eXperts data protection

1. Controller

Deutsche Lufthansa AG (Linnicher Straße 48, 50933 Cologne, Germany) (hereinafter also referred to as “Lufthansa”, “we”, “us”), wish to inform you how your personal data is processed when you use our website lufthansaexperts.com (“website”).

When we refer to Lufthansa Group airlines in the following, we mean the airlines Austrian Airlines AG, Deutsche Lufthansa AG, Swiss International Air Lines Ltd, Brussels Airlines SA/NV and Eurowings GmbH. The Lufthansa Group comprises Lufthansa Group airlines and the other companies of the Lufthansa Group.

If you have any further queries regarding data protection in connection with our website or the services offered, please contact our data protection officer:
Lufthansa Group corporate data protection officer Deutsche Lufthansa AG
E-Mail: datenschutz@dlh.de

Please send a request for information to: Deutsche Lufthansa AG
Datenauskunft
FRA CY
60546 Frankfurt Germany

Or by e-mail to: dataaccess@dlh.de

Email communication with the Lufthansa Group airlines is generally not encrypted.
In order to enable you to participate in the eXperts program, we transfer the data between the Lufthansa Group Airlines in order to meet the legitimate interest in the concurrent process in the Lufthansa Group.

2. Scope, purpose and legal basis of processing personal data

We collect and use personal data directly from our users and other sources (mentioned below) in the following situations:

2.1. Provision of the website and log file creation

By visiting our website the system automatically records data and information about the user’s computer system each time the website is accessed. The following data (“technical information”) are collected:

  • Information on the browser type and version used
  • The user’s operating system
  • The user’s IP address
  • Date and time of access
  • Websites from which the user’s system accesses our website
  • Websites accessed by the user’s system via our website

The data are also saved in our system’s log files. These data are not stored together with other personal data of the user.

We collect and use this technical information for the purposes of (network) security (to for example ward off cyber-attacks), marketing and to better understand our users’ needs as well as to continuously improve our website and enable users to access the website from their computers.

The data are saved to log files to ensure website functionality. The data also help us improve the website and safeguard our information technology systems.
Art. 6(1)(f) GDPR forms the legal basis for the temporary storage of the data and log files.

2.1.1. Use of cookies

Our website uses cookies. Cookies are text files stored in the web browser or by the web browser on the user’s computer system. When a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a distinctive character string which allows for unique identification of the browser when the website is accessed again.

Cookies are stored on the user’s computer, which transmits these to our website. Therefore, users have full control over the use of cookies. You may disable or restrict the transmission of cookies by changing your web browser settings. Previously stored cookies can be deleted at any time. This may also be done automatically. If cookies are disabled for our website, you may no longer be able to use all of its functionality.

For further information on the cookies used by us, their purposes and legal basis, please check our Cookie Policy.

2.2. Use of the services offered on our website

We offer a range of different services on our website lufthansaexperts.com. We must collect and process user or customer personal data in order to perform these.

2.2.1. Website

To visit our website and use its services you have to register once at lufthansaexperts.com. When you register for eXperts, the following data from the input mask is transmitted to us and processed:

  • E-mail address and country of travel agency
  • First name, surname and title
  • Position in travel agency and main activities

You also have the option of providing us with the following information:

  • Telephone number
  • Date of birth

In order to enable you to participate in the eXperts programme, your consent to the conditions of participation are obtained during the registration process.

We analyse the visits to lufthansaexperts.com with the aim of tracking the preferences of visitors and optimising the website accordingly. For this we store the eXperts login, e.g. DE123456 of the visitors by default. The login is not associated with the pages visited. Lufthansa eXperts processes and uses your personal data for service purposes within the website lufthansaexperts.com; i.e. to make you a tailor-made offer and/or to spare you the repetition of entries already made and only to the extent necessary in each case. Within the framework of web analysis, only anonymous, aggregated data is evaluated for statistical purposes.

In order to keep our database up to date, we regularly identify and analyze inactive profiles and delete them if necessary.

This data is initially processed for contract performance (Art. 6(1)(b) GDPR) as well as for the purposes of our legitimate interests (Art. 6 (1)(f) GDPR) in order to contact you with relevant information of the Lufthansa Group Airlines.

In addition, the following data is collected upon registration:

  • Information on the browser type and version used
  • The user’s operating system
  • The user’s IP address
  • Date and time of access
  • Websites from which the user’s system accesses our website
  • Websites accessed by the user’s system via our website

2.2.2. Newsletter

You have the option of subscribing to a free newsletter on our website. When you subscribe, the data from the input screen is sent to us and processed:

  • E-mail address and country of travel agency
  • First name, surname and title
  • Position in travel agency and main activities

You also have the option of providing us with the following information:

  • Telephone number
  • Date of birth

In addition, the following data is collected upon registration:

  • Information on the browser type and version used
  • The user’s operating system
  • The user’s IP address
  • Date and time of access
  • Websites from which the user’s system accesses our website
  • Websites accessed by the user’s system via our website

We process your data in connection with the newsletter in order to send you news informing you about interesting topics of the Lufthansa Group Airlines, Star Alliance or joint venture partners as well as partners from the tourism industry. In addition, we process and use the e-mail address entered to send you personalized offers, invitations and user surveys in connection with the newsletter.

If a link in the newsletter takes you to our website, you also permit us to process and use your IP address, as well as geodata, web beacons and similar technologies, in order to verify whether the offers have met your requirements.

This also includes your interaction with the newsletter, i.e. information about whether, when and how long the newsletter was opened and which links were clicked on in the newsletter. Art. 6(1)(a) GDPR forms the legal basis for data processing following the user’s subscription to the newsletter if the user has given consent.

2.2.3. Promotional microsites for raffles and online training courses

By visiting our promotional eXperts websites (e.g. the domain experts-promotion.com) the system automatically records data and information about the user’s computer system each time the website is accessed. The following data (“technical information”) are collected:

  • Information on the browser type and version used
  • The user’s operating system
  • Date and time of access
  • Websites from which the user’s system accesses our website
  • Websites accessed by the user’s system via our website
  • eXperts ID ("Login") of the user
  • User's e-mail address

The data are also saved in our system’s log files. The user’s IP addresses and other data which enable these data to be attributed to a user are not affected by this. These data are not stored together with other personal data of the user.

We collect and use this technical information for the purposes of (network) security (to for example ward off cyber-attacks), marketing and to better understand our users’ needs as well as to continuously improve our website and enable users to access the website from their computers.

Art. 6(1)(f) GDPR forms the legal basis for the temporary storage of the data.

2.2.3.1. Use of cookies

Our promotional websites use cookies. Cookies are text files stored in the web browser or by the web browser on the user’s computer system. When a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a distinctive character string which allows for unique identification of the browser when the website is accessed again.

Cookies are stored on the user’s computer, which transmits these to our website. Therefore, users have full control over the use of cookies. You may disable or restrict the transmission of cookies by changing your web browser settings. Previously stored cookies can be deleted at any time. This may also be done automatically. If cookies are disabled for our website, you may no longer be able to use all of its functionality.

2.2.3.2. Tracking tools

following tracking and (re)marketing tools on our promotional websites:

  • eTracker

Our legitimate interest pursuant to Art. 6(1)(f) GDPR for the purposes of increasing the efficiency of our website and (direct) marketing is the legal basis for the use of the tools listed.

For further information on the individual tools, please check the appendix/“Tracking Tool Policy”.

Appendix – notices on the tracking and remarketing tools used

eTracker:

The following types of personal data (as defined in Art. 4 No. 1, 13, 14 and 15 GDPR) are collected, processed or stored, depending on which eTracker services are used:

  • Abbreviated IP addresses
  • Digital fingerprints
  • User Agents
  • Geo-Information
  • hashed mobile device codes
  • Contact data of account users as well as invoice and reporting recipients
  • Form entries replaced by placeholders (UX Analytics)
  • e-mail addresses of opt-in dialogs (smart messaging)
  • Hashed cross-device identifier (optional)
  • Pseudonymous e-mail recipient IDs (optional)

2.2.4. Surveys and market research

As part of our market research activities, we may invite you to take part in surveys to improve our products and services. Participation in market research surveys is always voluntary. The information received in the course of a market research project is only analyzed in anonymized form and will not be published.

The Deutsche Lufthansa AG works with an external service provider which has access to the personal data for the administration of the surveys and evaluation of the opinions. The service provider supplies the software used to collect opinions, which are then anonymized. The legal basis for conducting market research is Art. 6(1)(b) GDPR.

2.2.5. Statistical analysis

There is a possibility that your data may be analysed in a data warehouse to evaluate the preferences of our registered customers (“statistical analysis”) for the purposes of interest-led marketing, individual approaches and continuous optimisation of our business processes. We undertake this processing in order to acquire a better understanding of what our customers expect from us and to allow us to offer you communication that is tailored to you personally. This analysis also helps us with fraud detection, auditing and safeguarding security, which is why we perform this processing to protect our legitimate interests, Art. 6(1)(f) GDPR.

2.3. Our legitimate interest in processing personal data

If Art. 6(1)(f) GDPR forms the legal basis for the processing, our legitimate interests are, in addition to the purposes listed above:

  • To protect the company against material and immaterial damage
  • Professionalism (of our products and services)
  • Cost optimisation (control and minimisation)

2.4. Other processing commitments

If obliged to do so by law, we process personal data in order to meet duties of retention under commercial or tax law or to meet legal security requirements (such as Section 7 of the Aviation Security Act [LuftSiG]). For further information on retention periods, please refer to “Duration of the data processing”.

2.5. Obligation to provide personal data

The input fields which are mandatory to be filled out for performing the requested service are marked accordingly on the website. The input is either mandatory because of legal or contractual requirements.

3. Duration of the data processing

Your personal data are deleted as soon as they are no longer needed for the specified purposes. In certain circumstances, personal data are kept for the period of time during which claims against Lufthansa Group Airlines may be enforced (statutory limitation period of three to ten years). Personal data are also saved to the extent that and for so long as Lufthansa Group Airlines is legally obliged to do so. Corresponding burdens of proof and duties of retention arise from, among others, the Commercial Code, Tax Code and Money Laundering Act. These prescribe retention periods up to ten years.

4. Right to object pursuant to Art. 21 GDPR

You have the right to object, on reasons relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.

The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or processing is necessary for the establishment, exercise or defence of legal claims. Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data, which includes profiling to the extent that it is related to such direct marketing.

If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

5. Disclosure of personal data to third parties

In order to offer you our products and services, based on our contractual obligations or in accordance with our legitimate interests, we may have to disclose your personal data to third

parties internal or external to the Deutsche Lufthansa AG. These recipients can be categorised as follows:

  • Service providers:
    • Transport
    • Marketing
    • IT (Website hosting service provider, IT support service provider or website analysis service provider)
    • Credit agencies
    • Members of the Lufthansa Group
    • Members of the Star Alliance
    • Touristic partners
    • Other airlines
    • State agencies and bodies

When booking flight tickets via an input mask stored on the eXperts website, we process your personal data (e.g. master data, contact data and payment data). These data are first processed by us to fulfil the contract in order to issue the flight ticket you have requested and to send you the booking confirmation (art. 6 par. 1 lit. b GDPR), but also to safeguard our legitimate interests (art. 6 par. 1 lit. f GDPR) in order to provide you with relevant information on your booked flight and destination.

Personal data may be transmitted to third countries or international organisations as part of this. For your protection and the protection of your personal data, appropriate safeguards are provided for such data transmissions as per and in accordance with legal requirements (particularly, the use of EU standard contractual clauses) or an adequacy decision has been issued by the EU Commission (Art. 45 GDPR).

For information on EU standard contractual clauses, please visit https://eur-lex.europa.eu/legal- content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=DE. The EU Commission provides the relevant information relating to its adequacy decisions at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy- protection-personal-data-non-eu-countries_en#dataprotectionincountriesoutsidetheeu. A copy of the security precautions used may also be requested from datenschutz@dlh.de . We are also legally obliged to provide personal data to German and international authorities, Art. 6(1)(c) GDPR together with local and international regulations and agreements.

6. Rights of the data subject

The Deutsche Lufthansa AG is committed to ensuring fair and transparent processing. That is why it is important to us that data subjects can not only exercise their right to object but also the following rights where the respective legal requirements are satisfied:

  • Right of access, Art. 15 GDPR
  • Right to rectification, Art. 16 GDPR
  • Right to erasure (“right to be forgotten”), Art. 17 GDPR
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR

To exercise your right, please emaildataaccess@dlh.de. In order to process your request and for identification purposes, please note that we will process your personal data in accordance with Art. 6(1)(c) GDPR.

You also have the right to lodge a complaint with a supervisory authority. The relevant supervisory authority for the Deutsche Lufthansa AG is:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
PO Box 20 04 44
40102 Dusseldorf
Germany

Kavalleriestr. 2-4
40213 Dusseldorf
Germany

Phone: +49 (0)211/38424-0
Fax: +49 (0)211/38424-10
Email: poststelle@ldi.nrw.de

7. Consent

If you give your consent to us for processing your personal data, please note that you may withdraw this consent at any time.

If you wish to revoke this consent, please send us an e-mail to dataaccess@dlh.de If you have given us your consent for the newsletter, you can cancel it yourself via the "Unsubscribe" link in the newsletter or cancel it in your profile settings (under "My profile" within lufthansaexperts.com).

In all other cases or if you have problems withdrawing your consent on the website, you can contact dataaccess@dlh.de

Please note that your consent can only be withdrawn with future effect and such a withdrawal does not have any influence on the lawfulness of past processing. In some cases, we may be entitled in spite of your withdrawal to continue to process your personal data on a different legal basis – e.g. to perform a contract.

8. Disclaimer and limitations of these data protection notices

These data protection notices only apply to processing for the website lufthansaexperts.com and any external websites (e. g. experts-promotion.com). Other websites are not covered by these data protection notices and provide their own specific data protection notices.