Travel ID Privacy Policy

The operators of Travel ID are Austrian Airlines AG, Brussels Airlines SA/NV, Deutsche Lufthansa AG, Eurowings GmbH, EW Discover GmbH and Swiss International Air Lines AG as the “Lufthansa Group airlines”, as well as Miles & More GmbH.
 

Unless otherwise stated in this Privacy Policy, “we” or “us” or “Travel ID operators” refers to the Lufthansa Group airlines and Miles & More GmbH as joint controllers (“Joint Controllers”) for processing your personal data as defined in Article 26 GDPR.
 

More information and contact addresses for the Lufthansa Group airlines and Miles & More GmbH can be found in the respective privacy policies of the Travel ID operators.

If you have any privacy-related questions in connection with Travel ID, please contact the following offices:

The data protection officer of Deutsche Lufthansa AG, Miles & More GmbH, Eurowings GmbH and EW Discover GmbH:

Deutsche Lufthansa AG

Data Protection Officer
FRA CJ/D
Lufthansa Aviation Centre
Airportring
60546 Frankfurt/Main
Germany

Data protection officer of Austrian Airlines AG:

Austrian Airlines AG
Legal Office – Data Protection
Office Park 2
PO Box 100
1300 Vienna Airport
Austria

Data protection officer of Swiss International Air Lines AG:

Swiss International Air Lines AG
ZRH S/CJ
PO box
8058 Zurich Airport
Switzerland

Data Protection Officer of Brussels Airlines SA/NV:

Brussels Airlines
Data Protection Officer
Airport Bld. 26, General Aviation - Ringbaan
1831 Machelen
Belgium

When you register for Travel ID, we ask for your email address, your title, your first and last names, your date of birth and a password as mandatory information. Your country and preferred language settings will be automatically transferred, as far as technically possible, using the country and language settings you entered on the respective websites or other contact points of the Travel ID operators. This information is required in order to create a Travel ID profile and to use the services described in detail in the Travel ID Terms and Conditions of Use. You are free to add further information to your Travel ID profile on a voluntary basis. For example, these may include your address, mobile phone number, payment data or your flight preferences (such as preferred departure airport).
 

The legal basis for processing your data is fulfilment of the contract in accordance with Art. 6(1)(b) EU-GDPR.
 

You also have the option to save additional personal data in your Travel ID on the basis of your consent. You can find details in the relevant sections of this Privacy Policy.

If necessary to fulfil the contract, we will send you messages about status changes in your Travel ID profile. This includes, among other things, expiry of the validity of your travel documents, payment methods or password uploaded via your Travel ID profile.
 

If you have not logged into your Travel ID profile for three years, we will ask you to log in again. If we do not see any activity in your Travel ID profile within another six months, we will delete it (see paragraph “Deletion of your Travel ID profile”).
 

The legal basis for processing your data is fulfilment of the contract in accordance with Art. 6(1)(b) EU-GDPR.

We want to make it easier and quicker for you to find and use the information that is relevant to you when you visit our websites or use our mobile apps and other contact points on the ground or on board our aircraft. You therefore have the option of logging in with your Travel ID to have a more personalised experience and receive information that matches your current flight booking, for example.
 

If you do not wish to use the login service, you are of course free to use the websites/contact points without logging in. In this case, the respective content will be displayed to you in a non-personalised manner.
 

The legal basis for processing your data is the performance of a contract in accordance with Art. 6(1)(b) EU GDPR.

We use the data you enter in your Travel ID profile to make the booking process easier for you through pre-populated forms. This can be data you actively provided during registration or added at some later point, or data you gave as part of a previous booking in relation to your Travel ID and which we automatically take into account for another booking. We also use your data given during your booking to provide you with pre-populated forms for online check-in and at self-service check-in machines, for example. If you fill out other forms, such as during your participation in a lucky draw or when you send customer feedback using one of our electronic feedback forms on the website, the necessary contact details required are also pre-populated from your Travel ID profile.
 

The legal basis for processing your data is fulfilment of the contract in accordance with Art. 6(1)(b) EU-GDPR.

For a summary of bookings made with Travel ID operators, any bookings made since registering your Travel ID will be displayed in your Travel ID profile. If you switch from a Lufthansa Group airline profile to a Travel ID profile, any bookings from your previous customer profile will also be displayed in your Travel ID profile.
 

Things like flight statistics are also created and displayed in your bookings summary. Bookings made while logged in will be automatically stored in your Travel ID profile. Any bookings added to your Travel ID profile will be checked for completeness, and further information will be added from your Travel ID profile, as required. No data will be overwritten without your consent.

Your Travel ID profile shows your bookings for the last ten years.
 

The legal basis for processing your data is the performance of a contract in accordance with Art. 6(1)(b) EU GDPR.

We use the data you stored in your Travel ID profile to be able to offer you personalised services. We process the data you stored in your Travel ID profile during registration or at a later date, as well as the data we recorded, for example for flight bookings made via Travel ID. This includes flight delays or cancellations, as well as any problems with your baggage. We also process your data from enquiries to our Service Centre and other interactions, for example with the crew on board our aircraft.
 

The processing of such data helps us to improve our complaints management system and offer you a personalised service as a Travel ID customer at all our contact points. Any enquiries made to our Service Centres can be viewed and managed in your Travel ID profile.
 

The legal basis for processing your data is the performance of a contract in accordance with Art. 6(1)(b) EU GDPR.

If we were repeatedly unable to offer you the promised service, we may wish to contact you electronically or by post, or by having our staff contact you in person. For this purpose, we use data on irregularities and customer concerns, as well as the number and severity of the incidents.
 

The legal basis for processing your data is our justified interest in accordance with Art. 6(1)(f) EU-GDPR.

If you belong to one or more customer groups (e.g. students), you can have your group membership verified and store confirmation of such membership in your Travel ID profile. If you then book a trip while logged in, for example, we can use the customer group status stored in your Travel ID profile to check whether you are entitled to claim specific customer group benefits.

The legal basis for processing your data is the consent granted by you in accordance with Art. 6(1)(a) EU GDPR.

You have the right to withdraw your consent to the storage of your customer group confirmation at any time, without affecting the lawfulness of any processing performed on the basis of this consent and before such consent was withdrawn. You can do this by deleting the confirmation(s) in your Travel ID profile under “Customer groups”.

Your entitlement to special conditions and reductions will be automatically deleted when they are no longer valid.

You have the option to save your preferred payment methods in your Travel ID profile. You can add these at any time to your Travel ID profile. You also have the option to decide during booking if you would like to save the payment method you entered for the booking in your Travel ID to pay for future purchases.

If you saved a payment method in your Travel ID and you make a booking while logged into your Travel ID profile, we will pre-populate your preferred payment methods or offer you a choice of payment methods.
 

You have the option to edit or delete your payment methods at any time.

The legal basis for processing your data is provided by the consent granted by you in accordance with Art. 6(1)(a) EU-GDPR.

You have the right to withdraw your consent to save your payment methods at any time, without affecting the lawfulness of any processing performed on the basis of this consent and before such consent was withdrawn. You can do this by deleting your payment methods in your Travel ID profile under “Payment Methods”.

If you have booked a flight, the Lufthansa Group airlines would like to contact you about possible additional services related to your flight. These additional services can be flight-related services of the Lufthansa Group airlines, such as premium meals or upgrades, but also additional services of partner companies of the Lufthansa Group airlines, such as rental cars or insurance (information on partner companies of the Lufthansa Group airlines, i.e., Austrian Airlines, Brussels Airlines, Eurowings, Discover Airlines, Lufthansa, Swiss International Air Lines). To do this we will process data about you that is stored in your Travel ID profile and at Lufthansa Group airlines (such as flight data, preferences).
 

The legal basis for processing your data is provided by the consent granted by you in accordance with Art. 6(1)(a) EU-GDPR.
 

You issue this consent during the registration process or later in your Travel ID profile, and this can be managed by you at any time in your Travel ID profile.

You have the option, as described in the paragraph "Settings for personalising our offers" in this Privacy Policy, to grant your consent to the determination of your main areas of interest, and based on this, to send information and personalised offers on the services of the Lufthansa Group airlines and their respective partner companies (information on partner companies of the Lufthansa Group airlines, i.e., Austrian Airlines, Brussels Airlines, Eurowings, Discover Airlines, Lufthansa, Swiss International Air Lines) via digital communication channels (e.g., by email, SMS/MMS, Messenger services, search engines, videos, banners), by telephone or on the websites of LHG airlines.
 

In addition, you can give Miles & More GmbH consent to send you offers relating to your possible membership in the Miles & More programme if you are not yet a member of the Miles & More programme.
 

Since we only want to provide you with information and offers that really interest you, with your consent, we thus process the booking information stored with the Lufthansa Group airlines, such as travel route, travel period and booking class, as well as preferences stored in your Travel ID profile. For example, by analysing information regarding your forthcoming trip, we may send you special offers or vouchers for additional services for your trip or for services available at your travel destination.

One way to provide you with personalised information and offers tailored to you is to identify you on websites of partners or advertisers.
 

To do this, we transfer the email address and/or phone number saved in your Travel ID profile, which is encrypted with the SHA 256 algorithm that is recommended by the German Federal Security Office as “cryptographically strong”, to what is known as a “Data Clean Room”. A Data Clean Room is a secure environment isolated from external technical influences for processing personal data. It aims to facilitate the exchange of data between advertising companies, in this case the Travel ID operators, and partners or providers of advertising spaces, while protecting the privacy of the respective customers as much as possible. For this purpose, the partners or advertising companies also supply data of their customers to the Data Clean Room using the same encryption method. As part of a data comparison, hits (data matches) are sent to so-called audiences (person groups), which in turn can be analysed by the Travel ID operators and addressed for advertising purposes. Access to the data we provide to a Data Clean Room is only granted by us to selected partners and advertising space providers, and after the conclusion of corresponding data processing contracts.
 

Depending on technological development and marketer support technology, we ensure that stronger and more secure encryptions and/or extensions are used.

If there is a CRM Datamatch with Google Customer Match, we transmit encrypted data to a Data Clean Room operated by Google in accordance with the procedures described in the paragraph “Individualised advertising through customer data comparison (CRM Datamatch)”. In this Data Clean Room, Google compares the data we provide with those of Google Account customers which are encrypted using the same SHA 256 hash algorithm. Matches are summarised by Google in a list of what are referred to as “audiences”. As soon as this process is completed (max. 48 hours), the encrypted data is deleted. If you belong to such an audience, Google can identify you when you are surfing using Google platforms and show you our personalised advertising.
 

A prerequisite for processing your personal data in Google Customer Match is that you possess a Google account, where you have given Google permission to display personalised advertising. You can change this setting to suit your preferences under the privacy tab in your Google user account.
 

The controller for processing personal data within the framework of Google Ads/Google Customer Match and within the meaning of the EU GDPR is Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd is a subsidiary of Google LLC, which has its head office registered in California, USA, and is subject to the laws of that location, and may therefore may also have to grant access to data processed outside of the USA.
 

You can find further information about processing your personal data by Google in the Google Privacy Policy.

The legal basis for all processing of your data listed under the paragraph "Individualised Advertising Communication" is provided by the consent granted by you in accordance with Art. 6(1)(a) EU-GDPR.
 

You issue this consent during the registration process or later in your Travel ID profile, and this can be managed by you at any time in your Travel ID profile.
 

You can decide for yourself the extent to which you wish to receive information and individual offers from us by adjusting your communication settings. You may withdraw your consent to marketing communications also for individual areas (such as for the email newsletter only) in your Travel ID profile.

If you have a Travel ID profile and your Travel ID profile is not linked to a Miles & More member account, the Lufthansa Group airlines will exchange your data among each other in order to offer you the services specified in the Travel ID Terms and Conditions of Use. Miles & More GmbH will only receive data from you that is required to manage your Travel ID profile (e.g., contact details, date of birth and your voluntarily stored profile data) and will not process this data for its own purposes.
 

If you have linked your Travel ID profile to your Miles & More member account, the Travel ID operators will exchange your data among each other in order to offer you the services specified in the Travel ID Terms and Conditions of Use. You decide for yourself whether to make the connection. If you make such a connection, data synchronisation is performed between your Travel ID profile and your Miles & More account. In detail, the data filed by you in both accounts is carried over as follows:
 

All master data (such as name, date of birth, postal address, telephone) and preferences (such as preferred departure airport) are automatically transferred from your Miles & More account. The email address will be taken from your Travel ID profile.
 

The legal basis for the transfer of your data is fulfilment of the contract in accordance with Art. 6(1)(b) EU-GDPR.
 

If you have given Miles & More GmbH your consent to individual advertising communication (see paragraph “Individualised Advertising Communication”), Miles &More GmbH will also process your flight data (such as your route, travel class, departure airport, destination airport) for this purpose.

Your customer group status is verified by SheerID, Inc., our data processor based in the USA. Data is transferred based on the EU-US Data Privacy Framework under which SheerID, Inc. is certified with the U.S. Department of Commerce.

Furthermore, your personal data is always processed within the EU.

When you log in to a website or other contact point of a Travel ID operator for the first time, you will be prompted to enter your access details. In order to recognise you during your session, we set a "log-in" cookie. This cookie allows you to be logged in automatically when visiting websites of other Travel ID operators without having to enter your login credentials again.
 

You also have the option of actively selecting a “stay logged-in” feature on the websites of the Travel ID operators where you have already logged in, so that after finishing your session, you will not be required to log in again when re-visiting the website.
 

For this purpose, we also use a cookie that automatically recognises you when you visit the website/touch point again.
 

When the “stay logged-in” feature expires, you will be asked to log in again. In addition, you will always be prompted to log in again if you are in the process of carrying out activities which require an enhanced level of security.
 

The legal basis for processing your data is provided by the consent granted by you in accordance with Art. 6(1)(a) EU-GDPR.

We process your data to the extent and as long as necessary for the processing purposes described in this Privacy Policy.
 

If the purpose for which your data was processed no longer applies, this data will be deleted, unless its retention is required for the following purposes:

• fulfilment of statutory retention periods, which may result from obligations under commercial or tax law; these periods may amount to up to ten years
• enforcement, exercise or defence of legal claims

In these cases, processing your data will be restricted (“blocked”) so that it can no longer be processed for other purposes.

If you no longer wish to use the Travel ID services, you may delete your Travel ID profile at any time. The personal data collected in connection with your use of Travel ID will then be deleted immediately, subject to conflicting statutory retention requirements and obligations.
 

You can delete your Travel ID profile and any specific items of data you have provided in your Travel ID profile yourself by logging into your Travel ID profile and deleting it there.
 

We also delete your provisional Travel ID profile if you do not confirm your registration within the period stated in the confirmation email, or if you have had a confirmation email with an activation link sent to you more than three times without using it.
 

We also delete your profile after a specified period of inactivity (see paragraph “Notifications to your Travel ID profile”).

We process your data to the extent and for as long as necessary for the processing purposes described in this Data Protection Notice.

If the purpose for which your data was processed no longer applies, this data will be deleted, unless the retention thereof is required for the following purposes:

• Fulfilment of statutory retention periods, which may result from obligations under commercial or tax law; these periods may last up to ten years
• Assertion, exercise or defence of legal claims

In these cases, the processing of your data is restricted (“blocked”) so that it can no longer be processed for other purposes.

As the data subject, you can exercise the following rights where the respective statutory conditions exist:

• right of access, Art. 15 GDPR
• right to rectification, Art. 16 GDPR
• right to deletion (“right to be forgotten”, Art. 17 GDPR (see also paragraph “Deletion of your Travel ID profile” of this Travel ID Privacy Policy)
• right of restriction of processing, Art. 18 GDPR
• right of data portability, Art. 20 GDPR
• right to object, Art 21 GDPR (see also paragraph “Right to Object pursuant to Art. 21 GDPR” of this Travel ID Privacy Policy)

Insofar as we process your data on the basis of consent, you have the right to withdraw this consent at any time without affecting the lawfulness of any processing performed on the basis of this consent before such consent was withdrawn.
 

To exercise your rights, you can contact the respective Travel ID operators from the “Who Can You Contact” section of this Privacy Policy. In order to process your application and identify you, we will process your personal data in accordance with Article 6(1)(c) GDPR.
 

In your Travel ID profile, you can also check the current status of most of your master data yourself at any time. Please update your personal data immediately after any changes occur (for example your postal address, email address or telephone number). To delete your Travel ID profile, you can also proceed as described in the paragraph “Deletion of your Travel ID profile”.
 

You also have the right to lodge a complaint with a supervisory authority, Art. 77 GDPR.

You will find a list of all data protection authorities responsible for the Travel ID operators below.
 

The competent supervisory authority for Deutsche Lufthansa AG, Discover Airlines GmbH and Miles & More GmbH is:
 

The Officer for Data Protection and Freedom of Information of the State of Hesse

PO box 3163

65021 Wiesbaden

Germany
 

Tel: +49 - 611 - 14 08 - 0

Fax: +49 - 611 - 14 08 - 900 or - 901
 

Email: poststelle@datenschutz.hessen.de

The competent supervisory authority for Eurowings GmbH is:
 

Regional Officer for Data Protection and Freedom of Information

State of North Rhine-Westphalia

PO box 20 04 44

40102 Dusseldorf

Germany
 

Tel.: +49 - 211 - 38 424 - 0

Fax: +49 - 211 - 38 424 - 999
 

Email: poststelle@ldi.nrw.de

The competent supervisory authority for Austrian Airlines AG is:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Austria

Tel: ​+43 - 52 -152 - 0

Email: ​dsb@dsb.gv.at

The competent supervisory authority for Swiss International Air Lines AG is:

Federal Data Protection and Information Commissioner
Feldeggweg 1
3003 Bern
Switzerland

Tel: +41 - 58 - 46 24 395
Fax: +41 - 58 - 46 59 996

For data processing that is subject to the GDPR:
 

The Officer for Data Protection and Freedom of Information of the State of Hesse

PO box 3163

65021 Wiesbaden

Germany
 

Tel: +49 - 611 - 14 08 - 0

Fax: +49 - 611 - 14 08 - 900 or - 901
 

Email: poststelle@datenschutz.hessen.de

The competent supervisory authority for Brussels Airlines SA/NV is:

Autorité de protection des données

Gegevensbeschermingsautoriteit

Data Protection Authority

Rue de la presse 35, 1000 Brussels
Belgium

Tel: +32 - 2 - 27 44 800

Email: contact@apd-gba.be

For reasons arising from your specific situation, you have the right to object at any time to the processing of personal data concerning you based on Art. 6(1)(f) GDPR.
 

In the event of an objection, we will no longer process the personal data concerning you, unless we can prove that there are compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or if the processing is used to enforce, exercise or defend legal claims.
 

If the personal data concerning you is processed by us for the purpose of direct marketing and you object to this processing, the personal data concerning you will no longer be processed for these purposes.
 

You can object to processing your personal data at any time, for example using the contacts named in the “Who can you contact” section.

We use technical and organisational security measures to protect your data against accidental or deliberate manipulation, loss, deletion or access by unauthorised persons. Our security measures are being improved continuously as new technology develops.

In connection with the processing operations described in this Travel ID Privacy Policy, we may disclose your data to the following categories of recipients:

• service providers with whom we cooperate on the basis of an order processing agreement pursuant to Art. 28(3) GDPR;
• government agencies and authorities, e.g. on the basis of police and investigative activities.

In such cases, personal data may be transferred to third countries or international organisations worldwide. For your protection and the protection of your personal data, appropriate security measures will be taken for such data transfers in accordance with and pursuant to the law.
 

If these transfers take place in a third country for which the EU Commission or the competent authority has not issued an adequacy decision, we use the EU standard contractual clauses. You can find information about the EU standard contractual clauses on the website of the European Union.
 

In exceptional cases, the transfer to countries without adequate protection may also be permissible in other cases, e.g., based on consent, in connection with legal proceedings or if the transfer is necessary for the execution of a contract.