Travel ID Data Protection Notice

August 2023

The purpose of this Travel ID Privacy Notice (referred to below as “Privacy Notice”) is for us to inform you about the processing of your personal data in connection with your use of Travel ID.

We, the airlines of the Lufthansa Group and Miles & More GmbH, as the operators of Travel ID, would like to offer you our services within the Lufthansa Group in the most convenient way possible and provide you with a travel experience that is tailored to you and your particular wishes and expectations, from your first visit to our website and other touchpoints through to the end of your trip and beyond. You have the option through Travel ID of creating a free customer profile that is valid for all Travel ID operators and allows you access to a wide range of services.

The creation of a Travel ID profile and provision of the data needed for this is voluntary. However, some of our services are available exclusively to our Travel ID customers. This applies, for example, to the option of receiving personalized flight offers and additional services on the Lufthansa Group airlines’ booking platforms.

This data protection statement is aligned with the applicable data protection regulations; depending on the scope of application, these include the GDPR as well as any other future statutory national data protection laws and regulations.
 

Controllers under data protection law

The operators of Travel ID are Austrian Airlines AG, Brussels Airlines SA/NV, Deutsche Lufthansa AG, Eurowings GmbH, EW Discover GmbH and Swiss International Air Lines AG as the Lufthansa Group airlines and Miles & More GmbH.

Unless otherwise stated in this Privacy Notice, “we” or “us” or “Travel ID operators” refers to the Lufthansa Group airlines and Miles & More GmbH as the controllers with joint responsibility (“Joint Controllers”) for the processing of your personal data as defined in Article 26 of the General Data Protection Regulation of the European Union (“GDPR”).

Further information and contact addresses for the Lufthansa Group airlines and Miles & More GmbH can be found in the respective Privacy Notice for Travel ID operators.

Who can you contact?

If you have data protection questions in connection with the Travel ID, please contact the following:

The Data Protection Officer of Deutsche Lufthansa AG, Miles & More GmbH, Eurowings GmbH and EW Discover GmbH:

Deutsche Lufthansa AG
Data Protection Officer
FRA CJ/D
Lufthansa Aviation Center
Airportring
60546 Frankfurt am Main
Germany

Austrian Airlines AG Data Protection Officer:

Austrian Airlines AG
Legal office – Data Protection
Office Park 2
PO box 100
1300 Vienna Airport
Austria

Data Protection Officer of Swiss International Air Lines AG:

Swiss International Air Lines AG
ZRH S/CJ
PO box
8058 Zurich Airport
Switzerland

Brussels Airlines SA/NV Data Protection Officer:

Brussels Airlines
Data Protection Officer
Airport Bld. 26, General Aviation - Ringbaan
1831 Machelen
Belgium

Creating a Travel ID profile

When you register for Travel ID, the only mandatory information we request is your email address, your title, your first and last names, your date of birth and a password. Your country and preferred language settings will be automatically transferred - as far as technically possible - using the country and language settings you entered on the respective websites or other touchpoints of the Travel ID operators. This information is required in order to create a Travel ID profile and to use the Travel ID services described in detail below and in the Travel ID Terms and conditions of use. You have the option to add further information to your Travel ID profile on a voluntary basis. This can be your address, mobile phone number, payment data or your flight preferences (e.g. preferred departure airport).

The legal basis for processing your data is fulfilment of the contract pursuant to Article 6(1)(b) GDPR.

You also have the option of storing documents based on your consent (see Section 10).

Notifications about your Travel ID profile

If necessary to fulfil the contract, we will send you messages about status changes in your Travel ID profile. This includes, among other things, the expiry of the validity of your travel documents, payment methods or password uploaded via your Travel ID profile.

If you have not logged into your Travel ID profile for three years, we will ask you to log in again. If we do not see any activity in your Travel ID profile within another six months, we will delete it (see the section “Deleting your Travel ID profile”).

The legal basis for processing your data is fulfilment of the contract pursuant to Article 6(1)(b) GDPR.

Personalised use of websites and other touchpoints

Pre-populated forms

We use the data you enter in your Travel ID profile to make the booking process easier for you through pre-populated forms. This could be data you actively provided during registration or added at some later point, or data you gave as part of a previous booking in relation to your Travel ID and which we automatically take into account for another booking. We also use the data you gave during the booking process to provide you with pre-populated forms, for example for online check-in and at self-service check-in machines. If you fill out other forms, such as when participating in a lucky draw or when you send customer feedback using one of our electronic feedback forms on the website, the contact details required are also pre-populated from your Travel ID profile.

The legal basis for processing your data is the performance of the contract in accordance with Article 6(1)(b) GDPR.

Summary of your bookings

For an overview of your bookings made with Travel ID operators, bookings you have made since you registered your Travel ID will be displayed in your Travel ID profile. If you change your previous customer profile from one of the Lufthansa Group airlines to a Travel ID profile, your past bookings from your previous customer profile will also be displayed in your Travel ID profile.
The overview of your bookings includes, amongst other things, the creation and display of flight statistics. These bookings are automatically saved in your Travel ID profile if you made the booking while logged in. It is also possible to add bookings to your profile at a later date. Your Travel ID profile shows the bookings for the last ten years.

The legal basis for processing your data is the performance of the contract in accordance with Article 6(1)(b) GDPR.

Personalised service when in contact with our employees and touchpoints

We use your data stored in your Travel ID profile to be able to offer you personalized services. We process data that you entered in your Travel ID profile during registration or at a later date, as well as data that we have recorded, for example, as part of the flight bookings made via Travel ID. This also includes flight delays or cancellations and baggage problems. We also process your data from requests to our Service Centres.

As a result of this processing, we can improve our complaint management and offer you a targeted service as a Travel ID customer at all our touchpoints. Your enquiries to our Service Centres will appear in your Travel ID profile and can be managed by you there.

The legal basis for processing your data is the performance of the contract in accordance with Article 6(1)(b) GDPR.

Contact with regard to contractually agreed services

If we were repeatedly unable to offer you the promised service, we may wish to contact you electronically or by post, or our employees may contact you individually. We use data about any problems and customer concerns for this purpose, as well as the number and severity of the incidents.

The legal basis for the processing of your data is our legitimate interest in accordance with Article 6(1)(f) GDPR.

Review of travel and health documents

Travel documents

You have the option of having your travel documents, such as passport or visa, checked with regard to entry or transit regulations for the bookings you make. To do this, you can upload the relevant travel documents via your Travel ID profile to a separately secured database. These will then be automatically transferred to our Travel Document Check and reviewed before your journey begins.

The legal basis for processing your data is provided by your consent granted in accordance with Article 6(1)(a) GDPR.

You have the right to withdraw your consent to the use of data from your travel documents at any time without affecting the lawfulness of any processing performed on the basis of this consent until such consent is withdrawn. To do so, you can delete your travel documents in your Travel ID profile under “Personal documents”.

Your travel documents will be deleted automatically once they are no longer valid.

Health documents

You have the option of using the Health Document Check process to have your health-related documents reviewed regarding validity for entry to or transiting a country. You can upload your documents, such as vaccination certificates or proof of recovery, to a specially secured database via your Travel ID profile for this purpose. The Health Document Check is carried out as part of the Travel Document Check described in the section “Travel documents”, but requires your separate consent due to the processing of health data.

The legal basis for processing your data is provided by your separate consent granted in accordance with Article 9(2)(a) in conjunction with Article 6(1)(a) GDPR.

You have the right to withdraw your consent to the processing of health-related data at any time without affecting the lawfulness of any processing performed on the basis of this consent until such consent is withdrawn. You can delete your health documents in your Travel ID profile under “Personal documents” for this purpose.

The health-related documents are also automatically deleted after the expiry date, but no later than 12 months after upload.

Storing payment methods

We offer you the option of storing your preferred payment methods in your Travel ID profile. You can do this yourself at any time within your Travel ID profile. You also have the option during the booking process of deciding to store in your Travel ID the payment methods you entered for the booking for future purchases.

If you have stored a payment method in your Travel ID profile and make a booking with your Travel ID profile while logged in, we will pre-fill your preferred payment methods or offer you a selection.
You can edit or delete your payment methods at any time.

The legal basis for processing your data is provided by your consent granted in accordance with Article 6(1)(a) GDPR.

You have the right to withdraw your consent to the storage of your payment methods at any time without affecting the lawfulness of any storage on the basis of this consent before such consent was withdrawn. You can delete your payment methods in your Travel ID profile under “Payment methods”.

Settings for personalising our offers

If you have booked a flight, Lufthansa Group airlines would like to contact you about possible additional services relating to your flight. These additional services may include flight-related services of the Lufthansa Group airlines, such as premium meals or upgrades, but also additional services of partner companies of Lufthansa Group airlines (information about partner companies of the Lufthansa Group airlines: Austrian Airlines, Brussels Airlines, Eurowings, Discover Airlines, Lufthansa, Swiss International Air Lines), such as rental cars or insurance companies. Data stored about you in your Travel ID profile and with the Lufthansa Group airlines (e.g. flight data, preferences) will be processed for this purpose.

The legal basis for processing your data is provided by your consent granted in accordance with Article 6(1)(a) GDPR.

This consent is given by you during the registration process or later in your Travel ID profile and can be managed by you at any time in your Travel ID profile.

Personalised advertising communication

Advertising communication from Travel ID operators

As described in the section “Settings for personalizing our offers” in this Privacy Notice, you have the option of giving your consent to our determining your main areas of interest, as well as sending information and personalized offers based on this regarding the services of Lufthansa Group airlines and their respective partner companies (information about partner companies of the Lufthansa Group airlines: Austrian Airlines, Brussels Airlines, Eurowings, Discover Airlines, Lufthansa and Swiss International Air Lines), via digital communication channels (e.g. by email, SMS/MMS, messenger services, search engines, videos, banners) and by telephone or the websites of LHG airlines.

In addition, you can give Miles & More GmbH permission to send you offers relating to your possible membership of the Miles & More programme if you are not yet a member of the Miles & More programme.

Since we only want to provide you with information and offers that really interest you, we process the booking information stored with Lufthansa Group airlines with your consent, such as travel route, travel period and booking class, as well as preferences stored in your Travel ID profile. For example, by analyzing information regarding your forthcoming trip, we may send you special offers or vouchers for additional services for your trip or for services available at your travel destination.

Personalized advertising through customer data matching (CRM Datamatch)

One way to provide you with personalized information and offers tailored to you is to identify you on partner websites or advertiser websites.

To do this, we transfer the email address and/or telephone number saved in your Travel ID profile to what is known as a clean room. Before the transfer, this data is encrypted with the SHA-256 hash algorithm, which is recommended by the Federal Security Office as being “cryptographically strong”. A data clean room is a secure environment isolated from external technical influences for the processing of personal data. Its purpose is to facilitate the exchange of data between advertising companies, in this case the Travel ID operators, and partners or providers of advertising spaces, while protecting the privacy of the respective customers as far as possible. For this purpose, the partners or advertising companies also provide data from their customers to the data clean room using the same encryption method. As part of data matching, hits (Datamatch) are sent to what are known as audiences (groups of people), which in turn can be analyzed by the Travel ID operators and used for advertising purposes. Access to the data transferred by us to a data clean room will be granted solely to partners and providers of advertising spaces selected by us and after corresponding data processing contracts have been concluded.

Depending on the technological development and marketer-supported technology, we ensure that stronger and more secure encryption and/or extensions are used.

CRM Datamatch with Google Customer Match

In the case of CRM Datamatch with Google Customer Match, we provide encrypted data to a data clean room operated by Google in a process as described in the section “Personalized advertising through customer data matching (CRM Datamatch)”. In this data clean room, Google compares the data we provide with that of Google Account customers, whose data is encrypted using the same SHA-256 hash algorithm. Matches are then compiled by Google in a list of what are referred to as “audiences”. As soon as this process is completed (max. 48 hours), the encrypted data is deleted. If you belong to such an audience, Google can then identify you when you are surfing using Google platforms and show you our personalized advertising.

Another prerequisite for the processing of your personal data in Google Customer Match is that you have a Google Account for which you have given Google permission to display personalized advertising. You can amend this setting to suit your preferences under the data protection tab in your Google user account.

The controller for the processing of personal data within the scope of Google Ads/Google Customer Match as defined in the GDPR is Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd is a subsidiary of Google LLC, which has its head office registered in California, USA, and is subject to the laws of that location, and may therefore also be obliged to provide access to data processed outside of the USA.

You can find further information about the processing of your personal data by Google in the Google Privacy Notice.

The legal basis for all processing of your data listed in the section “Personalized advertising communication” is provided by the consent you have given for this in accordance with Article 6(1)(a) GDPR.

This consent is given by you during the registration process or later in your Travel ID profile and can be managed by you at any time in your Travel ID profile.
You can also decide for yourself the extent to which you wish to receive information and individual offers from us by adjusting your communication settings. You may withdraw your consent to marketing communications for individual areas as well (such as for the email newsletter) in your Travel ID profile.

Data transfers between Travel ID operators

If you have a Travel ID profile and your Travel ID profile is not linked to a Miles & More member account, Lufthansa Group airlines will exchange your data with one another in order to offer you the services specified in the Travel ID Terms and conditions of use. Miles & More GmbH will only receive data from you that is required to manage your Travel ID profile (e.g. contact details, date of birth and your voluntarily stored profile data) and will not process this data for its own purposes.

If you have linked your Travel ID profile to your Miles & More member account, the Travel ID operators will exchange your data with one another in order to offer you the services specified in the Travel ID Terms and conditions of use. You can decide whether to create this link yourself. Data matching is performed between your Travel ID profile and your Miles & More account when you create the link. Specifically, the data you have stored in both accounts will be transferred as follows:

All master data (such as name, date of birth, postal address, telephone) and preferences (such as preferred departure airport) is automatically transferred from your Miles & More account. The email address will be taken from your Travel ID profile.

The legal basis for the transfer of your data is the performance of the contract in accordance with Article 6(1)(b) GDPR.

If you have given Miles & More GmbH your consent to receive personalized advertising communication (see the section “Personalized advertising communication”), Miles & More GmbH will also process your flight data (such as your route, travel class, departure airport, destination airport) for this purpose.

"Login" and "stay logged-in" feature

When you log into a website or another touchpoint of a Travel ID operator for the first time, you will be asked to enter your login details. In order to recognize you during your session, we use a “log-in” cookie. This cookie allows you to visit websites of other Travel ID operators without having to log in using your Travel ID credentials again.

You can also actively choose to enable a “stay logged-in” feature when logged into Travel ID operators’ websites, which means that you will not be required to log in again after ending your session and later re-visiting the website.

We also use cookies for this purpose so that when you return to the website/touchpoint you will be recognized automatically.

When the “stay logged-in” feature expires, you will be asked to log in again. In addition, you will always be prompted to log in again if you are in the process of carrying out activities which require an enhanced level of security.

The legal basis for processing your data is provided by your consent granted in accordance with Article 6(1)(a) GDPR.

Storage periods

We process your data to the extent and for as long as necessary for the processing purposes described in this Privacy Notice.

If the purpose for which your data was processed no longer applies, this data will be deleted, unless the retention thereof is required for the following purposes:

  • Fulfilment of statutory retention periods, which may result from obligations under commercial or tax law; these periods may be for up to ten years
  • Assertion, exercise or defense of legal claims

In these cases, the processing of your data is restricted (“blocked”) so that it can no longer be processed for other purposes.

Deleting your Travel ID profile

If you no longer wish to use the Travel ID services, you may delete your Travel ID profile at any time. The personal data collected in connection with your use of Travel ID will then be deleted immediately - subject to conflicting statutory retention requirements.

You can delete your Travel ID profile yourself as well as any specific items of data you have provided in your Travel ID profile by logging into your Travel ID profile and performing the deletion there.

We also delete your provisional Travel ID profile if you do not confirm your registration within the period stated in the confirmation email, or if you have had a confirmation email with an activation link sent to you more than three times and do not use it.

We also delete your profile after a specific period of inactivity (see the section “Notifications about your Travel ID profile”).

Your rights as the data subject

Your rights

As the data subject, you can exercise the following rights where the respective statutory conditions exist:

  • Right to information, Article 15 GDPR
  • Right to rectification, Article 16 GDPR
  • Right to erasure (“right to be forgotten”), Article 17 GDPR (see also section “Deleting your Travel ID profile” of this Travel ID Privacy Notice)
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right to object, Article 21 GDPR (see also the section “Right to object under Article 21 GDPR” of this Travel ID Privacy Notice)

Insofar as we process your data on the basis of consent, you have the right to withdraw this consent at any time without affecting the lawfulness of any processing performed on the basis of this consent before such consent is withdrawn.

To exercise your rights, you can contact the respective Travel ID operators listed in the section “Who can you contact?” of this Privacy Notice. In order to process your application and identify you, we will process your personal data in accordance with Article 6(1)(c) GDPR.

In your Travel ID profile, you can also check the current status of most of your master data yourself at any time. Please update your personal data immediately after any changes occur (for example, your postal address, email address or telephone number). To delete your Travel ID profile, you can also proceed as described in the section “Deleting your Travel ID profile”.

Furthermore, you have the right to lodge a complaint with a regulatory authority in accordance with Article 77 GDPR.

Regulatory authorities

You will find a list of all data protection authorities responsible for the Travel ID operators below.

The competent supervisory authority for Deutsche Lufthansa AG, EW Discover GmbH and Miles & More GmbH is:

Commissioner for Data Protection and Freedom of Information of the State of Hesse
PO Box 3163
65021 Wiesbaden
Germany

Tel: +49 - 611 - 14 08 - 0
Fax: +49 - 611 - 14 08 - 900 or - 901

Email: poststelle@datenschutz.hessen.de

The competent supervisory authority for Eurowings GmbH is:

Regional Officer for Data Protection and Freedom of Information
State of North Rhine-Westphalia
PO Box 20 04 44
40102 Dusseldorf
Germany

Tel.: +49 - 211 - 38 424 - 0
Fax: +49 - 211 - 38 424 - 999

Email: poststelle@ldi.nrw.de

The competent supervisory authority for Austrian Airlines AG is:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Austria

Tel: +43 - 52 152 - 0

Email: dsb@dsb.gv.at

The competent supervisory authority for Swiss International Air Lines AG is:

Federal Data Protection and Information Commissioner
Feldeggweg 1
3003 Bern
Switzerland

Telephone: +41 - 58 46 24 395
Fax: +41 - 58 46 59 996

For data processing that is subject to the GDPR:

Commissioner for Data Protection and Freedom of Information of the State of Hesse
PO Box 3163
65021 Wiesbaden
Germany

Tel: +49 - 611 1408 - 0
Fax: +49 - 611 - 14 08 - 900 or - 901

Email: poststelle@datenschutz.hessen.de

The competent supervisory authority for Brussels Airlines SA/NV is:

Autorité de protection des données
Gegevensbeschermingsautoriteit
Data Protection Authority
Rue de la presse 35, 1000 Brussels
Belgium

Tel: +32 - 2 - 27 44 800

Email: contact@apd-gba.be

Right to object under Article 21 GDPR

For reasons arising from your specific situation, you have the right to object at any time to the processing of your personal data based on Article 6(1)(f) GDPR.

In the event of an objection, we will no longer process the personal data that concerns you, unless we can prove that there are compelling and legitimate grounds for the processing that outweigh your interests, rights and freedoms, or if the processing is used to enforce, exercise or defend legal claims.

If the personal data concerning you is processed by us for the purpose of direct marketing and you object to this processing, the personal data concerning you will no longer be processed for these purposes.

You can object to the processing of your personal data at any time, for example via the contacts specified in the section “Who can you contact?”.

Data security

We use technical and organizational security measures to protect your data against accidental or deliberate manipulation, loss, deletion or access by unauthorized persons. Our security measures are being improved continuously as new technology develops.

Recipients of your data

In connection with the processing operations described in this Travel ID Privacy Notice, we may disclose your data to the following categories of recipients:

  • Service providers with whom we cooperate on the basis of a commissioned data processing agreement in accordance with Article 28(3) GDPR;
  • Governmental agencies and authorities, e.g. due to police and investigative activities

In such cases, personal data may be transferred worldwide to third countries or international organizations. For your protection and the protection of your personal data, appropriate security measures will be taken for such data transfers in accordance with the law.

If these transfers are made to a third country for which the EU Commission or competent authority has not issued an adequacy decision, we use standard EU contractual clauses. Information about standard EU contractual clauses is available on the European Union website.

In exceptional cases, transfer to countries without adequate protection may also be permissible, e.g. based on consent, in connection with legal proceedings or if the transfer is necessary for the execution of a contract.

Updating this Travel ID Data Protection Notice

We review this Travel ID Privacy Notice regularly and will update it as required. We will inform you if there are material changes to this Travel ID Privacy Notice (for example on our websites).