We noticed you are using Internet Explorer 11, this web browser is no longer supported, your experience might be degraded.

Data Privacy Policy of MilesPay

In this Data Privacy Policy, we inform you about the processing of your personal data in connection with the use of MilesPay.

1. Responsible for data protection

MilesPay is operated by Miles & More GmbH, Unterschweinstiege 8, D-60549 Frankfurt am Main (“MMG”) as the party responsible for processing your personal data in accordance with the European Union General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (“BDSG”). Full details of MMG can be found in the imprint. Information on how to contact the Group data protection officer and the responsible supervisory authority can be found at the end of this Data Privacy Policy.

 

In addition, our partner, Mastercard Europe SA, 198A, Chaussée de Tervuren, 1410 Waterloo, Belgium, (“Mastercard”) is responsible for some parts of the processing under data protection law. For more information, please refer to point 2 and point 4 of this Data Privacy Policy. 

2. Your personal data

In the context of using MilesPay, the following personal data is processed:
 

  • For the registration of a required and eligible credit card for MilesPay and for the execution of the redemption of award miles, the following information is processed by our partner Mastercard:
    • Credit card number, date and time of transaction, merchant name, purchase amount in euros, foreign currency information
    • MMG customer number, MMG frequent flyer status, residence (country), language, mileage account balance, desired award miles redemption limit, amount of redeemed award miles

 

  • The following information is processed by MMG for displaying information and for product development purposes:
    • Credit card number, date and time of transaction, merchant name, merchant location, purchase amount in euros, foreign currency information
    • MMG customer number, MMG frequent flyer status, residence (country), language, mileage account balance, desired award miles redemption limit, amount of redeemed award miles

3. Purposes and legal bases of processing

Your personal data is processed by us for the fulfilment of contractual obligations according to Art. 6 para. 1 p. 1 lit. b GDPR.

In addition, we process your data to protect our legitimate interests according to Art. 6 para. 1 p. 1 lit. f GDPR

  • for the purpose of preventing fraud, e.g. credit card misuse, identity deception, obtaining special conditions or tariffs by fraudulent means,
  • for the assertion of legal claims, including collection and defence in legal disputes,
  • for auditing purposes,
  • for data analysis and the compilation of statistics to improve products and services (business interest in the further development of the programme),
  • for IT security purposes (business interest in the security of proprietary systems), and
  • for authentication and fraud prevention (business interest in protecting against material and immaterial damage).

4. Recipients of your data

In order to be able to offer you MilesPay and the related services, based on our contractual obligations or according to our legitimate interests, we use service providers such as service centres or IT service providers as processors according to Art. 28 GDPR. The service providers have been carefully selected and work exclusively according to our instructions. They provide sufficient guarantees for compliance with data protection obligations.

If personal data is transferred to third countries, appropriate safeguards are provided for your protection and the protection of your data in accordance with the legal requirements (in particular, EU adequacy decisions and the application of EU standard contractual clauses; information on EU standard contractual clauses can be found on the websites of the European Union).

In addition, in certain cases, we are legally obliged to provide personal data to German and international authorities (Art. 6 para. 1 sentence 1 lit. c GDPR - legal obligation).

 

Mastercard processes the data mentioned in section 2 in parts as a processor for MMG. As far as payment processing is concerned, Mastercard processes such data as a credit card organisation under its own responsibility. In particular, MMG does not obtain any credit card numbers of members.

 

The data collected by us will not be transmitted to other third parties.

5. Duration of storage

We process your data as long as it is necessary for the fulfilment of our contractual and legal obligations. When the purpose for which your data was processed ceases to apply, it will be deleted, unless its retention is required for the following purposes:

  • Fulfilment of retention periods under commercial and tax law, such as those arising from the German Commercial Code or the German Fiscal Code; these periods are up to 10 years.
  • Preservation of evidence within the framework of the statute of limitations. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years.

In these cases, your data will be blocked so that it can no longer be processed for other purposes. 

6. Your data subject rights

6.1 Your rights

As an affected person, you may exercise the following rights if the respective legal requirements are met:

  • Right to information, Art. 15 GDPR
  • Right to rectification, Art. 16 GDPR
  • Right to erasure (“right to be forgotten”), Art. 17 GDPR
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right to object to processing, Art. 21 GDPR

To exercise your right, you can use our contact form. In order to process your request and to identify you, please note that we will process your personal data in accordance with Art. 6 (1) p. 1 lit. c GDPR.

In addition, you have the right to lodge a complaint with a supervisory authority, Art. 77 GDPR in conjunction with § 19 of the Federal Data Protection Act (BDSG).

6.2 Responsible supervisory authority

The supervisory authority responsible for MMG is:

 

The Hessian Data Protection Commissioner

P.O. Box 3163

D-65021 Wiesbaden

 

Gustav-Stresemann-Ring 1

D-65189 Wiesbaden

 

Telephone: +49 (0)611 1408-0

Fax: +49 (0)611 1408-900 or -901

Email: poststelle@datenschutz.hessen.de

7. Right to object according to Art. 21 GDPR

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, which is carried out on the basis of Art. 6 (1) sentence 1 lit. e or f GDPR.

We will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing.

If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.

 

You can object to the processing of your personal data at any time, including via our contact form.

8. Handling of data within the Miles & More programme

Further information on the handling of personal data within the Miles & More programme can be found in the separate Data Privacy Policy of the Miles & More Programme at www.miles-and-more.com/datenschutz.

9. Data security

We use technical and organisational security measures to protect your data processed by us against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. Our security measures are continuously improved in line with technological developments.

We store your personal data on servers in Germany, a Member State of the European Union or in contracting states of the Agreement on the European Economic Area. 

10. Updating

We regularly review this Data Privacy Policy and will update it as necessary. We will inform you (e.g. in the app) about significant changes to this Data Privacy Policy.

11. Data protection officer

Lufthansa’s data protection officer is also the data protection officer of Miles & More GmbH. If you have any questions regarding data protection at Miles & More, please contact the Group data protection officer (e.g. by mail to Deutsche Lufthansa AG, Group Data Protection Officer, FRA CJ/D, Lufthansa Aviation Center, Airportring, 60546 Frankfurt/Main or by email to datenschutz@dlh.de).

Status: 1 July 2021