Information about data protection

The information about data protection set out below applies from 25 May 2018 and reflects the enhanced requirements for transparency laid down in the EU General Data Protection Regulation.

Who is the data controller?

Deutsche Lufthansa AG (Venloer Strasse 151-153, 50672 Cologne, Germany) (also referred to below as “Lufthansa”, “we” and “us”) would like to inform you how we process your personal data in connection with our product offers. You can access these offers directly via lufthansa.com (the “website”) and the Lufthansa app.

Any reference below to Lufthansa Group airlines refers to the airlines Lufthansa, SWISS International Airlines AG, Austrian Airlines AG, Brussels Airlines S.A. and Eurowings GmbH. The Lufthansa Group includes the Lufthansa Group airlines and other companies that belong to the Lufthansa Group.

Whom can I contact?

Please contact our Data Protection Officer if you have any further questions about data protection relating to our website or the services provided there:

Corporate Data Protection Officer of the Lufthansa Group
Deutsche Lufthansa AG
Email: datenschutz@dlh.de
Please address any requests for information to:
Deutsche Lufthansa AG
Data Information
FRA CJ/D
60546 Frankfurt

Or by email to:
datenauskunft@dlh.de

Correspondence is not encrypted if you contact us by email.

Representative in Switzerland:

Our representative in Switzerland in accordance with Art. 14 of the Swiss Federal Act on Data Protection is Swiss International Air Lines AG, PO Box, Data Protection, ZRHS/CJ, CH-8058 Zurich Airport, Switzerland.

 

Why do we process your data (purpose of processing) and what is the legal basis for the processing?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).

We process personal data to fulfil our contractual obligations under Art. 6(1)(b) GDPR. These include in particular:

  • The sale, rebooking and refunding of flight tickets and upgrades
  • The sale and provision of flight-related services, such as a-la-carte menus, pre-ordered in-flight meals, preflight shopping, eJournals and baggage services
  • Customer communications, such as sending passenger receipts and providing flight-related information
  • Managing check-in and boarding processes, from the check-in invitation, through the travel and entry documents checks, to waiting list processing and baggage handling
  • Collecting and transmitting contact details as required by local authorities based on mandatory statutory regulations and therefore required to ensure compliance with the terms of the contract of carriage
  • Access to a lounge
  • Recording and processing customer feedback and customer enquiries

We also process your data for the purposes of our legitimate interests in accordance with Art. 6(1)(f) GDPR

  • So that we can send you relevant information about your booked flight and your destination
  • To prevent, investigate and prosecute criminal acts such as fraud, e.g. credit card fraud, identity theft, or the use of fraudulent means to obtain special terms and conditions or fare offers
  • To pursue legal claims, including debt collection and defence in the event of legal disputes
  • For audit purposes
  • To ensure IT security, the operation of IT systems and the operation of the airline, including data use for testing purposes
  • To ensure flight safety
  • For advertising purposes, unless you have objected to the use of your data
  • To produce international aviation statistics
  • To produce statistics in order to improve our products and services. In individual cases, we create customer profiles for this purpose while processing the booking data. However, these profiles are immediately anonymised and are not used to analyse or predict personal preferences.
  • To communicate with you where an ongoing business relationship with you or your employer already exists, or where it is intended to initiate one (business contacts)
  • To plan support services and improve punctuality. By the early detection of a passenger’s potential delay at the gate during the boarding process, the unloading of baggage can be initiated at an early stage. For this purpose Fraport AG at Frankfurt Airport records the time at which boarding passes were checked before passengers accessed the security area. It then provides this information to us/LH at the departure gate shortly before departure so that we can search for any missing or potentially delayed passengers. You can find further information about this data collection and processing by Fraport AG in their privacy policy.

We process your data based on your consent under Art. 6(1)(a) GDPR for specific purposes, in particular:

  • To send out the “Best Price Alert” newsletter with personalised offers from Lufthansa
  • To send out newsletters with regular offers from Lufthansa
  • So you can receive targeted information and offers from Lufthansa and partner companies
  • For market research and customer surveys
  • For personalised use of the website and personalised offers, including profiling
  • To assist with processes relating to the use of the website, with reminder functions and live chats
  • For analytical purposes to improve our offers to you.

We process your data to check your Covid-19 entry documents. We do so on the basis of your consent to the verification of Covid-19 entry documents under Art. 9(2)(a) GDPR.

You may withdraw your consent at any time. This also applies to the withdrawal of any declarations of consent that you gave us before the GDPR came into effect, i.e. before 25 May 2018. The withdrawal of your consent does not apply retroactively and does not affect the lawfulness of data processing until the date of withdrawal.

What other obligations require us to process your data?

We process passenger data based on our statutory obligations under Art. 6(1)(c) GDPR.

When we are legally required to do so, we process personal data to fulfil our retention obligations under commercial and tax laws, or our statutory security and safety requirements (for example under Section 7 of the German Aviation Safety Act (Luftsicherheitsgesetz – LuftSiG)). Please refer to the section “Duration of data processing” if you would like further information about these retention periods.

Data transmission to immigration authorities:

  • Based on the Passenger Data Agreement between the EU and USA, and the EU and Canada
  • Based on the German Passenger Data Act (Fluggastdatengesetz – FlugDaG) in Germany and within the EU where the EU destination countries have implemented EU Directive 2016/681
  • Based on the Trade and Cooperation Agreement between the European Union and the United Kingdom
  • API* (Advance Passenger Information) – we transmit data to the extent we are obliged to in order to comply with international travel control measures

Transmission to health authorities:

  • To combat a pandemic

We process passenger data based on our statutory obligations under Art. 9 (2)(g) GDPR.

Where we are legally required to do so, we process personal data to check your health status required for entry to the country concerned.

* Data stored in the machine-readable area of passports or ID cards
You can request further information about this from the relevant authorities.

Which personal data are you obliged to provide?

We have marked some fields as mandatory in the forms on our website where information is legally or contractually required. You must complete these fields so that we can provide you with the contract or service you wish.

How long will your data be stored?

Your personal data is erased as soon as it is no longer required for the purposes stated. However, we must continue to store your data until the end of the retention periods and deadlines stipulated by the legislator or the supervisory authorities in the German Commercial Code, Tax Code and Money Laundering Act. These deadlines are generally between six and ten years. We may also retain your data until the end of the statutory limitation periods (generally three years, in individual cases up to 30 years) where required for the establishment, exercise or defence of legal claims. After that, the relevant data is routinely erased.

Who receives your data?

Your data may be shared with the following categories of recipients in the context of the data processing above and the respective legal bases stated (contract performance, legitimate interests, consent or processing obligations under law):

  • Lufthansa Group airlines
  • Vicarious agents, e.g. service providers for ground handling and other additional services in this context
  • Other airlines and providers of ground transport services that perform part of the carriage
  • Other service providers, e.g. for the provision of the website, distribution of newsletters, the processing of feedback and the preparation of international aviation statistics
  • Government authorities and institutions, e.g. on the basis of entry regulations or police activities and investigations.

Personal data may be transmitted to third countries or international organisations in this context. Appropriate security measures will be taken for such data transfers to protect you and your personal data in accordance with and in compliance with the statutory regulations.

We use EU standard contractual clauses if these transfers have no legal basis or are made to a country for which the EU Commission has not issued an adequacy decision.

For information about EU standard contractual clauses, see the Commission Decision on standard contractual clauses for the transfer of personal data to commissioned processors in third countries.

What are your data protection rights?

Lufthansa is committed to fair and transparent data processing. It is therefore important to us that data subjects – providing the relevant legal requirements are met – are not only able to exercise their right to object, but also the rights listed below:

  • Right of access by the data subject, Art. 15 GDPR
  • Right to rectification, Art. 16 GDPR
  • Right to erasure (“right to be forgotten”), Art. 17 GDPR
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right to object, Art. 21 GDPR

If you wish to exercise your rights, please send an email to dataauskunft@dlh.de.
Please provide the following information, so that we can identify you:

  • Name
  • Postal address
  • Email address and optionally: Customer number or booking code or ticket number

If you send us a copy of your passport or ID card, please redact (black out) all data apart from your first name(s), surname and address.

Please note that we will use your personal data in accordance with Article 6(1)(c) GDPR to process your request and for identification purposes.

You have the right under Art. 77 GDPR in conjunction with Section 19 BDSG to lodge a complaint with a supervisory authority. The relevant supervisory authority for Lufthansa is:

The Officer for Data Protection and Freedom of Information of the State of Hesse
PO Box 3163
65021 Wiesbaden

Information about your right to object under Article 21 GDPR

You have the right to object to the processing of your personal data at any time in accordance with the legal bases that relate to your specific situation. This right is based on Art. 6(1)(e) and (f) GDPR. This also includes profiling based on these provisions.

The data controller will then no longer process your personal data, unless the data controller can prove valid, legitimate grounds for processing that override your interests, rights and liberties, or if the processing is required for the establishment, exercise or defence of legal claims.

If your personal data is processed for the purposes of direct marketing, you have the right to object to the processing of your personal data for such marketing at any time. This also includes profiling when this is carried out in connection with direct marketing.

If you object to the processing of your personal data for the purposes of direct marketing, your personal data will no longer be processed for such purposes.

You can exercise your right of objection in connection with the use of the services of an information company – notwithstanding Directive 2002/58/EC – in an automated process in which technical specifications are used.

Which data do we process when you visit our website?

Lufthansa uses browser cookies, scripts, web beacons, tracking URLs, pixel tags and similar technologies (referred to below as “cookies”) to provide, protect and improve our website and applications.

You will find more detailed information about the data processed and our partners in our Cookie Policy.

You can change your consent via the link “Change cookie settings” found at the bottom of each page.

Chat assistant

To use self-services, request general information or find out about future destinations, you can contact us by means of our chat service on our website or our defined messenger services. Depending on the requirements or complexity of your enquiry, it can also be answered by one of our service agents on a live chat.

We request the personal data required for the respective purpose (e.g. booking number) from you in order for you to use our services, e.g. rebooking or refunding your flight, or to answer questions about products and services relating to your trip.

If you have registered with your Travel ID profile, we can also offer you a personalised service based on the information stored in your Travel ID profile, e.g. display a selection of your bookings. Further details on the processing of your data in the context of Travel ID use can be found in the Travel ID data protection information.

We have a commissioned data processing contract with WhatsApp Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Ireland, for contact via WhatsApp. WhatsApp uses end-to-end encryption for communications. Information disclosed in the chat is therefore not visible to WhatsApp. Information about the processing of personal data when you use WhatsApp can be found in the WhatsApp Privacy Policy.

Your personal data is generally processed within the EU.

Electronic messages and information for marketing purposes

You can receive information, offers, surveys about travel related preferences, customer satisfaction surveys, and newsletters on the topic of travel from us, companies of the Lufthansa Group, or partner companies, via communication channels chosen by you, such as email, SMS, messenger services, and telephone.

These messages and offers can be personalized through the use of technologies that allow us to determine whether the recipients have opened the message or otherwise interacted with electronic advertising communications. Please refer to our Cookie Policies for further details.

If we ask for your consent, for example, when you subscribe to a newsletter, our legal basis for this processing is your consent (Art. 6 Para. 1 lit. a) GDPR). You can revoke your consent to the processing for this purpose at any time with future effect by following the corresponding unsubscribe link in the respective communication.

If we process your personal data for information and marketing activities without asking for your consent, we have concluded in individual cases that our legitimate interest provides a sufficient legal basis for the corresponding processing (Art. 6 Para. 1 lit. f) GDPR).

In-flight entertainment and FlyNet

Our in-flight entertainment programme offers you a wide range of films, music, newspapers and much more to choose from. You can find tips and the current weather report for your destination, make purchases from the Lufthansa Worldshop and obtain information about services relating to your connecting flights using the free FlyNet portal. We only process personal data (internet protocol data) for this that is required for notifications and the functioning of the website. For an additional charge we also offer you internet access on our flights via the FlyNet programme. You can buy the right access package for you with our partner Deutsche Telekom directly on the FlyNet portal.

The legal basis for the processing of your personal data is the contract of carriage concluded with you.

You can also log in with your travel ID profile to customise our in-flight entertainment programme and FlyNet services to your own requirements.

Information about membership of the Miles & More programme

You can register for the Miles & More programme on our website.

You will find further information about the processing of your personal data as part of the Miles & More programme ​in the Miles & More Privacy Policy.

Information about participating in Travel ID

You can register for Travel ID on our website.

You can find further information about the processing of your personal data as part of Travel ID here.

Go to information about the processing of personal data for Travel ID

Biometric identification at the airport

You can register with operators of biometric identification services and benefit from the advantages of a biometric identification system (facial recognition) for selected flights at certain airports, without a boarding pass or smartphone.

The operator concerned is the data controller as defined in the EU GDPR for processing personal data required for the registration of a biometric profile and biometric identification. You may use the biometric identification services of the following operators:

  • Star Alliance

Processing within our responsibility

  • If you have received your digital boarding pass as part of our online check-in, we then forward your digital boarding pass to the operator of the biometric identification service of your choice upon request, i.e. if you make the corresponding selection.
  • We take a brief video sequence at access points/devices operated by us at the airport (e.g. boarding gate) that are equipped with cameras for this purpose. A defined number of non-biometric photos are extracted from this and sent to the operator of the biometric identification service for the purpose of identifying you.

Categories of recipients

  • IT service providers with registered office within the EU (commissioned processors)
  • Suppliers of the biometric identification service (data controllers)

Duration of data storage

As soon as the identification process has been completed and/or your data has been transmitted, the data is deleted from the access points/devices.

Legal basis for processing

Your data is processed on the basis of your consent under Art. 6 (1)(a) and Art. (9)(a) GDPR that you provided to the operator of the relevant biometric identification services during registration. You can withdraw your consent to the use of biometric identification from the relevant operator at any time. For details regarding processing your personal data and the withdrawal of your consent, please refer to the privacy policy of the operators:

  • Star Alliance

Examples of the use of your data for our services

Flight booking

When you purchase a flight ticket on our website, in principle we process the following personal data about you:

  • Title, first name, surname (collectively “master data”)
  • Landline and/or mobile phone number, email address (for the passenger receipt) (collectively “contact details”)
  • Your preferred payment method and associated data, together with the payer’s master data, address and contact details (collectively “payment details”).

Optionally, you may provide the following data:

  • Date of birth
  • Nationality and passport details (“identification data”)
  • Frequent flyer information, such as the programme of which you are a member and your membership number (“frequent flyer data”)
  • Your preferred meal
  • “Redress Code” (US Immigration Authorities)
  • PartnerPlusBenefit programme (for companies)

Flight-related travel information

A few days before your departure date you will receive an email with information about your upcoming trip, together with offers of additional personalised services and any free travel services available. You can object to the sending of the pre-flight email at any time using the link in the travel information relating to your flight.

Check-in services

You will receive a notification as soon as the online check-in for your flight is open so that you can select your seat in good time.
You will be offered a link to online check-in if you access your booking on lufthansa.com, or if you are logged into lufthansa.com or the Lufthansa app and an upcoming trip is linked to your customer profile.

We will inform you through an unencrypted email that the online check-in for your upcoming trip is open if you have stored an email address in your customer profile and your current booking is linked to your customer profile, or if you provided an email address when making your booking. You can go from this email directly to the online check-in for your flight. This access is enabled using an encrypted direct link.

Alternatively, you can provide the following information during the online check-in:

  • Frequent flyer data (frequent flyer programme and card number)
  • Mobile phone number and/or email address to receive mobile boarding passes and notifications of flight disruptions (emails sent for this purpose are explicitly unencrypted)

Automated check-in

If you have agreed to automated check-in (which is the default setting for all Miles & More customers) in your customer profile (Miles & More or Travel ID), you will automatically be sent your mobile boarding pass for flight bookings that are completely within the Schengen area and booked no later than 24 hours before departure.

Notifications about flight status and flight disruptions

You have the option of giving us a mobile phone number and/or an email address when booking, when updating your booking, or in the customer profile (Travel ID or Miles & More) linked to your booking. This will allow us to send you your boarding pass and/or enable you to use the Lufthansa app for your flight. We will inform you (either by SMS or unencrypted email and/or via the app) about any changes to the flight status and in particular about flight disruptions.

Additional services for your journey using the Lufthansa app

Personal details

You have the option of storing personal data locally on your mobile device using the Lufthansa app. This ensures that the necessary information is pre-filled during the check-in process, making check-in faster and more convenient.
Travel documents (passport, ID card, residence permit and visa) can also be saved using the scan function.

The personal data stored on your device is only processed locally in the app and includes:

  • Identification data for check-in (type of frequent flyer card, card number, surname, first name)
  • Contact details (mobile phone number or email address)
  • Entry document data (passport, ID, residence permit, visa, other types of documents)

Please note that it is not possible to rule out misuse by third parties, e.g. if your mobile phone is stolen. We therefore recommend you protect your mobile phone accordingly, e.g. with a code. Lufthansa explicitly points out that the storage of this data is at your own risk and Lufthansa cannot be held liable for any misuse.

Location services and airport maps

We can show you your current location on our digital airport maps if you grant the Lufthansa app access to your location (using the app location service settings in the respective operating system). This setting is required so that we can offer you further services relevant to your location.
We process tracking data to determine your position (dynamic IP address, location data from Bluetooth, Wi-Fi or the GPS function on your device).

Location-linked services

We include your location for our location-linked information providing you have consented to this in your smartphone settings under the location service settings of the app in the operating system concerned.

This enables us to send you the offers that are relevant to your location. Processing the movement data of your smartphone in anonymised form also helps us to predict waiting times, e.g. at security checkpoints.

Your location will only be used for the purposes stated above.

If you do not wish to use our location-related services, you can deactivate them at any time in the settings of the Lufthansa app.

Feedback

You can give us your opinion via various channels. You are also free to decide how you would like to communicate with us. You also have the option of sending us data via the feedback form on our website. Another option is to communicate with us by letter. You can also use other channels to give us feedback, e.g. your email address, a fax or the Lufthansa app. Please note that your individual feedback may be used for training and quality purposes.

  • If your message includes a request for financial compensation, in specific cases we may ask you for a copy of your official photo ID for your protection and to identify you positively.