Data Protection Information

Deutsche Lufthansa AG (Venloer Strasse 151-153, 50672 Cologne, Germany) (also referred to below as “Lufthansa”, “we” and “us”) would like to inform you how we process your personal data in connection with our product offers. You can access these offers directly via lufthansa.com (the “website”) and the Lufthansa app.

Any reference below to Lufthansa Group airlines refers to the airlines Lufthansa, SWISS International Airlines AG, Austrian Airlines AG, Brussels Airlines S.A. and Eurowings GmbH. The Lufthansa Group includes the Lufthansa Group airlines and the other companies that belong to the Lufthansa Group.

Please contact our Data Protection Officer if you have any further questions about data protection relating to our website or the services offered there:

Corporation Data Protection Officer for the Lufthansa Group
Deutsche Lufthansa AG
Email: ​datenschutz@dlh.de
Please address any requests for information to:
Deutsche Lufthansa AG
Data Information
FRA CJ/D
60546 Frankfurt

or by email to:
​dataauskunft@dlh.de

Correspondence is not encrypted if you contact us by email.

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG).

We process personal data to fulfil our contractual obligations under Art. 6 (1) (b) GDPR. These include in particular:

• sale of flight tickets and upgrades 
• sale and provision of flight-related services, such as a-la-carte menus, pre-ordered in-flight meals, pre-flight shopping, eJournals and baggage services
• customer communications, such as sending booking confirmations and providing flight-related information
• managing check-in and boarding processes, from the check-in invitation, through the travel and entry documents checks, to waiting list processing and baggage handling
• collecting and transmitting contact details as required by local authorities based on mandatory statutory regulations, and therefore necessary to ensure compliance with the terms of the contract of carriage
• access to a lounge
• recording and processing customer feedback and customer enquiries

We also process your data to safeguard our legitimate interests under Art. 6 (1) (f) GDPR

• so that we can send you relevant information about your booked flight and your destination
• to prevent, investigate and prosecute criminal acts such as fraud, e.g. credit card fraud, identity theft, or the use of fraudulent means to obtain special terms and conditions or fare offers
• to pursue legal claims, including debt collection and defence in the event of legal disputes
• for audit purposes
• to guarantee IT security and security of the airline’s operations
• to guarantee air safety
• for marketing purposes, unless you have objected to the use of your data
• to prepare international aviation statistics
• to prepare statistics in order to improve our products and services. In individual cases, we create customer profiles for this purpose while processing the booking data. However, these profiles are immediately anonymised and are not used for analysing or predicting personal preferences.
• to communicate with you, where an ongoing business relationship with you or your employer already exists, or where it is intended to initiate one (business contacts)
• to plan support services and improve punctuality. Thanks to the early detection of a passenger’s potential delay at the gate during the boarding process, the unloading of baggage can be initiated at an early stage. To this end, Fraport AG at Frankfurt Airport records the time when boarding passes were checked before passengers accessed the security area. It then provides this information to us/LH at the departure gate shortly before departure so that we can search for any missing or potentially delayed passengers. You can find further information about this data collection and processing by Fraport AG in their privacy policy.

We process your data on the basis of your consent under Article 6 (1) (a) GDPR for specific purposes, in particular:

• to send out the “Best Price Alert” newsletter with personalised offers from Lufthansa
• to send out newsletters with regular offers from Lufthansa
• for you to receive targeted information and offers from Lufthansa and its partner companies
• for market research and customer surveys
• for personalised use of the website and personalised offers, including profiling
• to assist with processes related to the use of the website, with reminder functions and live chats
  
• for analytical purposes, to improve our offers to you.

We process your data to check your Covid-19 entry documents. This is done on the basis of your consent to the verification of Covid-19 entry documents under Art. 9 (2) (a) GDPR.

Any consent given can be withdrawn at any time. This also applies to the withdrawal of any declarations of consent that you gave us before the GDPR came into effect, i.e. before 25 May 2018. The withdrawal of your consent does not apply retroactively and does not affect the legality of data processing prior to the date of withdrawal.

We process passenger data based on our statutory obligations under Art. 6 (1) (c) GDPR.

When we are legally required to do so, we process personal data to fulfil our retention obligations under commercial and tax laws, or our statutory security and safety requirements (for example under Section 7 of the German Aviation Safety Act (Luftsicherheitsgesetz - LuftSiG)). Please refer to the section “Duration of data processing” if you would like further information about these retention periods.

Data transmission to immigration authorities:

• based on the Passenger Data Agreement between the EU and USA, and the EU and Canada
• based on the German Passenger Data Act (Fluggastdatengesetz - FlugDaG) in Germany and within the EU where the EU destination countries have implemented EU Directive 2016/681
• based on the Trade and Cooperation Agreement between the European Union and the United Kingdom
• API* (Advance Passenger Information) – we transmit data to the extent we are obliged to in order to comply with international travel control measures

Transmission to health authorities:

• to fight a pandemic

We process passenger data based on our statutory obligations under Art. 9 (2) (g) GDPR.

Where we are legally required to do so, we process personal data to check your health status, as required to enter the country concerned.

* Data stored in the machine-readable area of passports or ID cards 
You can request further information about this from the relevant authorities.

We have marked some fields as mandatory in the forms on our website, for which information is legally or contractually required. You must complete these fields so that we can provide you with the contract or service you wish.

Your personal data will be deleted as soon as it is no longer required for the stated purposes. However, we have to continue to store your data until the end of the retention periods and deadlines stipulated by the legislator or the supervisory authorities in the German Commercial Code, Tax Code and Money Laundering Act. These deadlines are generally between six and ten years. We may also retain your data until the expiry of the statutory limitation periods (generally three years, in individual cases up to 30 years) where required for the establishment, exercise or defence of legal claims. The relevant data will then be routinely erased.

Within the context of the above-mentioned data processing and the various relevant legal bases (contract performance, legitimate interests, consent or statutory processing obligations), your data may be shared with the following categories of recipients:

• Lufthansa Group Airlines 
• vicarious agents, e.g. service providers for ground handling and other additional services in this context
• other airlines that provide part of the carriage
• other service providers, e.g. for provision of the website, issuing newsletters, processing feedback and the preparation of international aviation statistics
• government authorities and institutions, e.g. on the basis of entry regulations or police activities and investigations.

In such cases, personal data may be transferred to third countries or international organisations. Appropriate security measures will be taken for such data transfers to protect you and your personal data, in line with and in compliance with the statutory regulations.

We use EU standard contractual clauses if no legal basis exists for such transfers, or when they are made to a country for which the EU Commission has not issued an adequacy decision.

For information on EU standard contractual clauses, see the Commission Decision on standard contractual clauses for the transfer of personal data to commissioned processors in third countries.

Lufthansa is committed to fair and transparent data processing. It is therefore important to us that data subjects – providing the relevant legal requirements are met – are not only able to exercise their right to object, but also the rights listed below:

• right of access by the data subject, Art. 15 GDPR
• right of rectification, Art. 16 GDPR
• right to erasure (“right to be forgotten”), Art. 17 GDPR
• right to restriction of processing, Art. 18 GDPR
• right to data portability, Art. 20 GDPR
• right to object, Art. 21 GDPR

If you wish to exercise your rights, please send an email to ​dataauskunft@dlh.de.
Please provide the following information, so that we can identify you:

• name
• postal address
• email address, and optionally: your customer number or booking code/ticket number

If you send us a copy of your passport or ID card, please redact (black out) all data apart from your first name(s) and surname and address.

Please note that we will use your personal data, in accordance with Article 6 (1) (c) GDPR, to process your request and for identification purposes.

You have the right under Art. 77 GDPR in conjunction with Section 19 BDSG to lodge a complaint with a supervisory authority. The relevant supervisory authority for Lufthansa is:

Commissioner for Data Protection and Freedom of Information of the State of Hesse
PO Box 3163
65021 Wiesbaden

You have the right to object to the processing of your personal data at any time in accordance with the legal bases that relate to your specific situation. This right is based on Art. 6 (1) (e) and (f) GDPR. This also includes profiling based on these regulations.

The data controller will then no longer process your personal data, unless the data controller can prove valid, legitimate grounds for processing that override your interests, rights and liberties, or if the processing is required for the establishment, exercise or defence of legal claims.

If your personal data are processed for the purposes of direct marketing, you have the right to object to the processing of your personal data for such marketing at any time. This also includes profiling when this is carried out in connection with direct marketing.

If you object to the processing of your personal data for the purposes of direct marketing, your personal data will no longer be processed for such purposes.

You can exercise your right of objection in connection with the use of the services of an information company – notwithstanding Directive 2002/58/EC – in an automated process in which technical specifications are used.

Lufthansa uses browser cookies, scripts, web beacons, tracking URLs, pixel tags and similar technologies (referred to below as “cookies”) to provide, protect and improve our website and applications.  

You will find more detailed information about the data processed and our partners in our cookie policy.

You can change your consent via the link “Change cookie settings” found at the bottom of each page.

You can use the LufthansaChat Assistant to contact us and communicate with us on our website lufthansa.com.

We recommend you to be cautious about disclosing personal data and only share information in the chat that is necessary for the service you would like to use.

a) Chat function

If you contact the chat assistant via a web chat, a session-based anonymised User ID will be assigned to you. The content of your inputs and the answers from the chat assistant will be stored against this User ID.

All the data you enter during the course of the web chat dialogue with the chat assistant are passed to a commissioned data processor and processed there for the purpose of handling your request. Your chat entries will be analysed to help process your request and compared against the functions and information provided by us to our commissioned data processor. If it is not possible to handle your enquiry in this process step using a dialogue provided in the software, your input texts will be shared with another commissioned data processor who analyses them using special software and compares them to a knowledge database, whose content we have also provided. Entries that match your input text will be sent back to you.

If you send us an enquiry via Facebook Messenger, you will be assigned a session-based, anonymised User ID by Facebook. This will be transferred to us, as well as your Facebook username. This will allow us to identify you again in the event of later enquiries using Facebook Messenger, and place your enquiry in the context of previous conversations with you. Facebook also transmits your language and gender, which allows us to address you in a more personalised form.
No other data and information about you that you have stored on Facebook will be transmitted.

The legal basis for processing your data is:

• Art. 6 (1) (b) GDPR if your concern relates to an existing or planned booking
• Art. 6 (1) (f) GDPR to safeguard our legitimate interest, to prevent fraud or for the assertion, exercise and defence of legal rights.

b) Live chat function

If the chat assistant is unable to process your questions or enquiries, the live chat function of the chat assistant gives you the option of contacting our Service Centre. If you decide to use this live chat function, the personal data you entered during the course of the chat are transferred to our commissioned data processors, who will reply to you via the chat assistant on our website.

The legal basis for processing your data is:

• Art. 6 (1) (b) GDPR if your concern relates to an existing or planned booking
• Art. 6 (1) (f) GDPR to safeguard our legitimate interest, to prevent fraud or for the assertion, exercise and defence of legal rights.

To maintain and continuously improve the quality of the customer services provided by our service centre staff, we would like to evaluate samples of live chat session communications. To do this we need your consent, which we request before forwarding you to our live chat agents. You can withdraw your consent at any time during and after the live chat session. You can inform our agents that you want to withdraw your consent during the live chat session, or you can contact us for this purpose using our online form.

If you do not give your consent, our service centre staff will of course still take care of you.

The legal basis for processing your data is Art. 6 (1) (a) GDPR.

c) Feedback function

You can also use the “Thumbs up” and “Thumbs down” function to send us your feedback about the information provided by the chat assistant. Your feedback will be stored as part of the flow of your web chat. If you wish to give us feedback about the chat assistant, you have to request this explicitly by text input. You then have the option of entering your feedback in text form in the web chat.

The legal basis for processing your data is Art. 6 (1) (f) GDPR to protect our legitimate interest in improving the functions of the chat assistant, based on your feedback

d) Push notifications
If you contacted us via Facebook Messenger and gave us your consent there, we will also send you information about your booking, for example when your flight is ready for check-in, providing you have shared your booking data with us on Facebook Messenger.

You can withdraw your consent with future effect at any time. Please enter the word “Withdraw” in the Facebook Messenger dialogue window to do so and confirm the withdrawal option offered to you, or follow the “Data Protection” menu link provided in the dialogue window.

The legal basis for processing your data is Art. 6 (1) (a) GDPR.

e) Technical troubleshooting and quality improvement

In the case of technical malfunctions, we have to analyse chat histories in detail on a case-by-case basis to be able to identify the causes of the technical malfunction and to take corrective action.

The legal basis for processing your data is Art. 6 (1) (f) GDPR to protect our legitimate interest in identifying and correcting technical errors.

We analyse all dialogues and your feedback in order to improve the quality of the chat assistant functionalities. To do so, all references to you are removed, so that only anonymised data are used for this purpose and your data cannot be analysed or linked to you.

We share your personal data with other affiliated companies within the Lufthansa Group, or with external companies, in order to process your enquiry via the chat assistant. We reserve the right to disclose information about you if required by law, or if we are required to do so by official authorities or the courts.

We will delete the data you submitted via the chat assistant after 30 days. If you gave your consent, this also includes the data we use for the purposes of improving the quality of our customer services (see b) Live chat function). The 30-day retention period for the chat assistant function does not affect the retention period for personal data processed for the performance of a contract of carriage. In this regard, please refer to our General Terms and Conditions of Carriage as well as the relevant explanations in our Privacy Policy.

If you have agreed in the newsletter area of our website to receive our newsletter (which continues to apply until you either withdraw your consent or Lufthansa stops sending the newsletter), we would like to draw your attention to the following:

Your consent is the legal basis for the processing.

Your consent refers to the processing of the following personal data that you have given us voluntarily:

• email address
• surname, first name, title, gender/salutation
• country of origin
• preferred newsletter language
• preferred airport

The newsletter is sent to the email address you gave us, based on your consent. The newsletter provides you with information on a wide range of topics related to Lufthansa and our ​partner companies.

To personalise our communication, we analyse your usage behaviour with each newsletter, by means of cookies and similar technologies. This analysis includes for example, which pages were opened, clicks, reading time and potential bookings.

The basis for the personalisation of the newsletter is the analysis of the following data:

• your interaction with the newsletter
• your master data that you provided voluntarily (departure airport, gender, etc.)
  
• your IP address
  
• your existing and future bookings

The following systems and technologies are used in our newsletter:

Oracle Responsys
The following data are processed by the Responsys delivery tool, for marketing, improvement and legal purposes:

• delivering the email
• opening the email
• time of opening and time of each click
• end device used to open the email, click and book
• click behaviour in the email
• booking completed from the email

Litmus
The following data are processed by the Litmus email marketing tool for the purposes of marketing and improvement:

• reading time and reading behaviour
• location when opening
• email programme and end device used

These data are stored on a subscriber/customer basis (email address).

Exactag
Exactag GmbH collects, processes and stores data on this web page and its sub-pages, for the purposes of measuring reach, statistical analysis and to generate cost optimisation. Cookie technology is used to identify your browser. Exactag cookies are only processed in Germany and only contain anonymised data.

If you do not agree to the use of these technologies and analyses in the newsletter, and wish to withdraw your consent, you can unsubscribe from the newsletter. To do so, use the link that is included in each issue of the newsletter.

You can choose from an extensive range of films, music, magazines and much more as part of our in-flight entertainment programme. You can use the free FlyNet portal to search for useful information, check the current weather conditions at your destination, purchase items in the Lufthansa Worldshop and find out about services for your connecting flight. We only process the personal data (internet protocol data) necessary for the display and functioning of the website. The FlyNet programme also offers you internet access on our flights for an additional fee. You can buy the access package that best meets your needs directly from our partner, Deutsche Telekom, in the FlyNet portal. 

The legal basis for processing your personal data is the contract of carriage we concluded with you. 

You can also log in with your Travel ID profile and customise our in-flight entertainment programme and FlyNet services to suit you.

You can register on our website for the Miles & More programme.

You will find further information about the processing of your personal data as part of the Miles & More programme ​in the Miles & More Privacy Policy.

Star Alliance Biometrics is a Star Alliance product that enables voluntary biometric identification (facial recognition) of the passenger at the airport. Lufthansa currently offers the use of biometric services at the following access points: boarding.

Deutsche Lufthansa AG is responsible for the processing activities described below.

Lufthansa processes the following personal data: 

• We send your Miles & More membership number and your name, in encrypted form, from the Lufthansa app to the Star Alliance Navigator app for registration with Star Alliance Biometrics. Your consent is required under Art. 6 (1) (a) GDPR.
• Star Alliance is responsible for further registration. Please read the ​Star Alliance Privacy Policy for additional information about this registration.
• Your Miles & More number and your boarding pass data are transmitted to Star Alliance to create a specific daily identification file (“Gallery of the Day”). For registered users, this is done on the basis of their consent under Art. 6 (1) (a) GDPR; for potential users with a Miles & More number, this is done to ensure seamless processing in accordance with Art. 6 (1) (f) GDPR.
• A short video sequence is recorded at access points/devices operated by Lufthansa at the airports that are fitted with the Star Alliance Biometrics integrated biometric services. A photo is extracted from this and is used to identify you.
  For registered users this is done based on their consent under Art. 6 (1) (a) GDPR; for unregistered passengers, this is done to ensure the process operates seamlessly and complies with Art. 6 (1) (f) GDPR.

Categories of recipients

• Lufthansa uses IT service providers who have been placed under a contractual obligation of compliance with the GDPR. 
• Lufthansa forwards the data to Star Alliance.

Duration of data storage

• As soon as the identification process has been completed, or your data have been transmitted, these data are deleted from the access points/devices.
• The creation and processing of the specific daily identification file (“Gallery of the Day”) is the responsibility of Star Alliance. In every case, this file is deleted two hours after departure.

You can withdraw your consent to the use of biometric identification at any time. Go to the “Manage profile” area in the Star Alliance Navigator app and delete your biometric profile there. The withdrawal of your consent does not affect the lawfulness of any processing carried out based on your consent prior to its withdrawal.

You are not legally or contractually required to provide personal data. However, it is required for you to use the Star Alliance Biometrics product.

There is no automated decision-making, e.g. profiling.

Flight bookings

In principle we process the following personal data about you when you buy a flight ticket on our website:

• title, first name, surname (collectively “master data”)
• landline and/or mobile phone number, email address (for the booking confirmation) (collectively “contact details”)
• your preferred payment method and associated data, together with the payer’s master data, address and contact details (collectively “payment details”).

Optionally, you may provide the following data:

• date of birth
• nationality and passport details (“identification data”)
• information about frequent flyers, such as the programme of which you are a member, and your membership number (“frequent flyer data”)
• your preferred meal
• “Redress Code” (US Immigration Authorities)
• PartnerPlusBenefit programme (for companies)

Travel information about your flight

A few days before your departure date you will receive an email with information about your upcoming trip, together with offers of personalised additional services and any free travel services available. You can object to the sending of the pre-flight email at any time using the link in the travel information relating to your flight.

Check-in services

You will receive a notification as soon as the online check-in for your flight is open so that you can select your seat in good time.
You will be offered a link to online check-in if you access your booking on lufthansa.com, or if you are logged into lufthansa.com or the Lufthansa app and an upcoming trip is linked to your customer profile.

We will inform you through an unencrypted email that the online check-in for your upcoming trip is open, if you have stored an email address in your customer profile and your current booking is linked to your customer profile, or if you provided an email address when making your booking. You can go from this email directly to the online check-in for your flight. This access is enabled using an encrypted direct link.

Alternatively, you can provide the following information to the online check-in:

• frequent flyer data (frequent flyer programme and card number)
• mobile phone number and/or email address to receive mobile boarding passes and notifications of flight disruptions (emails sent for this purpose are explicitly unencrypted)

Automated check-in

If you have agreed in your customer profile (Miles & More or Travel ID) to automated check-in (which is the default setting for all Miles & More customers), you will be sent your mobile boarding pass automatically for flight bookings which are completely within the Schengen area and booked no later than 24 hours before departure.

Notifications about flight status and flight disruptions

You have the option of giving us a mobile phone number and/or an email address when booking, when updating your booking, or in the customer profile (Travel ID or Miles & More) linked to your booking. This will allow us to send you your boarding pass and/or enable you to use the Lufthansa app for your flight. We will inform you (either by SMS or unencrypted email and/or via the app) about any changes to the flight status and in particular about flight disruptions.

Additional services for your journey using the Lufthansa app

Personal details

You have the option to store personal data locally on your mobile device using the Lufthansa app. This ensures that the necessary information is pre-filled during the check-in process, making check-in faster and more convenient.
Travel documents (passport, ID card, residence permit and visa) can also be saved using the scan function.

The personal data stored on your device is only processed locally in the app and includes:

• identification data for check-in (type of frequent flyer card, card number, surname and first name)
• contact details (mobile phone number or email address)
• data about travel documents (passport, ID card, residence permit, visa and other documents)

Please note that it is not possible to rule out misuse by third parties, e.g. if your mobile phone is stolen. We therefore recommend you protect your mobile phone accordingly, e.g. with a code. Lufthansa explicitly points out that the storage of this data is at your own risk, and Lufthansa cannot be held liable for any misuse.

Location services and airport maps

We can show you your current location on our digital airport maps if you grant the Lufthansa app access to your location (using the app location service settings in the respective operating system). This setting is needed so that we can offer you further services relevant to your location.
We process tracking data to determine your position (dynamic IP address, location data from Bluetooth, Wi-Fi or the GPS function on your device).

Location-linked services

For our location-linked information, we take your location into account providing you have consented in your smartphone settings under location service settings of the app in the operating system.

This enables us to send you the offers that are relevant to your location. Processing the movement data of your smartphone in anonymised form also helps us to predict waiting times, e.g. at security checkpoints.

Your location will only be used for the above purposes.

If you do not wish to use our location-linked services, you can deactivate them at any time using the settings in the Lufthansa app.

You can give us your opinion via various channels. You are also free to decide how you would like to communicate with us. You also have the option of sending us data via the feedback form on our website. Another option is to communicate with us by letter. You can also use other channels to give us feedback, e.g. your email address, a fax or the Lufthansa app. Please note that your individual feedback may be used for training and quality purposes.

• If your message includes a request for financial compensation, we may, in individual cases, ask you for a copy of your official photo ID for your protection and to positively identify you.