Data Privacy Policy of MilesPay

MilesPay is operated by Miles & More GmbH, Unterschweinstiege 8, D-60549 Frankfurt am Main (“MMG”) as the party responsible for processing your personal data in accordance with the European Union General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (“BDSG”). Full details of MMG can be found in the imprint. Information on how to contact the Group data protection officer and the responsible supervisory authority can be found at the end of this Data Privacy Policy.

In addition, our partner, Mastercard Europe SA, 198A, Chaussée de Tervuren, 1410 Waterloo, Belgium, (“Mastercard”) is responsible for some parts of the processing under data protection law. For more information, please refer to point 2 and point 4 of this Data Privacy Policy. 

In the context of using MilesPay, the following personal data is processed:
 

• For the registration of a required and eligible credit card for MilesPay and for the execution of the redemption of award miles, the following information is processed by our partner Mastercard:
  • Credit card number, date and time of transaction, merchant name, purchase amount in euros, foreign currency information
  • MMG customer number, MMG frequent flyer status, residence (country), language, mileage account balance, desired award miles redemption limit, amount of redeemed award miles

• The following information is processed by MMG for displaying information and for product development purposes:
  • Credit card number, date and time of transaction, merchant name, merchant location, purchase amount in euros, foreign currency information
  • MMG customer number, MMG frequent flyer status, residence (country), language, mileage account balance, desired award miles redemption limit, amount of redeemed award miles

Your personal data is processed by us for the fulfilment of contractual obligations according to Art. 6 para. 1 p. 1 lit. b GDPR.

In addition, we process your data to protect our legitimate interests according to Art. 6 para. 1 p. 1 lit. f GDPR

• for the purpose of preventing fraud, e.g. credit card misuse, identity deception, obtaining special conditions or tariffs by fraudulent means,
• for the assertion of legal claims, including collection and defence in legal disputes,
• for auditing purposes,
• for data analysis and the compilation of statistics to improve products and services (business interest in the further development of the programme),
• for IT security purposes (business interest in the security of proprietary systems), and
• for authentication and fraud prevention (business interest in protecting against material and immaterial damage).

We process your data as long as it is necessary for the fulfilment of our contractual and legal obligations. When the purpose for which your data was processed ceases to apply, it will be deleted, unless its retention is required for the following purposes:

• Fulfilment of retention periods under commercial and tax law, such as those arising from the German Commercial Code or the German Fiscal Code; these periods are up to 10 years.
• Preservation of evidence within the framework of the statute of limitations. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years.

In these cases, your data will be blocked so that it can no longer be processed for other purposes. 

As an affected person, you may exercise the following rights if the respective legal requirements are met:

• Right to information, Art. 15 GDPR
• Right to rectification, Art. 16 GDPR
• Right to erasure (“right to be forgotten”), Art. 17 GDPR
• Right to restriction of processing, Art. 18 GDPR
• Right to data portability, Art. 20 GDPR
• Right to object to processing, Art. 21 GDPR

To exercise your right, you can use our contact form. In order to process your request and to identify you, please note that we will process your personal data in accordance with Art. 6 (1) p. 1 lit. c GDPR.

In addition, you have the right to lodge a complaint with a supervisory authority, Art. 77 GDPR in conjunction with § 19 of the Federal Data Protection Act (BDSG).

The supervisory authority responsible for MMG is:

The Hessian Data Protection Commissioner

P.O. Box 3163

D-65021 Wiesbaden

Gustav-Stresemann-Ring 1

D-65189 Wiesbaden

Telephone: +49 (0)611 1408-0

Fax: +49 (0)611 1408-900 or -901

Email: poststelle@datenschutz.hessen.de

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, which is carried out on the basis of Art. 6 (1) sentence 1 lit. e or f GDPR.

We will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing.

If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.

You can object to the processing of your personal data at any time, including via our contact form.

Further information on the handling of personal data within the Miles & More programme can be found in the separate Data Privacy Policy of the Miles & More Programme at www.miles-and-more.com/datenschutz.

We use technical and organisational security measures to protect your data processed by us against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. Our security measures are continuously improved in line with technological developments.

We store your personal data on servers in Germany, a Member State of the European Union or in contracting states of the Agreement on the European Economic Area. 

We regularly review this Data Privacy Policy and will update it as necessary. We will inform you (e.g. in the app) about significant changes to this Data Privacy Policy.