Data Protection Policy for the Miles & More website, app and communication media

“We” refers to Miles & More GmbH, Unterschweinstiege 8, 60549 Frankfurt am Main (“MMG”), as the body responsible for the processing of your personal data within the meaning of the General Data Protection Regulation of the European Union (“GDPR”) and the Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”).

Where the “operators” are referred to, this makes reference to MMG and Deutsche Lufthansa AG (“Lufthansa”), the operators and issuers of the Miles & More customer loyalty programme (“Miles & More”) for which they are jointly responsible as defined in Art. 26 GDPR. We are happy to make the principal contents of this Joint Controller Agreement available on request. Complete information relating to these companies can be found in their respective imprints at www.miles-and-more.com and www.lufthansa.com.

On our website and in our app, we make a variety of functionalities available to you, which require the processing of personal data. These functionalities can only be accessed, for example, by Miles & More members after logging in with their identification details (e.g. a Miles & More card number and PIN or User ID and password).

The following functionalities are available to you as a logged-in Miles & More member:

• Profile view and customisation 
• Award requests
• Use of platforms for redeeming and earning miles
• Receiving customised information and offers 
• Participation in surveys or lucky draws

Where the use of functionalities requires you to provide more personal data, this will be identified on our website or in our app. Mandatory information is specifically identified; if mandatory information is not provided, use of the particular functionality will not be possible.

The legal basis for this processing is point (b) of Art. 6(1) GDPR (performance of a contract or to take steps prior to entering into a contract), as well as point (a) of Art. 6(1) GDPR (consent) for the display of offers we have prepared for you as well as participation in surveys and lucky draws.

We may also offer you functionalities on our website and in our app which can be used without logging in, but which nonetheless require the processing of personal data. These functionalities may include, but are not limited to:

• Use of the contact form for sending us enquiries or comments

The legal basis for the processing of your data is point (b) of Art. 6(1) GDPR (performance of a contract or to take steps prior to entering into a contract).

You can use our website without actively providing personal data by registering or logging in to the Miles & More programme. Even in this case, we must process certain information in order to enable your access to our website. 

Our server automatically recognises the following data (known as log files):

• Domain name
• Date and time of your visit
• Your client file request (file name and URL)
• http response code
• Number of bytes transferred during the session
• IP address of your terminal
• Terminal properties, such as the operating system
• Website referrer (information about the website that you accessed immediately before visiting our website)
• Location data (without your consent, only the region)

This data is processed and retained for 90 days to check security incidents, to allow you to technically access the website, and to ensure its stability and security. The legal basis for this processing is point (f) sentence 1 of Art. 6(1) GDPR (legitimate interest – the company’s interest in technical stability of the website). 

Furthermore, your IP address will be processed in a pseudonymised form in order to protect our website from outside attack (e.g. hacker attack, botnet attacks, other attempted fraud). Your IP address will not be saved with your profile and we cannot trace it back to you personally (without considerable and disproportionate effort). The legal basis for this processing is point (f) sentence 1 of Art. 6(1) GDPR (balancing of interests – the company’s interest in system security).   

Furthermore, we use technology for the recognition of your terminal, such as cookies or local storage. Further information about this can be found under Point 3.3.

In order to use the functionalities described under Point 2.1, you can log on to our website with your Miles & More card number and PIN or with your User ID and password. In addition to the data described under Point 3.1, your master, status and programme data as well as other data after a login will be processed as described in this Data Protection Policy. 

We offer you the option to “remain logged in” to our website. When you select this functionality during the login process, a cookie saves an access token so that you do not have to log in to our website again on a renewed visit and so that we recognise you. We will only ask for your login data again for sensitive, security-relevant functions, such as redeeming miles. If you uncheck this selection or delete all the cookies in your browser settings, the cookie will be removed and you will have to log in again. For security reasons, we do not recommend using this functionality on computers or other devices accessible to the public.

To make our website as user-friendly as possible, we use what are known as cookies and similar tracking methods. You can find more detailed information about this under Cookies and similar technologies.

You can access our app as a guest. However, use of specific Miles & More functionalities is only possible after logging in with your access data.

The following data will be collected automatically upon use:

• Domain name
• Date and time of your visit
• Your client file request (file name and URL)
• http response code
• Number of bytes transferred during the session
• IP address of your terminal
• Terminal properties, such as the operating system
• Interapp referral link (information about the linked app that you called up immediately before visiting our app) 
• Location data (without your consent, only the region)

When you use the service as a guest, we evaluate this data exclusively in a pseudonymised form for statistical purposes, for example to determine how many visitors our app has had within a certain period. The legal basis for this processing is point (f) sentence 1 of Art. 6(1) GDPR (legitimate interest – the company’s interest in ongoing development of the website, app and offers).

You can use the full functionality of our app after entering the requested access data (Miles & More card number and PIN or User ID and password) or after registering for the Miles & More programme. Your access data is required to enable you to use the app’s functions. The legal basis for processing is point (b) of Art. 6(1) GDPR (performance of a contract or to take steps prior to entering into a contract).

Moreover, when the app is used, we may process the data mentioned under 4.1 for the purpose of data analysis. This data is processed in a pseudonymised form and is not saved with your profile. The legal basis for this processing is point (f) sentence 1 of Art. 6(1) GDPR (legitimate interest – the company’s interest in ongoing development of the website, app and offers). If you have given us your consent, we can merge the data with your profile data. The legal basis for this processing is point (a) of Art. 6(1) GDPR (consent).

If you give permission in the app for your location to be accessed, you are giving the app permission to access the location services of your mobile device. Your device’s location services use information from mobile, Wi-Fi and GPS networks and/or iBeacons in order to determine your approximate location.

Authorisation for your device’s location services to be accessed is required so that the app can offer you location-based functions, such as the display of offers near you. If you do not allow access, only a restricted display of location-based content will be possible.

Configuration on smartphones with the iOS operating system (Apple iPhone and iPad):
You can also switch the location function permissions on or off in the iOS settings at a later date. To do so, open the iOS “Settings” app and select the menu item “Privacy & Security” and the sub-heading “Location Services”. In the next menu, you will find all the apps that are installed on your device which have location-based functions. Select the Miles & More app here. In the next menu, you can select whether access to your location should always be allowed or switched off completely.

Configuration on smartphones with the Android operating system (various manufacturers such as Samsung, HTC, Sony and LG): You can change Android location function settings at any time, depending on the device and the version of the operating system. To do so, please go to the "Settings" app on your device. Tap “Security & location” and then “Location” (or just “Location”; in your work profile, tap “Location” and then “Advanced”). Tap “App-level permissions”. Search for the app you want. Deactivate the location authorisation for the app.

Our app will not make any use of the authorisation without your consent. Location services will only be accessed if you have given your explicit permission in the app. To this end, your permission will be requested by the app after you have registered or logged in. The app will only access location services if you answer the question with “Allow”.

The legal basis for this processing is point (a) of Art. 6(1) GDPR (consent).

We use certain analysis procedures both on our website and in our app. We explain the analysis procedures and integration below.

Our website, app and digital communication media use Adobe Analytics, a web analytics service of Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland (“Adobe Analytics”). 

Adobe Analytics uses cookies, especially from the 2o7.net and omtrdc.net domains belonging to Adobe. Adobe Analytics also uses web beacons (see also Point 3.3.1, last paragraph). A web beacon is a transparent graphic (usually 1 pixel x 1 pixel) that is placed on digital content and detects when such content is accessed by the visitor. Using a web beacon enables us to measure the activities of a visitor opening a website, app or communication medium with the web beacon.

With Adobe Analytics, your IP address is truncated, making it anonymous, and is only used in this anonymised form.

Information acquired by a cookie or web beacon will only be transferred to an Adobe data centre located in a Member State of the European Union or in other states which are party to the Agreement on the European Economic Area. Adobe uses this information solely on our behalf and only for the purposes set out above.

If you do not wish to allow the collection and usage of such information by Adobe Analytics using cookies, you can object to this here. When using our app, you can object to this collection by deactivating the button at the end of the privacy policy. A corresponding opt-out cookie which contains no tracking data is then installed on your device; this merely enables us to recognise your objection and not allow any more data sharing with the Adobe server for tracking purposes.

In addition, you can generally set up your internet browser to not accept any cookies and by doing so prevent data collection by Adobe Analytics. The same applies to the “do not track” function or the deactivation of graphics displays for the web beacon. Please make sure you are clear about the steps required to carry this out by reading the instructions for your own internet browser, as the relevant settings vary according to each browser supplier.

You can find more information about Adobe Analytics and data protection at Adobe at www.adobe.com/privacy.html.

On our website, we use what are known as “CAPTCHAs” from Google (“Google reCAPTCHA”). This is a function which determines whether a person (or in cases of fraud, a computer) has performed a specific operation. “CAPTCHA” stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”.

The Google security check makes use of the following information in particular:

• The IP address of your terminal
• Browser properties (e.g. browser type and browser version, screen resolution, language, time and date of access)
• Your Google account (if you are logged in)
• Your surfing behaviour on websites
• Your entry behaviour (e.g. the movement of your mouse on the reCAPTCHA surfaces)
• Where appropriate, tasks involving the identification of images

You can find more information about data protection at Google at https://policies.google.com/privacy?hl=en&gl=xx.

The legal basis for the processing described in Points 5.1 and 5.2 is point (f) sentence 1 of Art. 6(1) GDPR (legitimate interest – the company’s interest in the relevance and ongoing development of the website). If you have given your consent, we can merge your data with your master and programme data in a pseudonymised form. The legal basis for this processing is point (a) of Art. 6(1) GDPR (consent). The legal basis for this processing under Point 5.3 is point (f) sentence 1 of Art. 6(1) GDPR (legitimate interest – the company’s interest in system security/spam protection).

On our website and in our app we can integrate functionalities relating to social networks (such as Facebook or Twitter).

We currently use links to offers from Miles & More in social networks. Both our website and our app can be accessed and used without these links. If you use these additional functionalities, please be aware of the following policy about the treatment of personal data:

By linking our website to one of our offers in social networks, e.g. on our Facebook page, our YouTube channel or our Twitter account, this refers to simple links to the pages of current social networks. When you use these links, we do not share any personal information with the providers of these social networks. However, we wish to point out to you that these providers essentially have the possibility of recognising the provenance of a visit. We have no influence over the data processing of these providers. This Data Protection Policy does not extend to the offers of these providers. Further information can generally be found in the respective providers’ data protection policies.

Our website makes use of the Google Remarketing service. Google Remarketing is an online marketing program of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). We use the remarketing function within the Google Ads service. With the help of the remarketing function, we can present ads which are relevant to your interests to you on other websites/apps within the Google advertising network. Your surfing behaviour on our website is analysed to this end, e.g. which offers you have viewed. This enables us to continue to display personalised advertising to you even after you have visited our website, on the Google online search engine itself and on other websites/apps. Google stores a cookie in your browser for this purpose when you visit Google services or websites in the Google advertising network. This cookie is used to track your visits. The cookie is only used to ensure clear identification of your web browser and not to identify you personally. 

The use of this service is based on your consent pursuant to point (a) of Art. 6(1) GDPR and Section 25(1) of Germany’s Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz – TTDSG). You may revoke your consent at any time with effect for the future. You may give your consent using our Cookie Consent Manager, and you may also revoke it there at any time using the “Cookie Settings” link at the bottom of each page.

Google can use the data entered together with data that Google collects concerning you to personalise advertising in its own network. If you have a Google account, you may also object to personalised advertising using the following link: https://www.google.com/settings/ads/onweb/. You can find further information in Google’s privacy policy at: https://policies.google.com/technologies/ads?hl=en.

We would like to send you offers which are tailored to your interests. To do so, we define groups into which you may fall based on your usage behaviour. 

Using SHA-256 encryption, which is recommended by the German Federal Office for Information Security as being "cryptographically strong", we generate an attribute based on your email address. We forward this list of encrypted attributes to Google.  

Using Google Customer Match, Google then compares the encrypted attributes we have provided with the attributes that Google creates from its own Google account customers using the same encryption method. Matches are then added by Google to a list of what are referred to as audiences. As soon as this process is completed (max. 48 hours), the encrypted data is deleted. If you belong to such an audience, Google can then identify you when you are surfing using Google platforms and show you our personalised advertising. 

The use of this service is based on your consent pursuant to point (a) of Art. 6(1) GDPR and Section 25(1) of Germany’s Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz – TTDSG). You may revoke your consent at any time with effect for the future. You may give your consent using our Cookie Consent Manager, and you may also revoke it there at any time using the “Cookie Settings” link at the bottom of each page.

Another prerequisite for the processing of your personal data in Google Customer Match is that you have a Google account in which you have given Google permission to display personalised advertising. You can amend this setting to suit your preferences under the data protection tab in your Google user account. 

Google can use the data entered together with data that Google collects concerning you to personalise advertising in its own network. If you have a Google account, you may also object to personalised advertising using the following link: https://www.google.com/settings/ads/onweb/. You can find further information in Google’s privacy policy at: https://policies.google.com/technologies/ads?hl=en.

Google may also use the data concerning your user behaviour collected through our website for its own purposes or for those of other Google customers (e.g. to display personalised third-party advertising).

In these instances, Google Ireland Limited is the sole data controller responsible for this type of processing of your data as well as processing of the data after we have transferred it to Google. 

Google Ireland Ltd is a subsidiary of Google LLC, which has its head office registered in California, USA, and is subject to the laws of that location, and may therefore also be obliged to provide access to data processed outside of the USA. Google Ireland Ltd may also use Google LLC as a service provider, and also transfer data to the USA in this context.

In relation to the USA, the European Court of Justice has determined that the level of data protection there does not match the level within the EU. In particular, there is a possibility that US security agencies may gain access to your data, without there being an adequate legal remedy available to you.

On our website and in our app, we can integrate functionalities relating to social networks (such as Facebook or Twitter).

We currently only use links to Miles & More offers in social networks. Both our website and our app can be accessed and used without these links. If you use these additional functionalities, please be aware of the following information regarding how your personal data is handled:

When our website is linked to one of our offers in social networks, e.g. to our Facebook page, our YouTube channel or our Twitter account, these are simple links to the pages of the social network in question. When you use these links, we do not share any personal data with the providers of these social networks. Please note, however, that these providers are generally able to identify at least the provenance of a visit. We have no influence over the data processing of these providers. This Data Protection Policy does not extend to the offers of these providers. Further information can generally be found in the respective providers’ data protection policies.

You can reach third-party websites which are not operated by us via links on our website. For example, these may include the websites of partner companies where you can earn miles, or where special offers are made available for Miles & More members. We have no influence over the processing of your personal data on such third-party websites; this is handled by the relevant website provider. Please therefore read the terms of use and the privacy information on these websites for more detailed information concerning the processing of personal data on these websites.

We process your data for as long as it is required to fulfil our contractual and statutory obligations. If the purpose for which your data was processed no longer applies, this data will be deleted, unless the retention thereof is required for the following purposes:

• To fulfil retention periods under commercial and tax law, such as those arising from the German Commercial Code (Handelsgesetzbuch – HGB) or the German Fiscal Code (Abgabenordnung – AO); these periods can be up to ten years
• To retain evidence as part of the provisions on limitation periods. Under Section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods can be up to 30 years, whereas the standard limitation period is three years

To be able to offer you our services, we use service providers such as service centres, web hosts and other IT service providers as processors in accordance with Art. 28 GDPR. These service providers were carefully selected and work exclusively in accordance with our instructions. They provide sufficient guarantees of compliance with their obligations under data protection law.

We also receive data from other third parties as part of commissioned processing insofar as such third parties have commissioned us with data processing. This is the case, for example, when processing customer service enquiries for programme partners.
Insofar as personal data is transferred to third countries, appropriate safeguards are provided for the protection of your personal data in accordance with the legal requirements (in particular the EU’s adequacy decision, application of the EU’s standard contractual clauses; information on the EU’s standard contractual clauses can be found on the websites of the European Union) pursuant to Art. 45, 46 GDPR.

The legal bases for the transfer of data to processors are the legal bases stipulated in Section 3 of this Data Protection Policy, in conjunction with Art. 26 GDPR.
Furthermore, we are legally obliged in certain cases to make personal data available to German and international authorities pursuant to point (c) of Art. 6(1) GDPR (legal obligation).

As a data subject, you can exercise the following rights where the respective statutory requirement is met:

• Right of access, Art. 15 GDPR
• Right to rectification, Art. 16 GDPR
• Right to erasure (“right to be forgotten”), Art. 17 GDPR
• Right to restriction of processing, Art. 18 GDPR
• Right to data portability, Art. 20 GDPR
• Right to object, Art. 21 GDPR

You may use our contact form to exercise your right. Please note that we will use your personal data in accordance with point (c) of Art. 6(1) GDPR in order to process your application and identify you.

You can also check the current status of most of your master data yourself at any time in your customer profile on our website. Please update your personal data immediately after any changes occur (for example your postal address, email address or telephone number).

You also have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR in conjunction with Section 19 BDSG.

The competent supervisory authority for MMG and Lufthansa is:

The Data Protection Commissioner of Hesse
Postfach 3163
65021 Wiesbaden

Gustav-Stresemann-Ring 1
65189 Wiesbaden

Tel.: +49 - 6 11 - 14 080
Fax: +49 - 6 11 - 14 08 900 or 14 08 901
Email: poststelle@datenschutz.hessen.de

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR.

We will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of the personal data concerning you for such marketing.

If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

You can object to the processing of your personal data at any time, for example by using our contact form as described in Section 10 of the Data Protection Policy.

When processing your data, we use technical and organisational security measures to protect your data against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons. Our security measures are continuously improved in line with technological progress.
We store your personal data on servers in Germany, in a European Union Member State or in states which are party to the Agreement on the European Economic Area.

We review this Data Protection Policy regularly and update it as necessary. Where there are significant changes made to this Data Protection Policy, we will notify you (for example on our website or in our app).