Privacy Policy

We look forward to your visit to our website, where we offer you personalized information about our company and our services. We consider transparency and integrity important issues to consider in the processing of your personal data. We observe data protection regulations, namely the EU General Data Protection Regulation (“GDPR”), the Federal Data Protection Act (“BDSG”) and the Telemedia Act (“TMG”).

In this Privacy Notice, we explain what information (including personal data) we process during your visit and use of our above internet offering (“Website”) and what rights you have over your personal information.

1. Responsibilities

The party responsible (under data protection law) for the processing of personal data is EW Discover GmbH ( Hugo-Eckener-Ring 1, FAC Building, 60549 Frankfurt a.M.). Any references to “we” or “us” in these data protection instructions refers in each case to the aforementioned company.

If you have any questions or comments about data protection, please send an email to datenschutz@dlh.de.

2. Which principles do we observe?

In compliance with data protection regulations, we process your personal data only if permitted by law or if you have given your consent. This also applies to the processing of personal data for advertising and marketing purposes.

We may also collect information on this website that cannot be used by itself to identify you personally. In certain cases, especially when combined with other data, this information can nonetheless be considered “personal data” as defined by data protection legislation. We may also collect information on this website that does not allow us to identify you, either directly or indirectly; this includes, for example, aggregated information about all users of this website.

3. What data do we process? For what purposes and on what legal basis does this processing take place?

When you visit this website, our web server automatically stores data and information about the device and browser you are using. This information includes the browser type and version used, the operating system, the Internet Service Provider, the IP address of your device, the date and time of access, the website from which you visited our website, and the pages you visited on our website. We process this technical information in the log files of our systems and do not combine them with other personal data about you. We process technical information in order to enable you to access our website, to ensure the functionality of our website and the security of our IT systems, and to optimize our website. The legal basis for this type of processing is Article 6, Section1 (f) of GDPR and § 15 Section 1 of TMG.

  • Flight booking: We process this data for the purpose of fulfilling the contract of carriage into which we have entered with you. This processing is based on Article 6 (1b) of the GDPR.
  • Booking dates: (specifically your first and last name, your date of birth, your billing address and other details on the payment method you selected, and, if applicable, passport/visa information). You can give additional information on a voluntary basis (such as your email address or cell phone number). Required information is designated as such on our website; without this information, the completion of your booking is not possible. We process this data for the execution of the contract of carriage with you; the legal basis for this is Article 6, Section 1 (b) of GDPR. In addition to the means of payment and contact details provided by the customer, the device’s browser data is passed on to payment service providers. The legal basis for this transfer is Article 6 Paragraph 1 Clause 1(c) of the GDPR.
  • Flight-related mailings: We use your email address for sending flight-related information and offers by email, such as to remind you of check-in or to offer you additional services for your flight (seat, carry-on luggage, meals, best-in-class seat pitch). The legal basis for this is Article 6, Section 1 (f) of GDPR as well as Section 7, Article 3 of UWG.
  • Passenger Information: If you book a flight for one or more other persons, we will also need the first and last names of these passengers, as well as their dates of birth. This information is also required for completing the booking. We process this data to safeguard our legitimate interest in the execution of the contract of carriage with you; the legal basis for this is Article 6, Section 1 (f) of GDPR. When booking a flight for other persons, please provide this privacy policy to one or more of these persons.
  • Advanced Passenger Information (API): An increasing number of destination countries (in the future to include member states of the European Union) require us as an airline to provide data about passengers entering or leaving the country, in some cases even when flying over the country in question. Applicable legal provisions typically stipulate the provision of data about the identity and travel documents (passport, visa) of the passengers and crew members on board. Not all of these data are collected by us at the time of booking; in many cases, the collection of this information takes place shortly before departure, potentially via the “machine-readable area” of recent travel documents. We process these data exclusively for provision to the authorities of the respective destination country in fulfilment of our legal obligations; the legal basis for this is Article 6, Section 1 (c) of GDPR.
  • Contact Persons: In accordance with Regulation (EU) 996/2010 on the investigation and prevention of civil aviation accidents and incidents, we offer each passenger the option of using a call center contact person to be contacted if needed. This information is linked to the booking, is used exclusively to meet the requirements of the above regulation, and is deleted 48 hours after the last flight of the booking. The legal basis for processing this data is Article 6, Section 1 (c) of GDPR.
  • Partner frequent flyer programs: When booking a flight, you can earn reward points/miles from our partner’s frequent flyer programs. For this, we require the corresponding program number (such as Miles&More). Furthermore, we also ask for information required to process your booking. We transfer to our partners the specified program number as well as your first and last name, booking class, route, fare, booking code, seat number and ticket number so that the bonus points/miles can be credited to the respective program. The legal basis for this is Article 6 (1) b) GDPR.
  • Partner offers: Based on your flight data (departure, return date, destination), we will offers you partner services in the areas of car rental, rail transport, hotel business, and travel insurance during the booking of your flight. If you accept the corresponding offers, we will transmit the necessary data to our partner company. The legal basis for this is Article 6, Section 1 (b) of GDPR.
  • Personalized customer communication: We want to make using our services as easy and efficient as possible by personalizing the booking process for you. Therefore, to immediately show you the relevant options for your current booking or use your default settings, we process information about your previous bookings and, if applicable, the preferences saved in your profile. This allows you to book your flights faster, make booking changes or purchase additional services without sifting through the wide range of options we offer to select the ones that may interest you. The legal basis for this is Article 6, Section 1(a) of the GDPR.
  • Contact: You can communicate with us via our contact form, the call center, by email or social media, as well as using the form for investigation of a compensation claim pursuant to Article 7 of Regulation (EC) No. 261/04. We collect all the information you provide and keep it only as long as is necessary for the processing of your request. After processing is complete, the data could be kept longer for reasons of evidence. The legal basis for this is Article 6, Section 1 (a) (b) as well as (f) of GDPR.
  • Further legitimate interests: To the extent necessary, we process your data beyond the above purposes for the protection of our legitimate interests or the interests of third parties; this is done on the basis of Article 6, Section 1 (f) of GDPR. Our legitimate interests include:
    • the assertion of legal claims and the defense of legal disputes;
    • the prevention and investigation of criminal offences; and
    • the management and further development of our business activities, including risk management.

4. Who receives my data?

Your personal data is generally processed within our company. Depending on the type of personal information, only certain departments/organizational units have access to your personal information. These include, in particular, the specialist departments involved in the provision of our services and our IT department. A role and authorization concept limits access within our organization to those functions and to the extent required for the particular purpose of the processing.

We may also transfer your personal information to third parties outside our company to the extent permitted by law. In particular, these external receivers may include the following:

  • Affiliates to whom we transfer personal information for internal management purposes within the Lufthansa Group;
  • third parties we use to provide our services (such as the operation of flights), only to the extent the transmission is necessary to fulfil contracts executed with us, such as providers of ground handling services at the airports we serve;
  • the service providers we use, for example in the areas of transport (e.g. resources, persons, etc.), marketing (e.g. ads, newsletters, etc.), IT (e.g. provision of hardware, SaaS, etc.) or payment processing (e.g. payment service providers, direct debiting, etc.), who provide services to us based on a separate contract which may also include the processing of personal data, as well as subcontractors of our service providers whose services are used with our consent;
  • public entities (e.g. customs, federal police), in cases where we are required by law to provide your personal data (e.g. entry requirements or police activities and investigations).

5. Is there automated decision-making?

In general we do not use any automated decision making (including profiling) in connection with users of our website, as per Article 22 of GDPR. If we use such procedures in individual cases, we will inform you separately about this to the legally required extent. 

6. Will data be transmitted to countries outside of the EU?

In principle, the processing of your personal data takes place within the EU or the European Economic Area.

If the information provided includes personal data and we do not have a legal obligation of disclosure (such as Advance Passenger Information), we will ensure that the third country or the recipient in the third country has required a sufficient level of data protection. Where the information provided includes personal data and we do not have a legal obligation to disclose such data (e.g. Advance Passenger Information), we will ensure that the third country or the recipient in the third country (for cookies: USA, Belarus, Singapore, Australia, South Africa, Turkey and China) has the required adequate level of data protection. Alternatively, we may also base the transfer of data on so-called “EU standard contractual clauses” agreed with a recipient or, in the case of US recipients, on compliance with the principles of the so-called “EU-US Privacy Shield”. We will gladly provide you with further information at your request about the applicable guarantees for maintaining an adequate level of data protection; our contact information can be found at the beginning of this privacy policy. For information on participants in the EU-US Privacy Shield, see www.privacyshield.gov/list; for information about the EU Standard Contract Terms, click here, and for information about the adequacy decisions click here.

7. How long will my data be saved?

our personal data will be deleted when it is no longer needed for the aforementioned purposes. However, in some cases, we may be required to store your data until the mandatory retention periods established by the legislator or supervisory authorities, which may be contained in the German Commercial Code, the German Tax Code, or the Anti-Money Laundering Act, and generally are 6 to 10 years, have expired. In addition, we may store your data until the expiry of the statutory limitation periods (i.e., generally for 3 years; but in individual cases for up to 30 years) where this is necessary for the assertion or exercise of, or defense against, legal claims. Afterwards the relevant data are routinely deleted.

Even without a legitimate interest, we can continue to store the data if we are legally obligated to do so (for example, to fulfil record-keeping obligations). We also delete your personal data without your involvement as soon as its retention is no longer necessary to fulfil the purpose for which it was processed, or in cases where storing your data is otherwise legally inadmissible.

In general:

  • log data is deleted within thirty days, unless further storage is required for lawful purposes such as the detection of misuse and the detection and removal of technical malfunctions;
  • the data processed in connection with flight bookings is deleted at the latest upon the expiry of the statutory retention periods (i.e., after a maximum of 10 years); and
  • The data processed in connection with customer communication is deleted after a maximum of five years (Regulation [EC] No. 261/2004).

8. What rights do I have?

  • Right to object, according to article 21 GDPR
    You have the right, at any time, to object to the processing of personal data concerning you pursuant to Article 6, Section 1 (e) or (f) of GDPR for reasons arising from your particular situation; this also applies to profiling based on these provisions. In the event of your objection, we will no longer process the personal data concerning you, unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights, and freedoms, or if the processing is for the purpose of asserting, exercising, or defending legal claims.

    If we process the personal data relating to you for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purposes of such advertising; this also applies to profiling insofar as it is associated with such direct mail. If you object to the processing for purposes of direct marketing, the personal data related to you will no longer be processed for these purposes.

    Regardless of Directive 2002/58/EG, you have the option, in the context of the use of information society services, of exercising your right to object through automated procedures that use technical specifications.

  • Revocation of consent
    If you have given us consent (for example, in connection with information by email, you may revoke such consent at any time with future effect. In our email communications, we generally provide a corresponding link in every one of our newsletters. You can also contact us via other methods, e.g. by post, fax, or email using any of the contact methods listed on the first page of this Privacy Notice.

  • Further rights
    As the affected person, you have the right:
    – to information about what personal data has been collected and saved, according to Article 15 of GDPR;
    – to correction of incorrect or incomplete data, according to Article 16 of GDPR;
    – to the deletion of personal data, according to Article 17 of GDPR;
    – to the restriction of processing, according to Article 18 of GDPR, and
    – to data portability, according to Article 20 of GDPR
    To exercise there rights, you may send an email at any time to datenschutz@dlh.de.
    You are also entitled to file a complaint with a competent data protection supervisory authority, according to Article 77 of GDPR.