Thank you for visiting our website, where we offer you information about our company and our services. Transparency and integrity in the processing of your personal data is an important concern for us. When processing personal data, we observe the data protection regulations, in particular the EU Data Protection Basic Regulation (“DSGVO”) and the Federal Data Protection Act (“BDSG”).
In this data protection information we explain which information (including personal data) is processed by us during your visit and use of our aforementioned Internet offer (“Website”) and which rights you are entitled to with regard to your personal data.
I. Who is responsible for data processing?
The person responsible for the processing of personal data under data protection law is:
Frankfurt Airport, Gate 25, Building 451, Tower B/C
60546 Frankfurt am Main
Where this data protection information refers to “we” or “us”, this refers to the aforementioned company.
If you have any questions regarding the processing of your personal data, you can contact the Group Data Protection Officer(s) at any time by mail (Deutsche Lufthansa AG – FRA CJ/D, Group Data Protection Officer, Airportring – LAC, 60549 Frankfurt am Main, Germany) or e-mail (firstname.lastname@example.org).
If you have any questions regarding data protection in connection with our website or the services offered, please contact us:
Frankfurt Airport, Gate 25, Building 451, Tower B/C
60546 Frankfurt am Main
II. Which principles do we follow?
In compliance with data protection regulations, we process personal data only if a legal regulation allows us to do so or if you have given your consent.
On this website, we may also collect information which in itself does not allow us to draw direct conclusions about your person. In certain cases – especially when combined with other data – this information can nevertheless be considered “personal data” in the sense of data protection law. Furthermore, we may also collect information on this website which does not allow us to identify you either directly or indirectly; this is the case, for example, with summarized information on all users of this website.
III. What data do we process?
You can access our website without directly providing personal data (such as your name, postal or e-mail address). In this case, too, we have to process certain information to enable you to access our website. In addition, we have integrated links to other websites whose operators may process further (personal) data.
- Log files: When you visit this website, our web server automatically records the domain name or IP address of the requesting computer (usually your Internet access provider) including the date, time and duration of your visit, the sub-pages/URLs you visit and information about the application(s) and terminal equipment you use to view our pages.
- Links to other websites: Our website contains links to other websites. Please note that information (including personal data, if applicable) about your visit may be collected by the operator of the other website when you access the respective other website. For further information, please refer to the data protection information of the operator of the respective offer.
- Contact information: On our website, we point out various ways in which you can contact us. If you use one of these ways, we will process the information requested by us and/or the information you provide in order to process your request.
- Marketing Cookies: Marketing cookies are used to show users targeted, relevant advertisements tailored to their interests. They are also used to assess the effectiveness of certain campaigns. These types of cookies detect whether a website was visited or not. They can be forwarded to third parties. Cookies that help to improve how target groups and advertising are addressed are often linked with the page functionalities of third parties.
If you have given your consent, this website uses Google Analytics, a web analysis service of Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Scope of processing
We use the function User-ID. The User ID allows us to assign a unique, permanent ID to one or more sessions (and the activities within these sessions) and to analyze user behavior across devices.
We use Google Signals. This allows Google Analytics to collect additional information about users who have activated personalized ads (interests and demographic data). Also ads may be delivered to these users in cross-device remarketing campaigns.
We use the function ‘anonymizeIP’ (so-called IP-Masking): Due to the activation of IP-anonymization on this website, your IP-address will be shortened by Google within member states of the European Union or in other signatory states of the Agreement on the European Economic Area. Only in exceptional cases the full IP address will be transferred to a Google server in the USA and shortened there. The IP address transmitted by your browser within the framework of Google Analytics is not merged with other data from Google.
During your website visit the following data will be collected:
- the pages you call up, your “click behaviour“
- Achievement of “website goals” (conversions, e.g. newsletter registrations, downloads, purchases)
- Your user behavior (for example clicks, dwell time, bounce rates)
- Your approximate location (region)
- Your IP address (in abbreviated form)
- technical information about your browser and the end devices you use (e.g. language settings, screen resolution)
- Your internet provider
- the referrer URL (via which website/advertising medium you came to this website)
Purposes of processing
On behalf of the operator of this website, Google will use this information to evaluate your use of the website and to compile reports on website activity. The reports provided by Google Analytics serve to analyse the performance of our website and the success of our marketing campaigns.
The data recipient is
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland as data processor. For this purpose we have concluded a contract with Google. Google LLC, headquartered in California, USA, and, if applicable, US authorities can access the data stored at Google.
Transfer to third countries
A transfer of data to the USA cannot be excluded.
Duration of storage
The data sent by us and linked to cookies is automatically deleted after 14 months. Data is automatically deleted once a month as soon as the storage period is reached.
You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by
- not giving your consent to the setting of the cookie or
- downloading and installing the browser add-on to disable Google Analytics.
By setting your browser software accordingsly you can also prevent the storage of cookies. If your browser is set to refuse all cookies, the functionality of this and other websites may be limited.
Legal basis and right of withdrawal
Your consent is the legal basis for this data processing, Art.6 para.1 S.1 lit.a GDPR. You can revoke your consent at any time with effect for the future by changing your selection in the cookie settings.
Linkedin Insight Tag
We also use conversion tracking on our website with LinkedIn Insights Tag, a tool from LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
For this purpose, the LinkedIn Insight tag is integrated on our website and a cookie is set on your device by LinkedIn.
LinkedIn is informed that you have visited our website and your IP address is collected. Timestamps and events such as page views are also stored. This enables us to statistically evaluate the use of our website in order to constantly optimize it.
We learn, for example, which LinkedIn ad or interaction on LinkedIn brought you to our website. This allows us to better control how our ads are displayed.
For more information on Conversion Tracking, see https://www.linkedin.com/help/linkedin/answer/a420536/linkedin-conversion-tracking-overview?lang=en
You can prevent LinkedIn from analyzing your usage behavior and from displaying interest-based recommendations at https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
IV. For what purposes and on what legal basis do we process your data?
- Any personal data contained in the log files is processed to enable you to use our website; this is done on the basis of § 15 paragraph 1 TMG or on the basis of article 6 paragraph 1 f) DSGVO to protect our legitimate interest in the operation of our website.
- The processing of the personal data transmitted within the scope of the inquiry addressed to us via the contact channels shown on the website is carried out for the purpose of processing the respective inquiry in order to safeguard our legitimate interest in the execution of an existing business relationship or in the performance of our other business activities on the basis of Article 6 paragraph 1 f) DSGVO.
- We may also process the personal data collected in connection with the use of our website in order to fulfil legal obligations to which we are subject; this is done on the basis of article 6 paragraph 1 c) DSGVO.
- Insofar as necessary, we process personal data beyond the above-mentioned purposes also to safeguard further legitimate interests or the interests of third parties; this is done on the basis of Article 6 Paragraph 1 f) DSGVO. Our legitimate interests include:
a. the assertion of legal claims and the defense in legal disputes
b. the prevention and investigation of criminal offences; and
c. the management and development of our business activities, including risk management and the operation of our IT systems.
V. Am I required to provide data?
If we collect personal data from you, we will inform you at the time of collection whether the provision of this information is required by law or contract or is necessary for the conclusion of a contract. In doing so, we generally mark those information whose provision is voluntary and is not based on any of the aforementioned obligations or is not necessary for the conclusion of a contract.
VI. Who receives personal data?
Personal data is always processed within our company. Depending on the type of personal data, only certain departments / organizational units have access to personal data. These include, in particular, the specialist departments involved in providing our digital offerings (e.g. websites) or the business processes described, and our IT department. By means of a role and authorization concept, access within our company is limited to those functions and the scope that is necessary for the respective purpose of processing.
To the extent permitted by law, we may also transfer personal data to third parties outside our company. These external recipients may include in particular
- affiliated companies within the Lufthansa Group to which we transfer personal data for internal administrative purposes and to provide central services (e.g. billing services);
- the service providers engaged by us to perform services for us on a separate contractual basis, which may also include the processing of personal data, as well as the subcontractors of our service providers engaged with our consent;
- non-public and public bodies, insofar as we are obliged to transfer your personal data due to legal obligations,
- Recipient of a shipment that we deliver for one of our business partners; in individual cases, this may also include personal data about you, provided that you are named as the contact person in the transmitted shipment data;
VII. Is automated decision making used?
In connection with the operation of our website, we do not generally use automated decision making (including profiling) within the meaning of Article 22 DSGVO. If we use such procedures in individual cases, we will inform you separately to the extent required by law.
VIII. Is personal data transferred to countries outside the EU / EEA?
In most cases, personal data is processed within the EU or the European Economic Area.
Since the Lufthansa Group operates worldwide and we also provide our services worldwide, we also transfer information to recipients in so-called “third countries”. “Third countries” are countries outside the European Union or the Agreement on the European Economic Area, in which a level of data protection comparable to that in the European Union cannot be assumed without further ado. Recipients in third countries may, for example, be service providers engaged by us.
If the information transferred also includes personal data, we will ensure before such a transfer that the necessary adequate level of data protection is ensured in the third country in question or with the recipient in the third country. This may in particular result from a so-called “adequacy finding” of the European Commission, which determines an adequate level of data protection for a specific third country as a whole. Alternatively, we may base the data transfer on the so-called “EU standard contractual clauses” agreed with a recipient or – in the case of recipients in the USA – on compliance with the principles of the so-called “EU-US Privacy Shield”. We will be happy to provide you with further information on the appropriate and adequate safeguards to maintain an adequate level of data protection upon request; contact details are provided at the beginning of this Privacy Information. Information on the participants of the EU-US Privacy Shield can also be found at http://www.privacyshield.gov/list
IX. How long are personal data stored?
We store personal data as long as we have a legitimate interest in this storage and your interests in not continuing the storage do not outweigh the data.
Even without a legitimate interest, we may continue to store the data if we are legally obliged to do so (e.g. to fulfil storage obligations). We delete personal data even without the intervention of the person concerned as soon as the knowledge of the data is no longer necessary to fulfill the purpose of the processing or the storage is otherwise legally inadmissible.
- the log data is deleted within seven days, unless further storage is required for legally intended purposes such as the detection of misuse and the detection and elimination of technical faults;
- the data processed in connection with a business relationship is deleted at the latest after expiry of the statutory retention periods; and
- those personal data which we have to store in order to fulfill our obligation to keep records are stored until the end of the respective obligation to keep records. If we store personal data solely for the purpose of fulfilling storage obligations, these are usually blocked so that they can only be accessed if this is necessary in view of the purpose of the storage obligation.
X. What rights do data subjects have?
a. Right of objection according to Art. 21 DSGVO
A data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data relating to him or her carried out pursuant to Article 6(1)(e) or (f) of the DPA, including profiling based on these provisions. In the event of such an objection, we shall no longer process the personal data relating to that person, unless we can demonstrate compelling reasons for processing which are worthy of protection and which outweigh the interests, rights and freedoms of the data subject, or unless the processing serves to assert, exercise or defend legal claims.
Wenn wir personenbezogenen Daten verarbeitet, um Direktwerbung zu betreiben, hat eine betroffene Person das Recht, jederzeit Widerspruch gegen die Verarbeitung der sie betreffenden personenbezogenen Daten zum Zwecke derartiger Werbung einzulegen; dies gilt auch für das Profiling, soweit es mit solcher Direktwerbung in Verbindung steht. Widerspricht eine betroffene Person der Verarbeitung für Zwecke der Direktwerbung, so werden die betreffenden personenbezogenen Daten nicht mehr für diese Zwecke verarbeitet.
b. Additional rights
A data subject also has the right
- to information on the personal data stored about them, Article 15 DSGVO;
- for the correction of incorrect or incomplete data, Article 16 DSGVO;
- for deletion of personal data, Article 17 DSGVO;
- on restriction of processing, Article 18 DSGVO; and
- on data transferability, Article 20 DSGVO.
In order to exercise these rights, a data subject may contact us at any time – e.g. via one of the contact channels indicated at the beginning of this data protection information.
If a data subject has questions regarding the processing of personal data, he or she can also contact our data protection officer.
A data subject is also entitled to lodge a complaint with a competent supervisory authority for data protection, Article 77 DSGVO.
The competent supervisory authority in matters of data protection law is the State Data Protection Commissioner of the federal state in which the company has its registered office.
For heyworld, the Hessian Commissioner for Data Protection and Freedom of Information is responsible (www.datenschutz.hessen.de). A list of the data protection commissioners and their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html