• Start
  • Transparency
  • Personal data protection policy

Personal data protection policy

Valid since December 15, 2023

Iberia Privacy Policy for Customers and Passengers

Our Privacy Commitment

Iberia is committed to respecting your privacy and protecting your personal information.

  • We will be transparent about the information we are collecting and what we will do with it.

  • We will use the information you give us for the purposes described in our Privacy Policy, which include providing you with services you have requested and enhancing your experience with IBERIA.

  • We will also use the information to help us understand you better and so that we can give you relevant offers.

  • If you tell us you don’t want to receive marketing messages we will stop sending them. We will, of course, continue to send important information relating to a product or service you have purchased to keep you informed about your booking and travel itinerary.

  • We will put in place measures to protect your information and keep it secure.

  • We will respect your data protection rights and aim to give you control over your own information.

You can access our full Privacy Policy below to help you to understand better how we use your personal information. In it, we explain in more detail the types of personal information we collect, how we collect it, what we may use it for and who we may share it with.

Within our full Privacy Policy you can find some specific examples of why and how we use your personal information. If you have further questions please get in touch with us at our Data Protection Office by email at OficinaDPO@iberia.es .

Without prejudice of your rights under the relevant applicable laws, this Privacy Policy and the information above have no contractual nature and are not a part of your contract with us.

Personal Data Controller

All the personal data processed by Iberia with regard to this Privacy Policy are the responsibility of Iberia Líneas Aéreas de España S.A. Operadora, Sociedad Unipersonal, with tax code A85850394 (hereinafter “IBERIA”), which has the status of "data controller" in accordance with the applicable data protection legislation. Our contact address for these purposes is “Oficina de Protección de Datos de Iberia Líneas Aéreas de España S.A. Operadora, Sociedad Unipersonal”, Calle Martínez Villergas 49, 28027 Madrid, Spain, or alternatively the above-mentioned email address.

If you have made a booking with us but one or more of the flights are operated by other airlines, each of those airlines will be the individual data controller, in accordance with the applicable data protection legislation.

Any third-party service provider accessible through our website, such as a hotel or vehicle hire company, will also be the individual data controller. You may access the services provided by these third-party companies through our website, which will automatically redirect you to their websites where you will find the data protection policies of these providers.

IBERIA belongs to the IAG Group, whose parent company is a Spanish registered company called International Consolidated Airlines Group, S.A. You will find additional information about the companies that make up the IAG Group below.

If you are a member of the IBERIA PLUS loyalty programme, Avios Group Limited (“AGL”), which also belongs to the IAG Group, will be jointly responsible with IBERIA for processing your personal data relating to the management of this loyalty programme. The address of Avios Group (AGL) Limited is Astral Towers, Betts Way, Crawley RH10 9XX, United Kingdom. Its website is www.avios.com and you can contact its Data Protection Office by post, addressing your correspondence to the “Data Protection Officer” at the above-mentioned address, and also by sending an email addressed to data.protection@avios.com.

If you are a member of the ON BUSINESS loyalty programme, British Airways Plc ("BA"), also belonging to the IAG Group, and American Airlines will also be responsible, jointly with IBERIA, for processing your personal data relating to the management of this loyalty programme. The address for British Airways is Waterside (HCB3), PO Box 365, Harmondsworth, UB7 0GB, UK. For American Airlines it is 1 Skyview Drive, MD 8B503 Fort Worth, TX 76155 (US A). On their websites www.britishairways.com and www.americanairlines, you will find information regarding their privacy policies and you will be able to contact their data protection offices:DPO@ba.com and privacy@aa.com.

If you have registered with the "Facial Recognition" programme to verify the identity of passengers during check-in processes and at the security filters and boarding gates in the airport network managed by Aena, S.M.E., S.A., with tax code A86212420 and registered address at Calle Peonías 12, 28042 Madrid ("Aena"), please bear in mind that while Aena will be the data controller, IBERIA will carry out the processing on Aena's behalf. Aena's privacy policy is available at www.aena.es, and you can contact its data protection office by sending an email to dpd@aena.es.

What do we mean by personal information?

Personal information means details which identify you or could be used to identify you, such as your name and contact details, your travel arrangements and purchase history. It may also include information about how you use our websites and mobile applications.

When does this policy apply?

This Privacy Policy applies to personal information about you that we collect, use and otherwise process in connection with your relationship with us as a customer or as a potential customer or as a member of our loyalty schemes IBERIA PLUS or ON BUSINESS, including when you travel with us or use our other services –such as our auction website or our gift cards service- , use our websites or mobile apps, contact our service agents or call centres and book to use our services through third parties -such as travel agents and other airlines.

When we refer to other entities being data controllers within Sections “Data Controller” or “Who do we share your personal information with?”, you should consult their own privacy policies for further information.

If you decide to hire additional services with us, such as making an on board purchase or using our in-flight entertainment devices or taking part in one of our contests organised by Iberia together with third party collaborators, please take into account that further terms and conditions may apply.

How can you protect your personal information?

We make serious efforts to care for and protect your personal information when you share it with us. Below you can find some recommendations on how to keep your personal data safe.

Do not share your booking code or locator

When you make a booking you will be furnished with a reservation code –also known as PNR or Passenger Record. This reference will be included in your booking confirmation email or within the ticket of each passenger within that reservation.

Please always keep your reservation code confidential. If you share it with a third person he/she may access your booking data in our systems.

If you travel with others and you do not want them to have access to your booking data it might be advisable that you carry out your reservation separately.

Do not share your Iberia Plus, Iberia Joven or On Business personal area log-in data

To make sure that access to your personal area in our webpage and mobile application is safe please do not share your Iberia Plus; Iberia Joven or On Business –the specialised companies for companies we sponsor together with British Airways Plc- log-in data with anyone. When you finish using our website, online services or mobile applications please make sure to end your session if someone else may access your computer or device. This is particularly relevant in the case that you are using a public access computer or device.

Be cautious and protect yourself from internet fraud and “Phishing”

There is a broadly spread type of internet fraud practice known as “Phishing” aimed to illegally obtaining your personal information by deception. Unsolicited emails are sent to individuals from a list that has been illegally obtained, and recipients are requested to insert or confirm their passwords or bank details in a false or cloned website.

When do we collect personal data?

We collect personal data about you every time you use our services (whether provided by us or by other companies or agents acting on our behalf), including when you travel with us, when you use our website and when you interact with us via electronic means or our customer service centres.

The following are some examples of when and how we collect information:

  • When you book or search for a flight or other products or services on our website or mobile app.

  • When you book a flight or any other product through other sales channels, such as a travel agency.

  • When you show up at the boarding gate for any of the flights listed in your reservation.

  • When you register with our Iberia Plus, Iberia Joven or On Business loyalty programmes, our auction service, or when you buy one of our gift cards.

  • When you use one of our virtual assistants to check in for flights, request information about the status of your flights or book services related to them.

  • When you contact us through our call centres or other customer service agents.

  • When you fill in a customer satisfaction survey or send us complaints, praise, recommendations or suggestions.

  • When you take part in our competitions or register for one of our promotions, and when you decide to interact with us through your social media profile, Facebook or Twitter, for example.

  • When you travel with us and use the VIP lounges at the airports where we operate.

  • When you use our on-board entertainment systems or our communications services.

  • When you click on any of our e-mails or browse on our website. We may also receive information about how you found us on the internet or about the sites you have visited previously.

In all of the above cases and directly from you, we may collect personal data about third parties who may be adults or minors. In those cases, when you supply data about these people you must have previously obtained their consent and/or necessary legal powers to provide their data for processing on the grounds indicated in this privacy policy. If you do not have their consent, kindly refrain from providing us with that information.

For further information, please refer to the section below "What type of personal data do we collect and keep?"

We may also receive personal data about you from third parties such as:

  • Companies to which we have outsourced the provision of specific services to you.

  • Companies involved in your travel plans, including airlines and other types of transport companies involved in your previous or subsequent journey, airport operators and customs and immigration authorities.

  • Companies involved in our loyalty programmes and other customer programmes (such as car hire companies and hotels).

  • Companies that provide us with data in accordance with privacy policies that include information that may be shared with Iberia.

What types of personal information do we collect and retain?

When you use our services you will need to provide us with your personal details or the details of those individual(s) who will be travelling.

We collect the following categories of personal information:

  • Information you provide in order for Iberia to complete and manage a booking you have made with us or a service you have requested from us.

    Examples: Your name, address, email, contact details, date of birth, gender, passport or other national ID number, your account details and payment information.

    If you buy tickets for someone else we may collect your billing information but may communicate with the passengers directly about their flight.

    We will know whether you have made your booking at iberia.com or in any other sales channel such as a travel agency or our contact centres.

  • Information collected during your travel with us

    Examples: We may collect information such as your interactions with our personnel and cabin crew before and during the flight.

    We may track location data from your devices where you have permitted us to use it.

    We collect information about your use of our services during travel, such as your use of our inflight entertainment system or our VIP lounge facilities.

  • Information about your travel arrangements

    Example: Details of your booking, travel itinerary, details of any additional assistance you require and other information related to your travel with us such as meal preferences or dietary requirements.

  • Information about the services we have provided to you in the past

    Example: Details of your previous travel arrangements, such as your previous flights and travel-related issues, including upgrades received, your baggage requirements, airport disruption, luggage incidents and your customer feedback.

  • Information about your online logins and other interactions.

    Examples We will retain your data to guarantee our correct interaction with you when you have joined our loyalty schemes Iberia Plus or Ob Business or when you have identified yourself as a member of our schemes or any other loyalty scheme we accept.

    We will retain your information when you have taken part in any of our contests or promotional initiatives, or when you have interacted with us through social networks such as Facebook or Twitter.

  • Information about your use of our websites, contact centres and mobile applications

    Examples: To help us customise your personal information and to improve our website we use “cookies” and other similar technologies and collect information about your searches and the contents you have visited on our website, such as what website you are surfing from, or the banner advertisements or links appearing in our marketing partners’ websites.

    We will use the information gathered in the cookie to better understand you as our customer. This information may include, if you have fed it into our website, information on a flight booking or a passenger name in the case these data were linked to your personal profile in Iberia Plus.

    From your use data we may learn that you have visited iberia.com and searched for a flight, but you have not made your reservation yet. We might use this information to contact you and offer you further information on this booking or the destination you might be interested in.

When and why do we collect 'sensitive personal data'?

Personal data relating to racial origin, ethnic group, religion, health, sexual orientation and biometric data constitute special categories and are referred to as sensitive personal data requiring additional protection in line with European Union legislation and/or the legislation of other jurisdictions. Outside the European Union there may be additional types of data that are treated in a similar manner, such as the data of minors of a certain age, traceability data (cookies) or financial data. Iberia does everything it can to restrict the circumstances in which these categories of data are collected and processed. The following are examples of cases in which we may collect and process sensitive personal data.

  • When in compliance with legal obligations or requirements you need to show us or provide us, or we need to review, your required travel documents including health data, such as results of medical tests or tests to verify contagion or infection by a particular disease (e.g. Covid-19).
  • If you ask Iberia and/or an airport operator for specific medical assistance, such as a wheelchair or oxygen.
  • If you have requested permission to fly with us with a specific medical condition or if you are over 28 weeks pregnant.
  • If you have chosen to provide this information for any other reason and we have received it from a third party, such as the travel agency through which you booked your flight.
  • If you use biometric boarding systems available at some of the airports where we operate flights.

You may also have requested a special service (such as a menu) which does not in itself constitute sensitive data but which may imply or suggest information about your religion, health or other data.

What do we do with your personal data and what is the lawful basis for this?

The main purposes for which we process your personal data are as follows:

In certain cases, this may also be based on the consent that you have previously given us. For example, when you consult or book tickets through our website, we may request your authorisation to send you specific information by electronic means about your visit to the site and about any interest that you have shown, even if you eventually did not end up making any purchases during that visit.

  • Based on our contractual relationship with you, to process all matters relating to your trip and provide you with the requested services.

    For example: We will need to use your name, address, email, contact information, date of birth, gender, passport number or identity document, and your payment data and information in order to process your bookings and any services related to your trip, charge you for our services, provide information to the relevant authorities (such as tax, customs and immigration authorities), and so that Iberia knows who has a booking on a flight.

  • Based on our contractual relationship with you, to manage the boarding process and facilitate connecting flights at the airport.

    For example: If you do not show up at the gate to board your flight, we may have to check whether you have passed through airport security control or if you were on a connecting flight so that we can contact you to inform you that boarding for your flight is under way.

    At some airports where we operate the facial recognition system is used (the use of this technology, unless required by law, is voluntary).

  • Based on our contractual relationship with you, to send you status updates and service or operational communications regarding the contracted service, regardless of the channel (direct sales or through agencies/other airlines, online or over-the-counter sales, etc.) you have used to contract our services.

    For example: We may use different channels, such as WhatsApp, text messages and push messages on our app, to inform you that check-in is open or that your flight has been delayed or cancelled, or in general notify you of any changes that affect the services contracted with Iberia or with airlines with which Iberia has a transportation agreement.

    We may also use the contact information you have provided to notify you of other types of operational communications.

    For example, if you have presented your boarding pass to access one of our VIP lounges, we may give you information and notices about your flight, such as changes to the gate number or the flight boarding time.

  • Based on the fulfilment of our legal obligations, to manage immigration procedures and/or entry or exit from the territory of a country, ensure your safety and comply with any other legal requirements applicable to Iberia as an airline. In certain cases we will need to or be obliged to report your contact details to local or international health authorities.

    For example: As an airline, Iberia is obliged to keep a record with information on the passengers who are on board its aircraft.

    The laws of certain countries such as the USA and the European Union require airlines to provide certain information about their passengers to customs and immigration authorities.

    Furthermore, national regulations that establish requirements for passengers to enter certain countries oblige airlines in many cases to verify the accreditations for such requirements with a view to admitting or denying boarding for a flight.

    Additionally, if you have flown on any of our flights and a case of infectious disease has been detected in any of the passengers on board, we may have to communicate your data to the relevant health authorities, either because a law requires us to do so for reasons of public interest in the field of public health or to safeguard your own vital interests, those of other passengers and those of third parties in general.

    Lastly, in the fight against fraud and major crime (illegal trafficking of people, substances or merchandise, terrorism, etc.) airlines are obliged to respond to the requirements for information issued by the relevant security forces of the countries where they operate.

  • Based on our legitimate business interests, to provide you with services that suit your needs and to offer you more personalised service.

    For example: We can personalise your experience when you travel with us. For instance, a member of our crew may welcome you back on board an Iberia flight.

  • Based on our legitimate business interest, to conduct analyses and market research.

    For example: We will analyse how customers use our sales channels, products and services to learn how to improve the service we offer.

  • Based on our legitimate business interest, to carry out direct marketing activities and keep you informed about Iberia products and services which, in our opinion, best suit your needs or preferences.

    For example: We may send you information about our products and services by email, push messages on our app and text messages.

    We will be able to adapt the content of our websites, applications, emails and other communications to ensure that they are of the greatest possible interest to you, including previous destinations with offers and/or services relating to those or similar destinations.

    To understand your flight preferences and your needs when travelling with us and offer you information on special offers, such as selecting a certain type of seat, checking in additional baggage and access to upgrades.

    In certain cases, this may also be based on the consent that you have previously given us. For example, when you consult or book tickets through our website, we may request your authorisation to send you specific information by electronic means about your visit to the site and about any interest that you have shown, even if you eventually did not end up making any purchases during that visit.

  • If you are a member of the IBERIA PLUS programme, and based on the consent that you have previously given us, to carry out direct marketing activities by electronic means and keep you informed about Iberia products and services which, in our opinion, best suit your needs or preferences; and to send you personalised electronic commercial communications about products and services provided by other companies in the IAG Group and by partner companies in the Iberia Plus programme.
  • Based, as appropriate, either on our legitimate business interest, or on the consent that you have previously given us, we may record the communications and telematic instructions that take place when you are using the customer service or sales office of Iberia, Iberia Express or Iberia Regional/Air Nostrum; as a result, we will process your personal data, including your voice when you contact us through these channels, to record the transactions made for the appropriate legal purposes.
  • Based on our legitimate business interest and providing you do not expressly object to it, we may also use the information you provide or that we obtain to enrich the profiling of our customer database by defining market and customer segments, establishing or calculating different degrees of connection between our customers and Iberia and/or its products and services, in order to offer you more personalised service, such as: inviting you to participate in campaigns or events that better suit your preferences, or developing products, services or purchasing interfaces that improve your purchasing experience or give you greater satisfaction.
  • Based on the consent that you have previously given us through your clear intention to contract services, to share your data with other companies in the IAG Group to which Iberia belongs or with third-party companies that collaborate with the Group (such as third-party companies whose products or services are offered and/or may be contracted through our website, as well as the partners in our Iberia Plus programme), whenever you contract any of these products or services. In these cases, we will only share a limited number of identifying data that you have provided us and that are necessary for contracting the products and services in question.

    You can see the complete list of IBERIA PLUS partners on our website www.iberia.com

  • Based on our contractual relationship with you, to send you updated information and operational communications.

    For example: Even if you have chosen to stop receiving commercial information, we may continue to send you operational communications regarding any services that you have already booked or contracted, such as your travel itinerary. These communications will help you to obtain the details of the contracted services and may include options and extras for the services you are going to use (for example, advance seat selection, additional luggage and advance booking of menus).

  • Based on our legitimate business interest, to improve our website, products and services.

    For example: We will be able to monitor how you and other customers use our website so that we can identify ways to improve your browsing experience. We may also use this information to define and compare common patterns of behaviour and distinguish them from others that may be considered malicious in order to detect and prevent cases of fraud, and to apply and improve established security and cybersecurity protocols.

    We will review the communications you make and send us through social media and other online channels in order to give you a response and to take business actions that will enable us to improve your perception of our brand and our services.

    We may also invite you to participate in surveys to find out your degree of satisfaction with the services and benefits received when travelling with Iberia and using our services.

    If you are a member of the Iberia Plus programme, we may also send you surveys regarding your satisfaction with the programme, with offers and promotions and/or with services and products offered by our partners. In this case, this processing will be based on the consent that you have previously given us.

  • Based on our contractual relationship with you, to be able to manage any transactions, operations, contracting of products and services that may take place by any means, or any type of query, complaint, claim or suggestion that you may submit to us.
  • Based on compliance with our legal obligations, depending on the case, we may also use your data for other management and administration purposes.

    For example: We may use and retain your personal data, including your purchase history, for administrative purposes, which may include, for example, accounting and invoicing, auditing, verification of credit cards or other payment cards, control of fraud (including the use of credit reporting agencies, comparison for these purposes with information from financial institutions and with other companies that operate with electronic means of payment, and validation checks for payment cards), and the testing, maintenance and development of systems.

  • Based on the exercise of a legal obligation to correctly manage emergency situations, catastrophes and force majeure in general, we may need to share your data with different types of people, companies or organisations whose collaboration is essential for Iberia under these circumstances.

In which cases do we undertake automated processing of your data?

There are situations in which the processing of your data will be totally or partially automated. For example:

  • If you use our AI-enabled chatbots and virtual assistants. The use of these interfaces is voluntary, and you can always choose to contact one of our agents at our customer call centre instead.
  • If you use our online Aircheck application to verify in advance whether your travel documents meet the requirements of the country to which you are travelling. Once again, the use of this application is voluntary, and you can always choose to have your documents checked by our agents at the boarding gate. If you use Aircheck and do not get initial validation of the documents submitted, we give you the option of re-checking them online and this second check is carried out manually by one of our agents.
  • If you buy or book tickets on our website or app, there are a number of automated processes, from the inclusion of your booking in our systems and sending electronic communications to confirm this, to the verification of the legality of the transaction with the payment method that you have used to buy your tickets.
  • If you buy or book tickets on our website or app, there are a number of automated processes, including automated decision-making, that may be carried out. These are based on your previous behaviour and/or searches and may entail the personalisation of the prices you are shown.
  • If changes are made to your booking, as a result of a disruption to your flight or a change in our flight schedules, and we send you a communication to inform you of these changes and the options we offer you in accordance with the terms and conditions of our transport contract and/or our legal obligations towards you as a result of this contract.
  • If we send you personalised information about products and services that we believe may be of special interest to you, or if we suggest modifications to your booking which, in our opinion, may better suit your needs or be of special interest to you; either because you have given us your prior consent to do so, or because we have informed you of our intention and you have not raised any objection to this.
  • In the resolution of certain types of claims that you may have submitted through our website (e.g. requests for compensation for delay or cancellation of flights), unless you have informed us of your objection to this automated processing.
  • If you use the biometric identification and boarding systems available at some of the airports where we operate, provided that you have consented to the use of your data when registering for this type of service through our applications or those of third parties (such as airport management agencies or those of any other airline associated with the same programme).

In cases where any of our automated processing or decision-making is based either on our legitimate business interests or on your prior consent, you can always object to processing or revoke your consent later at any time, as applicable, although this objection or revocation may not be applied retroactively.

IMPORTANT: If the processing of your data is subject to regulations other than those of Spain and/or the European Union, the lawful basis for some of the processing described above may differ from what is indicated in each case. This applies in particular to cases where the lawful basis of the processing indicated is our legitimate business interests. In those cases, and unless the processing in question can be understood to be covered by the need to comply with our contractual relationship with you, or with any legal obligation to which we may be subject, this processing may only be covered by the consent that you have provided us in each case, and only to the extent that you have provided it to us in compliance with the validity requirements established by the applicable data protection regulations.

When will we send marketing to you?

When we collect information directly from you we will ask you if you are happy to receive our marketing communications or to join our Iberia Plus loyalty program. Please note that these communications may refer to our own products and services and, sometimes, they may refer to products and services from other IAG Group companies or even from third party entities –such as, in the case of Iberia Plus, from our partners in this loyalty program where our avios currency may be obtained or redeemed.

Should our intention not be based on your consent previously granted for such a purpose, but on our legitimate business interest, we will inform you on this in a clear way and you will be granted the right to opt-out from receiving such communications.

How can you change the type of communications you receive and how you receive them?

If you decide that you no longer wish to receive commercial communications, you can change your mind at any time. The usual channels for unsubscribing from commercial communications are described below.

  • If you are a REGISTERED CUSTOMER, you can change your privacy preferences at any time by editing the communication preferences in your online profile on www.iberia.com, in your private Iberia area; or through the online individual rights management form on our website available at Personal data management.
  • If you are an IBERIA PLUS MEMBER, you can change your privacy preferences at any time by editing the communication preferences in your online profile at www.iberia.com, accessing your Iberia Plus private area in the "My Profile/Preferences" section; or through the online individual rights management form on our website available at Personal data management.
  • If you are an ON BUSINESS MEMBER, you can change your privacy preferences at any time by editing the communication preferences in your online profile at https://onbusiness.iberia.com; or through the online individual rights management form on our website available at Personal data management.
  • If YOU ARE NOT A MEMBER OF IBERIA PLUS OR ON BUSINESS AND NOT A REGISTERED CUSTOMER, you can also unsubscribe from these commercial communications through the online individual rights management form on our website available at Personal data management.

In addition to the above, all the commercial communications that we send you by email will include an "Unsubscribe" or "Change my contact preferences" option that will allow you to edit the commercial electronic communications that you receive from Iberia or stop receiving them completely.

We will respect your choice as to which communications you wish to receive and the channels through which you will receive them by providing you with the option of customising your preferences.

You can also stop receiving SMS/MMS and WhatsApp messages by replying to them with the word “STOP”.

We strive to process unsubscribe requests as quickly as possible within 30 days of receipt.

Please bear in mind that if you tell us that you no longer want to receive commercial communications, you will still receive operational communications related to the products and services you have purchased. For instance, we will send you confirmation of your booking and any updates and changes related to it. If you are a member of IBERIA PLUS or ON BUSINESS, we will still send you information about matters that affect your membership as well as information such as the inclusion of new partners in the programme.

How long do we keep personal information?

We will keep your information for as long as we need it for the purpose it was collected, unless you request us to delete it and in such a case provided that the Iberia has no longer the need to keep your information for other reasons.

For example, where you book a flight with us we will keep the information related to your booking so we can fulfil the specific travel arrangements you have made and after that, we will keep the information for a period which enables us to handle or respond to any complaints, queries or concerns relating to the booking. The information may also be retained so that we can continue to improve your experience with Iberia and to ensure that you receive any loyalty rewards which are due to you.

We will actively review the information we hold and either delete it securely when there is no longer a legal, business or customer need for it to be retained; or in some cases anonymise it in order to keep using it for administrative or statistic purposes or to develop generic profiles and segmentations that help us learn more about our types of customers in general and their relevant needs and preferences.

Please note that when we have collected the personal information based on your consent and you withdraw such consent, or in the cases where you exercise your right to supress your personal information we may still to keep the information blocked and available to courts, tribunals and other relevant authorities for the minimum term established by law in each particular case and in order for Iberia to meet its responsibilities arising from processing your data.

Who do we share your personal data with?

We may share your personal data with the other airlines in our business group, IAG, which includes International Consolidated Airlines Group S.A. (IAG), British Airways, Iberia Express, Vueling, Aer Lingus, Flylevel, S.L., British Airways Holidays, Avios Group Ltd., BA CityFlyer, IAG Connect and IAG GBS. For more information about our group, please visit the website of our parent company IAG at www.iairgroup.com.

We may share information with these airlines so that they can help us to provide services to you or inform us about your preferences. For example, if you have flown with any other IAG airlines or if you belong to their loyalty programmes, we may use that information to form a clearer picture of the type of travel services that probably interest you.

You will only receive commercial emails from other airlines in our group if you have given your consent to them.

We may also share your personal data with the following third parties for the purposes specified below:

  • Customs and immigration authorities in any country in your itinerary or over whose airspace you may fly. Iberia and all other airlines are obliged by the laws of the United States and other countries to provide the border and customs authorities with access to information about bookings and travel if the flight originates or lands in those countries, including stopovers, or if you fly over them to reach your destination.
    • For example: If your flight involves flying over the US A, we will supply this information to the relevant US authorities.

  • Airlines, maritime or land transport operators, and other service providers that are necessary to provide you with the services you request: for example, if part of your travel itinerary includes a flight operated by a different airline and includes specific services related to the flight that you have decided to book. These airlines, transport operators and service providers will be identified when you make your booking and we will inform you of the data we will need to share with them, either in advance or when we share your data. Your interest in booking these services with third parties will be understood as your express consent to share your data.

    Iberia follows strict criteria when selecting service providers in order to comply with data protection obligations. It also undertakes to sign a data protection agreement with them imposing a set of obligations, including the following: use appropriate technical and organisational methods; process personal data for the agreed purposes and strictly in accordance with the written instructions from Iberia; and erase or return the data to Iberia once the services have been provided.

    • Examples: If travelling to your destination involves changing from an Iberia flight to a flight operated by a different airline, whether it belongs to IAG or not.

    • If you book a ticket through our website to make a journey with a pre-booked transport service, we will provide your name, email address and any other necessary details to the transport company so that they can issue your ticket and make your booking.

    • If you book Bag On Board ("BOB"), the service where we collect your baggage from your home, take it to the airport and check it in, which is available for certain Iberia flights, we will have to provide your data to the service provider so that they can manage the contractual relationship you have requested.

  • Our partner and franchise airlines (such as Air Nostrum Líneas Aéreas del Mediterráneo, S.A. and Air Nostrum): for example, to facilitate your connecting flights or manage benefits derived from the collaboration between loyalty programmes. In addition, travel agencies and other third parties through which you book journeys.

  • If you are a member of the ON BUSINESS or IBERIA PLUS programmes, or any other associated loyalty programme (such as those belonging to other airlines in the ONEWORLD ALLIANCE), we will share information with our partners so that we can manage the joint benefits to which you are entitled. To find out more about the members of OneWorld, please go to the official website: www.oneworld.com.

  • Credit and debit card companies, banks and financial institutions, credit reporting agencies and fraud prevention and control service providers, to process payments and carry out prevention and control processes, respectively. In some cases, these entities may act as independent data controllers. More information about each of them can be obtained upon request.

  • Among the latter, based on our legitimate business interest, we may share the data we collect from you when you buy or book products and services on our website with Riskified Ltd., an Israeli company that will process your data as an independent data controller in accordance with its privacy policy, www.riskified.com in order to:

    • review its transactions to detect and prevent any that may constitute fraudulent activities, and

    • to store that information in their databases in order to increase its comparison sources and improve the future accuracy of its fraud control and prevention services.

    Riskified will carry out automated processing of your data, comparing them with additional data related to other transactions you may have conducted with Iberia and/or on other electronic commerce platforms with which Riskified has similar agreements, in order to analyse the consistency of your payment order according to previously defined criteria. To find out more about how Riskified processes your data and the purposes and lawful basis for doing so, and/or about your data protection rights with the company and how to exercise them, please click on the above-mentioned link to its privacy policy.

  • If you register through the IBERIA website or app, or if you already appear as registered with the “Facial Recognition Programme” to verify the identity of passengers during check-in processes and at the security filters and boarding gates in the airport network managed by Aena (the “Aena Programme”), based on the consent that you have previously given us for these purposes and until you revoke it, each time you fly with us through the Aena airport network we will share your data (i.e. your identity document and the data relating to boarding passes) so that Aena can do the following:

    • verify that you appear as registered with the programme, and

    • if so, link your boarding pass to your profile in Aena.

    To find out more about how Aena processes your data and its purposes and lawful basis for doing so, and/or about your data protection rights with the company and how to exercise them, please refer to its privacy policy available atwww.aena.es.
    You may also revoke your consent to IBERIA sharing information with Aena for these purposes by using any of the channels we provide. Please check the section below entitled "What are your rights when you provide us with your data?".

  • With companies that you have used to obtain information about our flights and special service offers (e.g. metasearch engines for flight deals, holidays and special offers), for the sole purposes of managing the relationships between Iberia and those companies (e.g. conversion fees on purchases) and at all times ensuring as little personal information as possible is disclosed.

  • In response to legal and valid requests from governments and law enforcement agencies, such as customs and immigration authorities or fraud and major crime control authorities, as well as when required by health authorities in investigations of possible infectious outbreaks or contagion on board, to trace possible contacts with infected people and contain the spread of disease. Please remember that, for reasons of control and public safety, Iberia is authorised to disclose your passenger details to the national security governmental authorities of the country of origin, transit or destination at any time prior to arrival. The United States also requires this information for aircraft that fly over its airspace. This information may also be provided to other countries which, by virtue of the applicable laws or treaties, require these details for aircraft that fly over their airspace.

  • External providers to which we outsource services such as carrying out marketing initiatives or conducting customer surveys on our behalf.

  • Third parties such as law firms and courts, insurance companies, intermediaries and experts, to demand compliance with or the execution of an agreement with you, or to defend our legitimate interests in legal, administrative, judicial or extrajudicial actions and proceedings.

  • Third parties such as police and regulatory authorities, to protect our rights and properties or the safety of our customers, employees and assets.

  • If required to comply with a legal obligation in any jurisdiction, even if the obligation is derived from an action or omission by Iberia (for example, our decision to operate in a specific country or a decision related to that).

We will not sell your personal data to third parties and we will only allow third parties to send you commercial communications if you have given your consent.

For USA and Canada only: Your consent to participate in the Iberia SMS/mobile text message programme is specific and voluntary. Iberia will not purchase any consent for this purpose, and Iberia will not sell, lease or share this consent with any third parties.

What countries will your personal information be sent to?

Your personal information may be sent to and stored by us and third parties in countries outside the country in which you are located and in particular outside the European Economic Area.

The nature of Iberia’s business means it is often necessary for us to send your personal information outside the European Economic Area in order to fulfil your travel arrangements, in order to either fulfil our contractual relationship with you or to fulfil our legal obligations as an airline, in accordance to what we have explained in section “What do we use your personal information for and under what legal basis do we use it?” above.

This occurs in the course of providing your travel arrangements and the services you have requested because our business and the third parties identified in “Who do we share your personal information with?” have operations in countries across the world. For example, where you are flying outside of the European Economic Area, your personal information will be transferred to border control and immigration outside of these territories.

Likewise we may have to transfer your personal information to third parties located outside your country in order to allow such third parties deliver services and products you have requested us for.

  • Example: we will need to provide access to our booking and check-in systems to agents of our handling companies that provide these services to us outside Spain.

What are your rights when you provide us with your data?

If you want, you may exercise your right to access, rectify and erase your personal data, or request the restriction of processing of your data, object to their processing, request the portability of your data, and withdraw your consent to automated individual decisions through the following channels:

  • If you are a REGISTERED CUSTOMER, you can exercise most of these rights through your online profile on www.iberia.com, by logging in to your private area.
  • If you are an IBERIA PLUS MEMBER, you can exercise most of these rights through your online profile on www.iberia.com, by logging in to your private Iberia Plus area and selecting "My Profile/Preferences".
  • Likewise, if you are an ON BUSINESS MEMBER, you can also exercise most of these rights through your online profile at onbusiness.iberia.com, by logging in to your private corporate area.
  • To exercise all your other rights, or if YOU ARE NOT AN IBERIA PLUS OR ON BUSINESS MEMBER, or a REGISTERED CUSTOMER, you can exercise each of the aforementioned rights by filling in the online individual rights management form on our website, accessible at Personal data management.

In any case, to be able deal with your request, we need you to send us the information and documents stated as mandatory on the aforementioned form:

  • Your full name
  • Your ID document
  • Your contact details (at least email address)
  • Specific data that are the subject of your request.
  • Any information that may help us to locate the data of your request, such as the record locator or flight numbers and dates.
  • A photocopy of your ID document or passport so we can verify your identity.
  • If you submit the request on behalf of someone else, you will need to provide signed authorisation from the person along with their relevant ID document.

Contact details for other countries outside the European Economic Area

For matters related to the protection of data from Chine or Brazil, select the country on the list of Iberia branches and under 'Data protection' you will see the contact details for our local representatives.

For all over countries, send an email to our Data Protection Office OficinaDPO@iberia.es.

What Data Protection Authority should I address in order to defend or exercise my rights?

You may always address the Spanish Data Protection Authority (“Agencia Española de Protección de Datos”) and submit a claim, especially in the cases where you deem that we have not satisfied your individual rights regarding how we process your personal information. To learn more please visit www.aepd.es.