Privacy Policy

We look forward to your visit to our website, where we offer you personalized information about our company and our services. We consider transparency and integrity important issues to consider in the processing of your personal data. We observe data protection regulations, namely the EU General Data Protection Regulation (“GDPR”), the Federal Data Protection Act (“BDSG”) and the Telemedia Act (“TMG”).

In this Privacy Policy, we explain what information (including personal data) we process during your visit and use of our above internet offering (“Website”) and what rights you have over your personal information.

1. Responsibilities

The party responsible (under data protection law) for the processing of personal data is EW Discover GmbH ( Hugo-Eckener-Ring 1, FAC Building, 60549 Frankfurt a. M.). Any references to “we” or “us” in these data protection instructions refers in each case to the aforementioned company. If you have any questions or comments about data protection, please send an email to legal4y@lufthansa-group.com or to the Lufthansa Group data
protection officer at datenschutz@dlh.de.

2. Which principles do we observe?

In compliance with data protection regulations, we process your personal data only if permitted by law or if you have given your consent. This also
applies to the processing of personal data for advertising and marketing purposes.

We may also collect information on this website that cannot be used by itself to identify you personally. In certain cases, especially when combined
with other data, this information can nonetheless be considered “personal data” as defined by data protection legislation. We may also collect information on this website that does not allow us to identify you, either directly or indirectly; this includes, for example, aggregated information about all users of this website.

3. What data do we process? For what purposes and on what legal basis does this processing take place?

When you visit this website, our web server automatically stores data and information about the device and browser you are using. This information
includes the browser type and version used, the operating system, the Internet Service Provider, the IP address of your device, the date and time of access, the website from which you visited our website, and the pages you visited on our website. We process this technical information in the log
files of our systems and do not combine them with other personal data about you. We process technical information in order to enable you to
access our website, to ensure the functionality of our website and the security of our IT systems, and to optimize our website. The legal basis for
this type of processing is Article 6, Section1 (f) of GDPR and § 15 Section 1 of TMG. WE collect and process personal data on the following scope:

  • Log Files: When you visit this website, our web server automatically stores data and information about the device and browser you are
    using. This information includes the browser type and version used, the operating system, the Internet Service Provider, the IP address
    of your device, the date and time of access, the website from which you visited our website, and the pages you visited on our website. We process this technical information in the log files of our systems and do not combine them with other personal data about you. We process technical information in order to enable you to access our website, to ensure the functionality of our website and the security of our IT systems, and to optimize our website. The legal basis for this type of processing is Article 6, Section1 (f) of GDPR and § 15 Section 1 of TMG.
  • Flight booking: We process this data for the purpose of fulfilling the contract of carriage into which we have entered with you. This processing is based on Article 6 (1b) of the GDPR.
  • Booking dates: (specifically your first and last name, your date of birth, your billing address and other details on the payment method you selected, and, if applicable, passport/visa information). You can give additional information on a voluntary basis (such as your email address or cell phone number). Required information is designated as such on our website; without this information, the completion of your booking is not possible. We process this data for the execution of the contract of carriage with you; the legal basis for this is Article 6, Section 1 (b) of GDPR. In addition to the means of payment and contact details provided by the customer, the device’s browser data is passed on to payment service providers. The legal basis for this transfer is Article 6 Paragraph 1 Clause 1(c) of the GDPR.
  • Flight-related mailings: We use your email address for sending flight-related information and offers by email, such as to remind you
    of check-in or to offer you additional services for your flight (seat, carry-on luggage, meals, best-in-class seat pitch) as well as to send Private Policy EW Discover GmbH you partner offers. The legal basis for this is Article 6, Section 1 (f) of GDPR as well as Section 7 of UWG.
  • Passenger Information: If you book a flight for one or more other persons, we will also need the first and last names of these passengers, as well as their dates of birth. This information is also required for completing the booking. We process this data to safeguard our legitimate interest in the execution of the contract of carriage with you; the legal basis for this is Article 6, Section 1 (f) of GDPR. When booking a flight for other persons, please provide this privacy policy to one or more of these persons.
  • Advanced Passenger Information (API): An increasing number of destination countries (in the future to include member states of the
    European Union) require us as an airline to provide data about passengers entering or leaving the country, in some cases even when flying over the country in question. Applicable legal provisions typically stipulate the provision of data about the identity and travel documents (passport, visa) of the passengers and crew members on board. Not all of these data are collected by us at the time of booking; in many cases, the collection of this information takes place shortly before departure, potentially via the “machinereadable area” of recent travel documents. We process these data
    exclusively for provision to the authorities of the respective destination country in fulfilment of our legal obligations; the legal basis for this is Article 6, Section 1 (c) of GDPR.
  • Contact Persons: In accordance with Regulation (EU) 996/2010 on the investigation and prevention of civil aviation accidents and
    incidents, there is the possibility for each passenger to name a contact person. This information is linked to the booking and used
    exclusively to meet the requirements of the above regulation. The legal basis for processing this data is Article 6, Section 1 (c) of GDPR.
  • Partner frequent flyer programs: When booking a flight, you can earn reward points/miles from our partner’s frequent flyer programs. For this, we require the corresponding program number (such as Miles & More). Furthermore, we also ask for information required to process your booking. We transfer to our partners the specified program number as well as your first and last name, booking class, route, fare, booking code, seat number and ticket number so that the bonus points/miles can be credited to the respective program. The legal basis for this is Article 6 (1) b) GDPR.
  • Contact: You can communicate with us via our contact form, the call center, by email or social media, as well as using the form for investigation of a compensation claim pursuant to Article 7 of Regulation (EC) No. 261/04. We collect all the information you provide and keep it only as long as is necessary for the processing of your request. After processing is complete, the data could be kept longer for reasons of evidence. The legal basis for this is Article 6, Section 1 (a) (b) as well as (f) of GDPR.
  • Further legitimate interests: To the extent necessary, we process your data beyond the above purposes for the protection of our
    legitimate interests or the interests of third parties; this is done on the basis of Article 6, Section 1 (f) of GDPR. Our legitimate interests include:
    • the assertion of legal claims and the defense of legal disputes;
    • the prevention and investigation of criminal offences; and
    • the management and further development of our business activities, including risk management.

4. Who receives my data?

Your personal data is generally processed within our company. Depending on the type of personal information, only certain departments/organizational units have access to your personal information. These include, in particular, the specialist departments involved in the provision of our services and our IT department. A role and authorization concept limits access within our organization to those functions and to the extent required for the particular purpose of the processing. We may also transfer your personal information to third parties outside our company to the extent permitted by law. In particular, these external receivers may include the following:

  • Affiliates to whom we transfer personal information for internal management purposes within the Lufthansa Group;
  • third parties we use to provide our services (such as the operation of flights), only to the extent the transmission is necessary to fulfil contracts executed with us, such as providers of ground handling services at the airports we serve;
  • the service providers we use, for example in the areas of transport (e.g. resources, persons, etc.), marketing (e.g. ads, newsletters, etc.), IT (e.g. provision of hardware, SaaS, etc.) or payment processing (e.g. payment service providers, direct debiting, etc.), who provide services to us based on a separate contract which may also include the processing of personal data, as well as subcontractors of our service providers whose services are used with our consent;
  • public entities (e.g. customs, federal police), in cases where we are required by law to provide your personal data (e.g. entry requirements or police activities and investigations).

5. Is there automated decision-making?

In general we do not use any automated decision making (including profiling) in connection with users of our website, as per Article 22 of
GDPR. If we use such procedures in individual cases, we will inform you separately about this to the legally required extent.

6. Will data be transmitted to countries outside of the EU?

In principle, the processing of your personal data takes place within the EU or the European Economic Area.

If the information provided includes personal data and we do not have a legal obligation of disclosure (such as Advance Passenger Information), we
will ensure that the third country or the recipient in the third country has required a sufficient level of data protection. Where the information provided includes personal data and we do not have a legal obligation to disclose such data (e.g. Advance Passenger Information), we will ensure that the third country or the recipient in the third country (for cookies: USA, Belarus, Singapore, Australia, South Africa, Turkey and China) has the required adequate level of data protection. Alternatively, we may also base the transfer of data on so-called “EU standard contractual clauses” agreed with a recipient or, in the case of US recipients, on compliance with the principles of the so-called “EU-US Privacy Shield”. We will gladly provide you with further information at your request about the applicable guarantees for maintaining an adequate level of data protection; our contact information can be found at the beginning of this privacy policy.

7. How long will my data be saved?

Your personal data will be deleted when it is no longer needed for the aforementioned purposes. However, in some cases, we may be required to store your data until the mandatory retention periods established by the legislator or supervisory authorities, which may be contained in the German Commercial Code, the German Tax Code, or the Anti-Money Laundering Act, and generally are 6 to 10 years, have expired. In addition, we may store your data until the expiry of the statutory limitation periods (i.e., generally for 3 years; but in individual cases for up to 30 years) where this is necessary for the assertion or exercise of, or defense against, legal claims. Afterwards the relevant data are routinely deleted. Even without a legitimate interest, we can continue to store the data if we are legally obligated to do so (for example, to fulfil record-keeping obligations). We also delete your personal data without your involvement as soon as its retention is no longer necessary to fulfil the purpose for which Private Policy EW Discover GmbH it was processed, or in cases where storing your data is otherwise legally inadmissible.

In general:

  • log data is deleted within thirty days, unless further storage is required for lawful purposes such as the detection of misuse and the detection and removal of technical malfunctions;
  • the data processed in connection with flight bookings is deleted at the latest upon the expiry of the statutory retention periods (i.e., after a maximum of 10 years); and
  • The data processed in connection with customer communication is deleted after a maximum of five years (Regulation [EC] No. 261/2004).

8. What rights do I have?

  • Right to object, according to article 21 GDPR
    You have the right, at any time, to object to the processing of personal data concerning you pursuant to Article 6, Section 1 (e) or (f) of GDPR for reasons arising from your particular situation; this also applies to profiling based on these provisions. In the event of your objection, we will no longer process the personal data concerning you, unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights, and freedoms, or if the processing is for the purpose of asserting, exercising, or defending legal claims. If we process the personal data relating to you for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purposes of such advertising; this also applies to profiling insofar as it is associated with such direct mail. If you object to the processing for purposes of direct marketing, the personal data related to you will no longer be processed for these purposes.
    Regardless of Directive 2002/58/EG, you have the option, in the context of the use of information society services, of exercising your right to object through automated procedures that use technical specifications.

  • Revocation of consent
    If you have given us consent (for example, in connection with information by email, you may revoke such consent at any time with future effect. In our email communications, we generally provide a corresponding link in every one of our newsletters. You can also contact us via other methods, e.g. by post, fax, or email using any of the contact methods listed on the first page of this Privacy Policy.

  • Further rights
    As the affected person, you have the right:
    – of access by the data subject (Art. 15 GDPR)
    – To rectification(Art. 16 GDPR)
    – To erasure (Art. 17 GDPR)
    – To restriction of processing (Art. 18 GDPR)
    – To data portability (art. 20 GDPR)
    – Entitlement to complaint at a data protection supervisory authority (Art. 77 GDPR)

    To exercise your rights, please contact the responsible entity: EW Discover GmbH (Hugo-Eckener-Ring 1, FAC Building, 60549 Frankfurt a. M.), at legal4y@lufthansa-group.com or contact the Lufthansa Group data protection at datneschutz@dlh.de .