1. All Firefly passengers SHALL BE REQUIRED to wear face mask in airports and on board flights effective from 23rd April 2020.
2. COVID-19: Important Notice to Passengers Read more
3. Passengers traveling with return flight on the same day are required to present a valid company letter and a letter from Ministry of International Trade and Industry (MITI) with a QR code. Endorsement from PDRM is not required.
4. Passengers traveling for more than 1(one) day for work purposes are required to present a valid company letter and a letter from Ministry of International Trade and Industry (MITI). The inter-state travel form must also be completed and endorsed by PDRM.
FlyFirefly Sendirian Berhad and its group of companies under Malaysia Aviation Group is committed to the protection of your Personal Data and takes the matter of protecting your privacy as high priority.
For the purposes of the EU General Data Protection Regulation (“GDPR”), the data controller is Malaysia Airlines Berhad as a centralised entity for the group of companies under Malaysia Aviation Group including FlyFirefly Sendirian Berhad, with its registered office 1st Floor, Administration Building, South Support Zone, KLIA, 64000 Sepang, Selangor. (from now on referred to as (“FlyFirefly Sendirian Berhad”, “we”, or “us”).
“Personal Data” means any information relating to an identified or identifiable natural person.
The types of Personal Data that we collect directly from you or from third parties depend on the circumstances of collection and on the nature of the service requested or transaction undertaken. It may include:
personal information that links back to an individual;
We may collect and receive Personal Data directly from you or from your authorised representatives (i.e. persons whom you have authorised, persons who have been validly identified as being you or your authorised representative pursuant to our security procedures), from third parties (e.g., travel agent or service providers) or the Personal Data of your relatives or principal where you disclose same on their behalf, including when you:
(a) use any of our services, including when you travel with us or use airports where we operate or any facilities within those airports that we operate, such as our lounge facilities;
(b) use or access our Website or Mobile Apps, particularly when completing the "passenger details" section during the course of a booking, even if you do not complete the booking;
(c) communicate with us such as by email, telephone, in writing or through our customer services pages or social media platforms; or
(d) register, create or modify an online or in-app account with us, including your Enrich membership.
We may also collect your Personal Data from publicly available sources through our Website or Mobile Apps and other channels including our ticketing counters and airport operations and third party providers or our subcontractors where you have consented to providing your Personal Data to them or where we subcontract them to assist us in providing services to you (e.g. wheelchair assistance, transfers, special meals).
Where you disclose Personal Data on behalf of another person, you undertake and will ensure that the individual whose Personal Data is supplied to FlyFirefly Sendirian Berhad has authorized the disclosure, is informed of and consents to the terms and conditions of this Privacy Notice. Where the disclosure if in respect of a child’s Personal Data, you should do as only as the parent or legal guardian of that child and enter into relevant contracts on behalf of that child.
We may use your Personal Data for the following purposes:
to enable us to provide our services and perform our obligations to you;
to facilitate your travel (e.g., making a booking) and freight arrangements;
to verify identity of passengers and perform luggage check-ins;
to provide flight alert messages;
to facilitate internet check-in;
to process any commercial transaction (e.g. In-flight sales);
to facilitate your participation in our or third parties’ loyalty programs;
to protect the safety and well-being of yourself and/or other customers;
to investigate and respond to claims and inquiries from you;
to remind you to complete your booking and/or offer our assistance (in case, for instance, failure to complete due to technical difficulties). This is an optional service. You can choose not to receive these emails at any time by following the link at the bottom of each such email;
to provide in-flight catering and other services that best meet your preferences and needs;
for financial purposes such as credit or other payment card verification, accounting, billing and audit; and / or
for business development purposes such as statistical and marketing analysis, systems testing, maintenance and development, customer surveys, customer relations to advise on alterations to flights or to help us in any future dealings with you, for example by identifying your requirements and preference;
to comply with any legal or regulatory requirements;
to communicate promotions, offers, product, services and information on products and activities, offers to upgrade or other notifications in relation to your booking; and/or
to operate our competitions, promotions and events via our newsletters and other communications offered by FlyFirefly Sendirian Berhad, any group of companies under Malaysia Aviation Group or our selected business partners.
What are our legal bases for processing your Personal Data?
There are a number of different ways that we are lawfully able to process your Personal Data. We have set these out below.
Where using your Personal Data is necessary for us to carry out our obligations under our contract with you
We are allowed to use your Personal Data when it is necessary to do so for the performance of our contract with you.
For example, we need to collect your contact details in order to be able to book your flight or provide you with any additional services you have requested.
Where processing is necessary for us to carry out our legal obligations
As well as our obligations to you under any contract, we also have other legal obligations that we need to comply with and we are allowed to use your Personal Data when we need to in order to comply with those other legal obligations
For example, we are required to transfer certain Personal Data to government authorities for anti-terrorism purposes.
Where using your data is in our legitimate interests
We are allowed to use your Personal Data where it is in our interests to do so, and those interests aren't outweighed by any potential prejudice to you.
We believe that our use of your Personal Data is within a number of our legitimate interests, including but not limited to:
To enable us to provide our services to our customers;
To help us satisfy our legal obligations (for example, in relation to anti-terrorism);
To help us understand our customers better and provide better, more relevant services to them; and
To help us keep our systems and physical premises secure and prevent unauthorized access or cyber attacks.
Where you give us your consent to use your Personal Data
We are allowed to use your data where you have specifically consented. In order for your consent to be valid:
It has to be given freely, without us putting you under any type of pressure;
You have to know what you are consenting to – so we'll make sure we give you enough information;
You should only be asked to consent to one thing at a time – we therefore avoid "bundling" consents together so that you don't know exactly what you're agreeing to; and
You need to take positive and affirmative action in giving us your consent – we're likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.
As part of our relationship with you, we may ask you for specific consents to allow us to use your data in certain ways. For example, we currently ask for your consent to provide you with marketing communications. If we require your consent, we will provide you with sufficient information so that you can decide whether or not you wish to consent.
You have the right to withdraw your consent at any time. We have set out details regarding how you can go about this above.
We will seek to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise.
Right to object
This right enables you to object to us processing your Personal Data where we do so for one of the following reasons:
because it is in our legitimate interests to do so (for further information please see below);
to enable us to perform a task in the public interest or exercise official authority;
to send you direct marketing materials; or
for scientific, historical, research, or statistical purposes.
Right to withdraw consent
Where we have obtained your consent to process your Personal Data for certain activities (for example, for marketing), you may withdraw this consent at any time and we will cease to use your data for that purpose unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.
In particular, you may elect to stop receiving promotional activities by:
unsubscribing from the mailing list;
editing the relevant account settings to unsubscribe; or
You may ask us for a copy of the information we hold about you at any time, and request us to modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this unless permitted by law. If you request further copies of this information from us, we may charge you a reasonable administrative cost. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.
Right to erasure
You have the right to request that we "erase" your Personal Data in certain circumstances. Normally, this right exists where:
The data are no longer necessary;
You have withdrawn your consent to us using your data, and there is no other valid reason for us to continue;
The data has been processed unlawfully;
It is necessary for the data to be erased in order for us to comply with our obligations under law; or
You object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we will always tell you our reason for doing so.
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.
Right to restrict processing
You have the right to request that we restrict our processing of your Personal Data in certain circumstances, for example if you dispute the accuracy of the Personal Data that we hold about you or you object to our processing of your Personal Data for our legitimate interests. If we have shared your Personal Data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your Personal Data.
Right to rectification
You have the right to request that we rectify any inaccurate or incomplete Personal Data that we hold about you. If we have shared this Personal Data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete Personal Data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
In particular, you may update or make amendments to your Personal Data as below:
for online registered customers, you may login to your online account and update your Personal Data; or
If you wish, you have the right to transfer your Personal Data between service providers. In effect, this means that you are able to transfer the details we hold on you to another third party. To allow you to do so, we will provide you with your data in a commonly used machine-readable format so that you can transfer the data. Alternatively, we may directly transfer the data for you.
Right to complain
You have the right to lodge a complaint with our regulator, who is the Commissioner of Personal Data Protection in Malaysia.
We will not trade or sell your Personal Data to third parties. Your Personal Data shall only be disclosed or transferred to the following third parties appointed or authorised by the Company, who may be located within or outside Malaysia:
our travel and freight service providers or travel-related businesses;
our partner airlines and other carriers;
our other affiliates and subsidiaries where it is necessary to facilitate your travel;
credit card verification providers;
IT service providers;
data analytics and/or marketing agency;
other third parties in order to process your commercial transactions;
legal bodies as permitted or required by law such as in compliance with a warrant or subpoena issued by a court of competent jurisdiction; and/or
customs, immigration or other regulatory authorities applicable to you; and/or
safety and security personnel.
In addition to the above, your Personal Data may also be disclosed or transferred to any of the Company’s actual and potential assignee, transferee or acquirer (within or outside Malaysia) (including our affiliates and subsidiaries) of our business, assets or group companies, or in connection with any corporate restructuring or exercise including our restructuring to transfer the business, assets and/or liabilities.
We will store your Personal Data in the country in which we are based (i.e. Malaysia). As discussed above, we may also disclose your Personal Data to our group companies and their service providers located in Malaysia and elsewhere, and to employees operating outside of the EEA who work for us or for one of our group companies or their respective service providers.
We want to make sure that your Personal Data is stored and transferred in a way which is secure.
We will therefore only transfer data outside of the EEA where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data. For example, this could be:
By way of an intra-group agreement between MAB entities, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of Personal Data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws;
By way of a data transfer agreement with a third party, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of Personal Data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws; or
By transferring your data to an entity which has signed up to the EU-U.S. Privacy Shield Framework for the transfer of Personal Data from entities in the EU to entities in the United States of America or any equivalent agreement in respect of other jurisdictions; or
By transferring your data to a country where there has been a finding of adequacy by the European Commission in respect of that country's levels of data protection via its legislation; or
Where it is necessary for the conclusion or performance of a contract between ourselves and a third party and the transfer is in your interests for the purposes of that contract; or
Where you have explicitly consented to the data transfer.
We will take all reasonable precautions necessary to protect your Personal Data from misuse, interference and loss; and unauthorised access, modification or disclosure. In addition, the Company will secure your data in following ways:
register all those who are allowed access;
control and limit access based on necessity;
maintain proper record of access and transfer of Personal Data;
ensure all employees of the Company protect confidentiality;
conduct awareness programmes to all employees on responsibility to protect Personal Data;
establish physical security procedures;
bind third parties involved in processing of Personal Data; and
do not use removable device and cloud computing service to transfer or store Personal Data unless with written consent from top management of the Company.
Chief Privacy Officer,
Business Integrity Department, Malaysia Airlines Berhad,
1st Floor, Administration Building, South Support Zone, KLIA,
If you are our Enrich members and wish to change your personal details, you may login to Enrich portal at here. If you wish to amend either your Name or Date of Birth, please contact our Enrich team here. If you have any queries or issues regarding your reservation and flight details, please click here.