Travel ID Data Protection Notice

Austrian Airlines AG, Brussels Airlines SA/NV, Deutsche Lufthansa AG, Eurowings GmbH, EW Discover GmbH and Swiss International Air Lines AG, further referred to as 'Lufthansa Group airlines' and Miles and More are the operators of Travel ID.

Unless otherwise stated in this Data Protection Notice, “we” or “us” or “Travel ID operators” refers to the Lufthansa Group airlines and Miles & More GmbH as the controllers with joint responsibility (“Joint Controllers”) for the processing of your personal data as defined in Article 26 of the General Data Protection Regulation of the European Union (“GDPR”).

Further information and contact addresses for the Lufthansa Group airlines and Miles & More GmbH can be found in the respective Data Protection Notice for Travel ID operators.

If you have data protection questions in connection with the Travel ID, please contact the following:

The Data Protection Officer of Deutsche Lufthansa AG, Miles & More GmbH, Eurowings GmbH and EW Discover GmbH:

Deutsche Lufthansa AG
Data Protection Officer
FRA CJ/D
Lufthansa Aviation Center
Airportring
60546 Frankfurt am Main
Germany

Austrian Airlines AG Data Protection Officer:

Austrian Airlines AG
Legal office – Data Protection
Office Park 2
PO box 100
1300 Vienna Airport
Austria

Data Protection Officer of Swiss International Air Lines AG:

Swiss International Air Lines AG
ZRH S/CJ
PO box
8058 Zurich Airport
Switzerland

Brussels Airlines SA/NV Data Protection Officer:

Brussels Airlines
Data Protection Officer
Airport Bld. 26, General Aviation - Ringbaan
1831 Machelen
Belgium

When you register for Travel ID, the only mandatory information we request is your email address, your title, your first and last names, your date of birth and a password. Your country and preferred language settings will be automatically transferred - as far as technically possible - using the country and language settings you entered on the respective websites or other touchpoints of the Travel ID operators. This information is required in order to create a Travel ID profile and to use the Travel ID services described in detail below and in the Travel ID Terms and conditions of use. You have the option to add further information to your Travel ID profile on a voluntary basis. This can be your address, mobile phone number, payment data or your flight preferences (e.g. preferred departure airport).

The legal basis for processing your data is fulfilment of the contract pursuant to Article 6 (1)(b) GDPR.

You also have the option of storing documents based on your consent (see Section 10).

If necessary to fulfil the contract, we will send you messages about status changes in your Travel ID profile. This includes, among other things, the expiry of the validity of your travel documents, payment methods or password uploaded via your Travel ID profile.

If you have not logged into your Travel ID profile for three years, we will ask you to log in again. If we do not see any activity in your Travel ID profile within another six months, we will delete it (see paragraph “Deletion of your Travel ID profile”).

The legal basis for processing your data is fulfilment of the contract pursuant to Article 6 (1)(b) GDPR.

When you visit our websites, use our mobile apps and other touchpoints, our aim is to make it easier and quicker for you to find and use the information that is relevant to you. Therefore, you have the option of registering there with your Travel ID, and being personally addressed, as well as receiving relevant information in relation to your flight booking, for example.

If you do not wish to use the login service, you are, of course, free to use the website/touchpoints without logging in. In this case, the respective content will be displayed without being personalised to you.

The legal basis for processing your data is fulfilment of the contract pursuant to Article 6 (1)(b) GDPR.

We use the data you enter in your Travel ID profile to make the booking process easier for you through pre-populated forms. This could be data you actively provided during registration or added at some later point, or data you gave as part of a previous booking in relation to your Travel ID and which we automatically take into account for another booking. We also use your data given during your booking to provide you with pre-populated forms for online check-in and at self-service check-in machines for example. If you fill out other forms, such as when participating in a lucky draw or when you send customer feedback using one of our electronic feedback forms on the website, the contact details required are also pre-populated from your Travel ID profile.

The legal basis for processing your data is fulfilment of the contract pursuant to Article 6 (1)(b) GDPR.

For an overview of your bookings made with Travel ID operators, bookings you have made since you registered your Travel ID will be displayed in your Travel ID profile. If you change your previous customer profile from one of the Lufthansa Group airlines to a Travel ID profile, your past bookings from your previous customer profile will also be displayed in your Travel ID profile.
The overview of your bookings includes, amongst other things, the creation and display of flight statistics. These bookings are automatically saved in your Travel ID profile if you made the booking while logged in. It is also possible to add bookings to your profile at a later date. Your Travel ID profile shows the bookings for the last ten years.

The legal basis for processing your data is fulfilment of the contract pursuant to Article 6 (1)(b) GDPR.

We use your data stored in your Travel ID profile to be able to offer you personalised services. We process data that you have entered in your Travel ID profile during registration or at a later date, as well as data that we have recorded, for example, as part of the flight bookings made via Travel ID. This also includes delays or cancellations of flights, as well as issues with baggage. We also process your data from requests to our Service Centres.

As a result of this processing, we can improve our complaint or customer service management and offer you tailored services as a Travel ID customer at all our touchpoints. Your enquiries to our Service Centres will appear in your Travel ID profile and can be managed by you there.

The legal basis for processing your data is fulfilment of the contract pursuant to Article 6 (1)(b) GDPR.

If we were repeatedly unable to offer you the promised service, we may wish to contact you electronically or by post, or our employees may contact you individually. For this purpose, we use data regarding any issues and customer concerns, as well as the number and severity of the incidents.

The legal basis for the processing of your data is our legitimate interest in accordance with Article 6, (1)(1)(f) GDPR.

10.1 Travel documents

You have the option of having your travel documents, such as passport or visa, checked with regard to entry or transit regulations for the bookings you make. To do this, you can upload the relevant travel documents via your Travel ID profile to a separately secured database. These will then be automatically transferred to our Travel Document Check and reviewed before your journey begins.

The legal basis for processing your data is provided by your consent granted in accordance with Article 6 (1)(a) GDPR.

You have the right to withdraw your consent to the use of data from your travel documents at any time without affecting the lawfulness of any processing performed on the basis of this consent until such consent was withdrawn. To do this, you can delete your travel documents in your Travel ID profile under “Personal documents”.

The travel documents will be deleted automatically when they have reached their expiry date.

10.2 Health documents

You have the option of using the Health Document Check process to have your health-related documents reviewed regarding validity for entry to or transiting a country. You can upload your documents, such as vaccination certificates or proof of recovery, to a specially secured database via your Travel ID profile for this purpose. The Health Document Check takes place as part of the Travel Document Check described under Section 10.1, but requires your separate consent due to the processing of health data.

The legal basis for processing your data is provided by your separate consent granted in accordance with Article 9 (2)(a) in conjunction with Article 6 (1)(a) GDPR.

You have the right to withdraw your consent to the processing of health-related data at any time without affecting the lawfulness of any processing performed on the basis of this consent until such consent was withdrawn. You can delete your health documents in your Travel ID profile under “Personal documents” for this purpose.

The health-related documents are also automatically deleted after the expiry date, but no later than 12 months after upload.

If you have booked a flight, Lufthansa Group airlines would like to contact you about possible additional services relating to your flight. These additional services may include flight-related services of the Lufthansa Group airlines, such as premium meals or upgrades, but also additional services of partner companies of Lufthansa Group airlines (information about partner companies of the Lufthansa Group airlines: Austrian Airlines, Brussels Airlines, Eurowings, Eurowings Discover, Lufthansa, Swiss International Air Lines), such as rental cars or insurance companies. For this purpose, data stored about you in your Travel ID profile and with the Lufthansa Group airlines (e.g. flight data, preferences) will be processed.

The legal basis for processing your data is provided by your consent granted in accordance with Article 6 (1)(a) GDPR.

This consent is given by you during the registration process or later in your Travel ID profile and can be managed by you at any time in your Travel ID profile.

12.1 Advertising communication from Travel ID operators

You have the option, as described under Section 11 "Settings for personalising our offers" described in this Data Protection Notice, to grant consent to determine your main areas of interest, as well as send information and personalised offers based on this regarding the services of Lufthansa Group airlines and their respective partner companies (information on partner companies of the Lufthansa Group airlines: ​Austrian Airlines, ​Brussels Airlines, ​Eurowings, Eurowings Discover, ​Lufthansa, ​Swiss International Air Lines), via digital communication channels (e.g. by email, SMS/MMS, messenger services, search engines, videos, banners), by telephone or the websites of LHG airlines.

In addition, you can give Miles & More GmbH permission to send you offers relating to your possible membership of the Miles & More programme if you are not yet a member of the Miles & More programme.

Since we only want to provide you with information and offers that really interest you, we process the booking information stored with Lufthansa Group airlines with your consent, such as travel route, travel period and booking class, as well as preferences stored in your Travel ID profile. For example, by analysing information regarding your forthcoming trip, we may send you special offers or vouchers for additional services for your trip or for services available at your travel destination.

12.2 Personalised advertising through customer data matching (CRM Datamatch)

One way to provide you with personalised information and offers tailored to you is to identify you on partner websites or advertiser websites.

To do this, we transfer the e-mail address and/or phone number saved in your travel ID profile which is encrypted with the SHA 256 algorithm and is recommended by the Federal Security Office as being "cryptographically strong" to what is known as a clean room. A data clean room is a secure environment isolated from external technical influences for the processing of personal data. It aims to facilitate the exchange of data between advertising companies, in this case the Travel ID operators, and partners or providers of advertising spaces, while protecting the privacy of the respective customers as far as possible. For this purpose, the partners or advertising companies also provide data from their customers to the data clean room using the same encryption method. As part of data matching, hits (Datamatch) are sent to what are known as audiences (groups of people), which in turn can be analysed by the Travel ID operators and used for advertising purposes. Access to the data transferred by us to a data clean room will be granted solely to partners and providers of advertising spaces selected by us and after corresponding data processing contracts have been concluded.

Depending on the technological development and marketer-supported technology, we ensure that stronger and more secure encryption and/or extensions are used.

12.3 CRM Datamatch with Google Customer Match

In CRM Datamatch with Google Customer Match, we transfer encrypted data to a data clean room operated by Google in accordance with the procedure described under Section 12.2. In this data clean room, Google compares the data we provide with that of Google Account customers who are encrypted using the same SHA 256 hash algorithm. Matches are then compiled by Google in a list of what are referred to as “audiences”. As soon as this process is completed (max. 48 hours), the encrypted data is deleted. If you belong to such an audience, Google can then identify you when you are surfing using Google platforms and show you our personalised advertising.

Another prerequisite for the processing of your personal data in Google Customer Match is that you have a Google Account for which you have given Google permission to display personalised advertising. You can amend this setting to suit your preferences under the data protection tab in your Google user account.

The controller for the processing of personal data within the scope of Google Ads/Google Customer Match as defined in the GDPR is Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd is a subsidiary of Google LLC, which has its registered head office in California, USA, and is subject to the laws of that location, and may therefore also be obliged to provide access to data processed outside the USA / United States.

You can find further information about the processing of your personal data by Google in the Google Data Protection Notice.

The legal basis for all processing of your data listed under Section 12 "Personalised advertising communication" is provided by the consent you have given for this in accordance with Article 6 (1)(a) GDPR.

This consent is given by you during the registration process or later in your Travel ID profile and can be managed by you at any time in your Travel ID profile.
You can also decide for yourself the extent to which you wish to receive information and individual offers from us by adjusting your communication settings. You may withdraw your consent to marketing communications for individual areas as well (such as for the email newsletter) in your Travel ID profile.

If you have a Travel ID profile and your Travel ID profile is not linked to a Miles & More member account, Lufthansa Group airlines will exchange your data with each other in order to offer you the services specified in the Travel ID Terms and conditions of use. Miles & More GmbH will only receive data from you that is required to manage your Travel ID profile (e.g. contact details, date of birth and your voluntarily stored profile data) and will not process this data for its own purposes.

If you have linked your Travel ID profile to your Miles & More member account, the Travel ID operators will exchange your data with each other in order to offer you the services specified in the Travel ID Terms and conditions of use. You can decide whether to create this link yourself. Data matching is performed between your Travel ID profile and your Miles & More account when you create the link. Specifically, the data you have stored in both accounts will be transferred as follows:

All master data (such as name, date of birth, postal address, telephone) and preferences (such as preferred departure airport) are automatically transferred from your Miles & More account. The email address will be taken from your Travel ID profile.

The legal basis for the transfer of your data is the fulfilment of the contract in accordance with Article 6 (1)(b) GDPR.

If you have given Miles & More GmbH your consent pursuant to Section 12 for personalised advertising communication, Miles & More GmbH will also process your flight data (such as your route, travel class, departure airport, destination airport) for this purpose.

When you log in to a website or another touchpoint of a Travel ID operator for the first time, you will be asked to enter your login details. In order to recognise you during your session, we use a "log-in" cookie. This cookie allows you to visit websites of other Travel ID operators without having to log in using your Travel ID credentials again.

You can also choose to actively enable a “stay logged-in” feature when logged into Travel ID operators’ websites, which means that you will not be required to log in again after ending your session and later re-visiting the website.

We also use cookies for this purpose so that when you return to the website/touchpoint you will be recognised automatically.

When the “stay logged-in” feature expires, you will be asked to log in again. In addition, you will always be prompted to log in again if you are in the process of carrying out activities which require an enhanced level of security.

The legal basis for processing your data is provided by your consent granted in accordance with Article 6 (1)(a) GDPR.

We process your data to the extent and for as long as necessary for the processing purposes described in this Data Protection Notice.

If the purpose for which your data was processed no longer applies, this data will be deleted, unless the retention thereof is required for the following purposes:

• Fulfilment of statutory retention periods, which may result from obligations under commercial or tax law; these periods may last up to ten years
• Assertion, exercise or defence of legal claims

In these cases, the processing of your data is restricted (“blocked”) so that it can no longer be processed for other purposes.

If you no longer wish to use the Travel ID services, you may delete your Travel ID profile at any time. The personal data collected in connection with your use of Travel ID will then be deleted immediately - subject to conflicting statutory retention requirements.

You can delete your Travel ID profile yourself as well as any specific items of data you have provided in your Travel ID profile by logging into your Travel ID profile and performing the deletion there.

We also delete your provisional Travel ID profile if you do not confirm your registration within the period stated in the confirmation email, or if you have had a confirmation email with an activation link sent to you more than three times and do not use it.

We likewise delete your profile after a certain period of inactivity (see Section 4).

17.1 Your rights

As the data subject, you can exercise the following rights where the respective statutory conditions exist:

• Right to information, Article 15 GDPR
• Right to rectification, Article 16 GDPR
• Right to erasure (“right to be forgotten”), Article 17 GDPR (see also Section 16 of this Travel ID Data Protection Notice)
• Right to restrict processing, Article 18 GDPR
• Right to data portability, Article 20 GDPR
• Right to object, Article 21 GDPR (see also Section 18 of this Travel ID Data Protection Notice)

Insofar we process your data on the basis of consent, you have the right to withdraw this consent at any time without affecting the lawfulness of any processing performed on the basis of this consent before such consent was withdrawn.

To exercise your rights, you can contact the respective Travel ID operators from the “Who can you contact” section of this Data Protection Notice. In order to be able to process your application and identify you, we will process your personal data in accordance with Article 6 (1)(c) GDPR.

In your Travel ID profile, you can also check the current status of most of your master data yourself at any time. Please update your personal data immediately after any changes occur (for example, your postal address, email address or telephone number). To delete your Travel ID profile, you can also proceed as described in the “Deletion of your Travel ID profile” section.

Furthermore, you have the right to lodge a complaint with a regulatory authority: Article 77 GDPR.

17.2 Competent supervisory authorities

You will find a list of all data protection authorities responsible for the Travel ID operators below.

The competent supervisory authority for Deutsche Lufthansa AG, Eurowings Discover GmbH and Miles & More GmbH is:

Commissioner for Data Protection and Freedom of Information of the State of Hesse
Postfach 3163
65021 Wiesbaden
Germany

Tel: +49 (0)611 1408-0
Fax: +49 (0)611 1408-900 or -901

Email: poststelle@datenschutz.hessen.de

The competent supervisory authority for Eurowings GmbH is:

Regional Officer for Data Protection and Freedom of Information
State of North Rhine-Westphalia
Postfach 20 04 44
40102 Dusseldorf
Germany

Tel.: +49 - 211 - 38 424 - 0
Fax: +49 (0)211 38 424-999

Email: poststelle@ldi.nrw.de

The competent supervisory authority for Austrian Airlines AG is:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Austria

Tel: +43 (0)52 152-0

Email: dsb@dsb.gv.at

The competent supervisory authority for Swiss International Air Lines AG is:

Federal Data Protection and Information Commissioner
Feldeggweg 1
3003 Berne
Switzerland

Telephone: +41 (0)58 46 24 395
Fax: +41 (0)58 46 59 996

For data processing that is subject to the GDPR:

Commissioner for Data Protection and Freedom of Information of the State of Hesse
Postfach 3163
65021 Wiesbaden
Germany

Tel: +49 (0)611 1408-0
Fax: +49 (0)611 1408-900 or -901

Email: poststelle@datenschutz.hessen.de

The competent supervisory authority for Brussels Airlines SA/NV is:

Autorité de protection des données
Gegevensbeschermingsautoriteit
Data Protection Authority
Rue de la presse 35, 1000 Brussels
Belgium

Tel: +32 (0)2 27 44 800

Email: contact@apd-gba.be

For reasons arising from your specific situation, you have the right to object at any time to the processing of your personal data based on Article 6 (1)(f) GDPR.

In the event of an objection, we will no longer process the personal data that concerns you, unless we can prove that there are compelling and legitimate grounds for the processing that outweigh your interests, rights and freedoms, or if the processing is used to enforce, exercise or defend legal claims.

If the personal data concerning you is processed by us for the purpose of direct marketing and you object to this processing, the personal data concerning you will no longer be processed for these purposes.

You can object to the processing of your personal data at any time, for example by using the contacts specified in the “Who can you contact?” section.

We use technical and organisational security measures to protect your data against accidental or deliberate manipulation, loss, deletion or access by unauthorised persons. Our security measures are being continuously improved as new technology develops.

In connection with the processing operations described in this Travel ID Data Protection Notice, we may disclose your data to the following categories of recipients:

• service providers with whom we cooperate on the basis of a data processing agreement pursuant to Article 28 (3) GDPR
• Governmental agencies and authorities, e.g. due to police and investigative activities

In such cases, personal data may be transferred worldwide to third countries or international organisations. For your protection and to protect your personal data, appropriate security precautions will be taken for such data transfers in accordance with and pursuant to the law.

If these transfers are made to a third country for which the EU Commission or competent authority has not issued an adequacy decision, we use standard EU contractual clauses. Information about standard EU contractual clauses is available on the European Union website.

In exceptional cases, transfer to countries without adequate protection may also be permissible in other cases, e.g. based on consent, in connection with legal proceedings or if the transfer is necessary for the execution of a contract.

We review this Travel ID Data Protection Notice regularly and will update it as required. We will inform you if there are material changes to this Travel ID Data Protection Notice (for example on our websites).