In this Data Protection Policy, we will explain which personal data is collected when you visit and use this website, and how it is processed.
1. Controllers under data protection law
2. General purpose of data processing
3. Data processing when accessing our website
4. Tracking tools for website analysis
4.1 Website analysis with Google Analytics
4.2 Google Tag Manager
4.3 Google reCAPTCHA
5. Social networks
6. Referrals to and data collection on third-party websites
7. Duration of storage
8. Recipient
9. Your rights as a data subject
9.1 Your rights
9.2 Competent supervisory authority
10. Right to object under Art. 21 GDPR
11. Data security
12. Updating
13. Data protection officer
1. Controllers under data protection law
“We” refers to Miles & More GmbH, Unterschweinstiege 8, D-60549 Frankfurt am Main, Germany (“MMG”), as the body responsible for the processing of your personal data within the meaning of the General Data Protection Regulation of the European Union (“GDPR”) and the Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”).
2. General purpose of data processing
We use personal data to ensure that a smooth connection to the website is created, to ensure that our website is user-friendly, to analyse system security and stability and for other administrative purposes. The legal basis for data processing is Art. 6(1)(1)(f) GDPR. Our legitimate interest derives from the above-mentioned data collection purposes. Under no circumstances will we use your personal data to draw conclusions about you personally. It is also possible that we may need your consent in accordance with Art. 6(1)(a) GDPR. In these instances, we will not activate the associated tools until we have received your consent. It is therefore possible that you may not be able to use all of the functions of this website without such consent. Finally, it is also possible that we may process your data for the purposes of initiating or executing a contract, in accordance with Art. 6(1)(b) GDPR. This is the case when you contact us by email or submit an application to us. The general purpose of this processing is to respond to your request. You can find more detailed information on the processing of your personal data in this Data Protection Policy.
3. Data processing when accessing our website
Our server automatically recognises the following data (known as log files):
- Domain name
- Date and time of your visit
- Your client file request (file name and URL)
- http response code
- Number of bytes transferred during the session
- IP address of your terminal
- Terminal properties such as the operating system
- Website referrer (information about the website that you accessed immediately before visiting our website)
- Location data (region only if no consent given)
This data will be processed and retained for 90 days to check security incidents, to allow you to technically access the website and to ensure its stability and security. The legal basis for this processing is Art. 6(1)(1)(f) GDPR (legitimate interest – the company’s interest in the technical stability of the website).
Furthermore, your IP address will be processed in an anonymised form in order to protect our website from outside attack (e.g. hacker attacks, botnet attacks and other forms of attempted fraud). Your IP address cannot (without significant and disproportionate effort) be used by us to trace you personally. The legal basis for this processing is Art. 6(1)(1)(f) GDPR (balancing of interests – the company’s interest in system security).
Cookies and similar technologies
To make our website as user-friendly as possible, we use what are known as cookies as well as other similar tracking methods.
The cookie stores information that is generated in connection with the specific terminal device being used. However, this does not mean that we receive direct knowledge of your identity.
The use of cookies serves to make our offering easier for you to use. To this end, we use what are known as session cookies in order to identify that you have already visited specific pages on our website. These are automatically deleted when you leave our website.
In addition, we use temporary cookies to optimise user-friendliness. These are stored on your terminal device for a certain specified period. The next time you visit our website to utilise our services, it will automatically recognise that you have been here before and remember the inputs and settings you made so that you don’t have to enter them again.
We use these cookies to statistically document website usage and to analyse it in order to optimise our offering for you. On return visits, they enable us to automatically recognise that you have been here before. These cookies are automatically deleted after three months.
The data processed using cookies is required for the above-mentioned purposes to protect our legitimate interests and those of third parties in accordance with Art. 6(1)(f) GDPR.
Your browser will automatically accept our cookies. You can, however, configure your browser to not store any cookies on your computer or to always show a notification before creating a new cookie. However, deactivating cookie storage may mean that you are not able to use all of the functions of our website.
You can find more detailed information about the cookies we use in our Cookie Manager, which you can open at any time by clicking on “Cookie settings” in the website footer. This allows you to independently change or review your settings at any time.
4. Tracking tools for website analysis
4.1 Website analysis with Google Analytics
This website uses functions of the Google Analytics web analysis service. The provider is Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. Google Analytics uses what are known as cookies (see section 5). The information generated by the cookie about your usage of this website, including browser type/version, operating system, referrer URL (the page you were on before), hostname of the accessing computer (IP address) and time of the server request, is generally transferred to and stored on a Google server in the USA. Prior to this transfer, however, your IP address will be shortened by Google if you are in a European Union member state or another state that is party to the Agreement on the European Economic Area. Only in exceptional circumstances will the complete IP address be transferred to a Google server in the USA and shortened there. Google will use this information to evaluate your usage of the website in order to compile reports about website activity and to provide the website operator with additional services in relation to website activity and internet usage. The IP address transferred by your browser in the context of Google Analytics will not be combined with other Google data.
You can prevent cookies from being used by activating a corresponding setting in your browser software; please note, however, that you may then not be able to use the full functionality of this website. Furthermore, you can prevent cookie-generated data relating to your use of this website (including your IP address) from being captured and processed by Google by downloading and installing the browser plug-in available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=de
Please note that this website uses the “anonymizelp” extension to Google Analytics in order to anonymise the IP addresses it collects.
You can find additional information on data privacy in connection with Google Analytics in the Google Analytics help at
https://support.google.com/analytics?source=404#topic=3544906
4.2 Google Tag Manager
We use Google Tag Manager on our website. This is also provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The service provider will be referred to below as “Google”.
Using Google Tag Manager, we can take sections of code from different tracking tools used on our website and integrate and manage them in one place (we exclusively use Google Analytics, see Website analysis with Google Analytics for more information). We thus use Google Tag Manager to advertise our offering in a more targeted way, and to organise and manage it more effectively.
The legal basis for this processing is your consent in accordance with Art. 6(1)(a) GDPR. We do not use Google Tag Manager until we have received your consent via the cookie banner.
Unless expressly stated, we only store personal data for as long as is required to achieve the objectives pursued.
Please also note that Google is a supplier from a third country within the meaning of Art. 6(1)(f) GDPR. 44 ff. GDPR. This means that Google comes from a country outside the European Union and/or the European Economic Area. It is therefore possible that your personal data may be processed in the USA. Your personal data will only be accessible by Google, we have no influence over its processing.
You can find further information on the use of your personal data and details of options for preventing data use under the following link:
https://adssettings.google.com/authenticated
https://policies.google.com/privacy
4.3 Google reCAPTCHA
On our website, we use a “captcha” service provided by Google (“Google reCAPTCHA”). This is a function which determines whether a specific operation is performed by a person or, improperly, a computer. “Captcha” stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”.
This Google security check makes use of the following information in particular:
- The IP address of your terminal
- Browser properties (e.g. browser type and browser version, screen resolution, language, time and date of access)
- Your Google account (if you are logged in)
- Your browsing activity on websites
- Your input activity (e.g. the movement of your mouse on reCAPTCHA fields)
- Where appropriate, data from image-identification tasks
You can find more information about Google’s data protection policies at https://policies.google.com/privacy?hl=de&gl=xx.
The legal basis for this processing is Art. 6(1)(1)(f) GDPR (legitimate interest – company interest in the security of the system/spam protection).
5. Social networks
On our website and in our app, we can integrate functionalities relating to social networks (such as Facebook or Twitter).
We currently only provide links to the social media channels of Miles & More. Both our website and our app can be accessed and used without these links. If you use these additional functionalities, please be aware of the following information regarding how your personal data is handled:
When our website links to one of our social media channels, e.g. to our Facebook page, YouTube channel or Twitter account, these are simple links to the pages of the social network in question. When you use these links, we do not share any personal data with the providers of these social networks. Please note, however, that providers are at least generally able to identify the referral source when such links are used. We have no influence over the data processing of these providers. This Data Protection Policy does not cover these providers’ networks. Further information can generally be found in the respective providers’ data protection policies.
6. Referrals to and data collection on third-party websites
Links on our website allow you to access third-party websites which are not operated by us. These can include partner company websites where you can earn miles or access special offers for Miles & More members. We have no influence over the processing of your personal data on such third-party websites; this is handled by the relevant website provider. Please therefore read the terms of use and the privacy information on these websites for more detailed information concerning the processing of personal data on these websites.
7. Duration of storage
We process your data for as long as is required to fulfil our contractual and statutory obligations. If the purpose for which your data was processed no longer applies, this data will be deleted, unless the retention thereof is required for the following purposes:
To fulfil retention periods under commercial and tax law, such as those arising from the German Commercial Code (Handelsgesetzbuch – HGB) or the German Fiscal Code (Abgabenordnung – AO); these periods can be up to ten years.
To retain evidence as part of the provisions on limitation periods. Under Section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods can be up to 30 years, with the standard limitation period being three years.
In these cases, your data is blocked so that it can no longer be processed for other purposes.
8. Recipient
To be able to offer you our services, we use service providers such as service centres, web hosts and other IT service providers as processors in accordance with Art. 28 GDPR. These service providers have been carefully selected, and they only act in accordance with our instructions. They provide sufficient guarantees that they will comply with their obligations under data protection law.
Insofar as personal data is transferred to third countries, appropriate safeguards are provided for the protection of your personal data in accordance with the legal requirements pursuant to Art. 45, 46 GDPR (in particular the EU’s adequacy decision and application of the EU’s standard contractual clauses; information on these standard contractual clauses can be found on the websites of the European Union).
The legal bases for the transfer of data to processors are the legal bases stipulated in Section 3 of this Data Protection Policy, in conjunction with Art. 28 GDPR.
Furthermore, we are legally obliged in certain cases to make personal data available to German and international authorities pursuant to Art. 6(1)(1)(c) GDPR (legal obligation).
9. Your rights as a data subject
9.1 Your rights
As the data subject, you can exercise the following rights where the respective statutory conditions exist:
Right of access, Art. 15 GDPR
Right to rectification, Art. 16 GDPR
Right to erasure (“right to be forgotten”), Art. 17 GDPR
Right of restriction of processing, Art. 18 GDPR
Right of data portability, Art. 20 GDPR
Right to object, Art. 21 GDPR
You can use our contact form to exercise these rights.
You also have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR in conjunction with Section 19 BDSG.
9.2 Competent supervisory authority
The competent supervisory authority for MMG and Lufthansa is:
The Data Protection Commissioner of Hesse
Postfach 3163
D-65021 Wiesbaden
Gustav-Stresemann-Ring 1
D-65189 Wiesbaden
Tel.: +49 – 6 11 – 14 080
Fax: +49 – 6 11 – 14 08 900 or +49 – 6 11 – 14 08 901
Email: poststelle@datenschutz.hessen.de
10. Right to object under Art. 21 GDPR
You have the right to object at any time, on grounds pertaining to your particular situation, to any processing of personal data relating to you which is based on Art. 6(1)(e) or (f) GDPR.
We will then no longer process any personal data relating to you unless we can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
If personal data relating to you is processed for direct marketing purposes, you have the right to object at any time to such processing.
If you object to the processing of personal data relating to you for direct marketing purposes, this data shall no longer be processed for such purposes.
Directive 2002/58/EC notwithstanding, you have the option of exercising your right to object in connection with the use of information society services via an automated procedure using technical specifications.
You can object to the processing of your personal data at any time, for example by using our contact form as described in Section 10 of this Data Protection Policy.
11. Data security
We use technical and organisational security measures to protect data relating to you that is processed by us against accidental or deliberate manipulation, loss, deletion or access by unauthorised persons. Our security measures are continuously being improved as new technology develops.
We store your personal data on servers in Germany, in another European Union member state or in another state that is party to the Agreement on the European Economic Area.
12. Updating
We review this Data Protection Policy regularly and will update it as necessary. We will inform you if there are significant changes to this Data Protection Policy (for example on our website).
13. Data protection officer
The Lufthansa Group data protection officer is also the data protection officer for Miles & More GmbH. If you have any questions concerning data protection at Miles & More, please contact the Lufthansa Group data protection officer (e.g. by post at Deutsche Lufthansa AG, Group Data Protection Officer, FRA CJ/D, Lufthansa Aviation Center, Airportring, D-60546 Frankfurt am Main, Germany or by email at datenschutz@dlh.de).