Thank you for visiting our website, where we offer you information about our company and our services. Transparency and integrity in the processing of your personal data is an important concern for us. When processing personal data, we observe the data protection regulations, in particular the EU Data Protection Basic Regulation (“DSGVO”) and the Federal Data Protection Act (“BDSG”).
In this data protection information we explain which information (including personal data) is processed by us during your visit and use of our aforementioned Internet offer (“Website”) and which rights you are entitled to with regard to your personal data.
I. Who is responsible for data processing?
The person responsible for the processing of personal data under data protection law is:
Frankfurt Airport, Gate 25, Building 420, Room 4003
60546 Frankfurt am Main
Where this data protection information refers to “we” or “us”, this refers to the aforementioned company.
We have appointed Dr. Barbara Kirchberg-Lennartz as the company data protection officer. If you have any questions regarding the processing of your personal data, you can contact the Data Protection Officer(s) at any time by mail (Deutsche Lufthansa AG – FRA CJ/D, Group Data Protection Officer, Airportring – LAC, 60546 Frankfurt am Main, Germany) or e-mail (firstname.lastname@example.org).
If you have any questions regarding data protection in connection with our website or the services offered, please contact us:
Frankfurt Airport, Gate 25, Building 420
60546 Frankfurt am Main
II. Which principles do we follow?
In compliance with data protection regulations, we process personal data only if a legal regulation allows us to do so or if you have given your consent.
On this website, we may also collect information which in itself does not allow us to draw direct conclusions about your person. In certain cases – especially when combined with other data – this information can nevertheless be considered “personal data” in the sense of data protection law. Furthermore, we may also collect information on this website which does not allow us to identify you either directly or indirectly; this is the case, for example, with summarized information on all users of this website.
III. What data do we process?
You can access our website without directly providing personal data (such as your name, postal or e-mail address). In this case, too, we have to process certain information to enable you to access our website. In addition, we have integrated links to other websites whose operators may process further (personal) data.
- Log files: When you visit this website, our web server automatically records the domain name or IP address of the requesting computer (usually your Internet access provider) including the date, time and duration of your visit, the sub-pages/URLs you visit and information about the application(s) and terminal equipment you use to view our pages.
- Links to other websites: Our website contains links to other websites. Please note that information (including personal data, if applicable) about your visit may be collected by the operator of the other website when you access the respective other website. For further information, please refer to the data protection information of the operator of the respective offer.
- Contact information: On our website, we point out various ways in which you can contact us. If you use one of these ways, we will process the information requested by us and/or the information you provide in order to process your request.
IV. For what purposes and on what legal basis do we process your data?
- Any personal data contained in the log files is processed to enable you to use our website; this is done on the basis of § 15 paragraph 1 TMG or on the basis of article 6 paragraph 1 f) DSGVO to protect our legitimate interest in the operation of our website.
- The processing of the personal data transmitted within the scope of the inquiry addressed to us via the contact channels shown on the website is carried out for the purpose of processing the respective inquiry in order to safeguard our legitimate interest in the execution of an existing business relationship or in the performance of our other business activities on the basis of Article 6 paragraph 1 f) DSGVO.
- We may also process the personal data collected in connection with the use of our website in order to fulfil legal obligations to which we are subject; this is done on the basis of article 6 paragraph 1 c) DSGVO.
- Insofar as necessary, we process personal data beyond the above-mentioned purposes also to safeguard further legitimate interests or the interests of third parties; this is done on the basis of Article 6 Paragraph 1 f) DSGVO. Our legitimate interests include:
a. the assertion of legal claims and the defense in legal disputes
b. the prevention and investigation of criminal offences; and
c. the management and development of our business activities, including risk management and the operation of our IT systems.
V. Am I required to provide data?
If we collect personal data from you, we will inform you at the time of collection whether the provision of this information is required by law or contract or is necessary for the conclusion of a contract. In doing so, we generally mark those information whose provision is voluntary and is not based on any of the aforementioned obligations or is not necessary for the conclusion of a contract.
VI. Who receives personal data?
Personal data is always processed within our company. Depending on the type of personal data, only certain departments / organizational units have access to personal data. These include, in particular, the specialist departments involved in providing our digital offerings (e.g. websites) or the business processes described, and our IT department. By means of a role and authorization concept, access within our company is limited to those functions and the scope that is necessary for the respective purpose of processing.
To the extent permitted by law, we may also transfer personal data to third parties outside our company. These external recipients may include in particular
- affiliated companies within the Lufthansa Group to which we transfer personal data for internal administrative purposes and to provide central services (e.g. billing services);
- the service providers engaged by us to perform services for us on a separate contractual basis, which may also include the processing of personal data, as well as the subcontractors of our service providers engaged with our consent;
- non-public and public bodies, insofar as we are obliged to transfer your personal data due to legal obligations,
- Recipient of a shipment that we deliver for one of our business partners; in individual cases, this may also include personal data about you, provided that you are named as the contact person in the transmitted shipment data;
VII. Is automated decision making used?
In connection with the operation of our website, we do not generally use automated decision making (including profiling) within the meaning of Article 22 DSGVO. If we use such procedures in individual cases, we will inform you separately to the extent required by law.
VIII. Is personal data transferred to countries outside the EU / EEA?
In most cases, personal data is processed within the EU or the European Economic Area.
Since the Lufthansa Group operates worldwide and we also provide our services worldwide, we also transfer information to recipients in so-called “third countries”. “Third countries” are countries outside the European Union or the Agreement on the European Economic Area, in which a level of data protection comparable to that in the European Union cannot be assumed without further ado. Recipients in third countries may, for example, be service providers engaged by us.
If the information transferred also includes personal data, we will ensure before such a transfer that the necessary adequate level of data protection is ensured in the third country in question or with the recipient in the third country. This may in particular result from a so-called “adequacy finding” of the European Commission, which determines an adequate level of data protection for a specific third country as a whole. Alternatively, we may base the data transfer on the so-called “EU standard contractual clauses” agreed with a recipient or – in the case of recipients in the USA – on compliance with the principles of the so-called “EU-US Privacy Shield”. We will be happy to provide you with further information on the appropriate and adequate safeguards to maintain an adequate level of data protection upon request; contact details are provided at the beginning of this Privacy Information. Information on the participants of the EU-US Privacy Shield can also be found at http://www.privacyshield.gov/list
IX. How long are personal data stored?
We store personal data as long as we have a legitimate interest in this storage and your interests in not continuing the storage do not outweigh the data.
Even without a legitimate interest, we may continue to store the data if we are legally obliged to do so (e.g. to fulfil storage obligations). We delete personal data even without the intervention of the person concerned as soon as the knowledge of the data is no longer necessary to fulfill the purpose of the processing or the storage is otherwise legally inadmissible.
- the log data is deleted within seven days, unless further storage is required for legally intended purposes such as the detection of misuse and the detection and elimination of technical faults;
- the data processed in connection with a business relationship is deleted at the latest after expiry of the statutory retention periods; and
- those personal data which we have to store in order to fulfill our obligation to keep records are stored until the end of the respective obligation to keep records. If we store personal data solely for the purpose of fulfilling storage obligations, these are usually blocked so that they can only be accessed if this is necessary in view of the purpose of the storage obligation.
X. What rights do data subjects have?
a. Right of objection according to Art. 21 DSGVO
A data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data relating to him or her carried out pursuant to Article 6(1)(e) or (f) of the DPA, including profiling based on these provisions. In the event of such an objection, we shall no longer process the personal data relating to that person, unless we can demonstrate compelling reasons for processing which are worthy of protection and which outweigh the interests, rights and freedoms of the data subject, or unless the processing serves to assert, exercise or defend legal claims.
Wenn wir personenbezogenen Daten verarbeitet, um Direktwerbung zu betreiben, hat eine betroffene Person das Recht, jederzeit Widerspruch gegen die Verarbeitung der sie betreffenden personenbezogenen Daten zum Zwecke derartiger Werbung einzulegen; dies gilt auch für das Profiling, soweit es mit solcher Direktwerbung in Verbindung steht. Widerspricht eine betroffene Person der Verarbeitung für Zwecke der Direktwerbung, so werden die betreffenden personenbezogenen Daten nicht mehr für diese Zwecke verarbeitet.
b. Additional rights
A data subject also has the right
- to information on the personal data stored about them, Article 15 DSGVO;
- for the correction of incorrect or incomplete data, Article 16 DSGVO;
- for deletion of personal data, Article 17 DSGVO;
- on restriction of processing, Article 18 DSGVO; and
- on data transferability, Article 20 DSGVO.
In order to exercise these rights, a data subject may contact us at any time – e.g. via one of the contact channels indicated at the beginning of this data protection information.
If a data subject has questions regarding the processing of personal data, he or she can also contact our data protection officer.
A data subject is also entitled to lodge a complaint with a competent supervisory authority for data protection, Article 77 DSGVO.
The competent supervisory authority in matters of data protection law is the State Data Protection Commissioner of the federal state in which the company has its registered office.
For heyworld, the Hessian Commissioner for Data Protection and Freedom of Information is responsible (www.datenschutz.hessen.de). A list of the data protection commissioners and their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html