regulations and other standards or regulations concerning Air France – KLM’s activities);
  • an annual monitoring plan for risks linked to the digital technologies (audits) and testing of the Cyber Crisis mechanism overseen by the Operations Control Center and the Authorities;
  • three management committees with complementary perspectives. The Group’s IT Executive Committee notably evaluates the coherence between the cyber risks and investment in IT. The Cyber Plane Committee, chaired by the Accountable Manager, decides on the orientations to be adopted to reduce the potential cyber risks for Flight Safety. Lastly, the Safety Performance Committee, chaired by the Head of Safety, evaluates the effective mitigation of generic safety risks, including cybersecurity;
  • a report on the residual cybersecurity risk in the major operational risk sheets managed by Internal Control.

Data privacy

In force since May 25, 2018, the European General Data Protection Regulation (GDPR) to protect personal data firstly extended the rights of data subjects and, secondly, strengthened the accountability and obligations for data controllers, requiring proof of compliance on personal data protection.

To respond to the GDPR requirements, in 2018 Air France and KLM deployed a broad‑ranging program to reinforce their cybersecurity policies and define a strengthened personal data management framework to ensure compliance with privacy by design and by default principles.

In 2020, based on a Customer Digital audit, several key points were identified which can also be applied more generally to data privacy governance:

several steps forward were achieved on improving progress monitoring within a sole governance framework with, notably, the implementation of improved meeting structures and a dashboard;

  • the register of processing activities was finalized and aligned between Air France and KLM;
  • the roll‑out of a privacy tool, suspended in March 2020 owing to the public health crisis, resumed in November 2020;
  • the data breach procedure was also reinforced in 2020.

The overall effectiveness of the privacy compliance framework is assessed on a regular basis thanks to a dedicated Internal Audit program. This framework was improved and reinforced in 2019 and 2020. An ex post audit will be carried out to ensure the adequacy of the improvements made. The risks associated with the protection of privacy and data are becoming increasingly material, meaning that privacy and data protection compliance remains an absolute imperative for the Air France – KLM Group.

In 2020, alongside with of GDPR requests sent directly to the companies, Air France and KLM registered and handled a total of “14 complaints” concerning personal data complaints, 6 came from the Dutch DPA (Autoriteit Persoonsgegevens) and 8 came from the CNIL (which is the reference authority in France).