Miles & More Programme Data Protection Policy

The operators and issuers of Miles & More are Miles & More GmbH, Unterschweinstiege 8, D-60549 Frankfurt am Main, Germany (“MMG”) and Deutsche Lufthansa AG, Linnicher Strasse 48, D-50933 Cologne, Germany (“Lufthansa”). Unless stated otherwise in this Data Protection Policy, “we” or “us” refers to Lufthansa and MMG as the bodies jointly responsible (“Joint Controllers”) for the processing of your personal data within the meaning of Article 26 of the General Data Protection Regulation of the European Union (“GDPR”) and the Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”). For this purpose, we have concluded a Joint Controller Agreement. We will gladly answer any further questions you may have in this regard. Further information about MMG and Lufthansa can be found in their respective legal notices at www.miles-and-more.com and www.lufthansa.com.

In this Data Protection Policy, we also make a distinction between the Lufthansa Group, our co-issuing partners and partner companies, so that we can make it more transparent for you which processes are carried out with the assistance of which company, and who has access to your data, to what extent and for what purpose (further details in Section 4 of this Data Protection Policy).

In order to make a Miles & More membership possible for you, we collect personal data from you in the application form. These data consist in particular of your last name, first name, gender, address and domicile. Furthermore, certain processes require you to provide additional compulsory information so that we can complete your registration and any subsequent processes, such as sending out a confirmation email and registering your Miles & More member account for two-factor authentication. This may also include data such as your date of birth, email address and mobile phone number. Furthermore, along with your application or in the course of your Miles & More membership, you can communicate other data to us on a voluntary basis, for example, an additional telephone number, your academic title or  flight-related preferences (departure airport, seat, food preferences). To save you additional trouble in entering these data, we extract some information directly from the application form or when processing it. This includes the date of your registration and your preferred language for correspondence. All these data collected about you are called your “master data”.

In order to manage the status assigned by Lufthansa or co-issuing partners (such as Frequent Traveller, Senator or HON Circle Member), we also store data required to manage this status, such as the type of status or the number of status or HON Circle miles you have earned (“status data”).

When you open your mileage account, we give you a Miles & More card number. Your Miles & More card number is part of your master data. It is used to identify you clearly as a member.

Your Miles & More card number may change in the course of your membership. There are various triggers for this, such as when you achieve a particular status or lose your card. By using a unique identification number in the background, we can continue to arrange for miles to be credited to your account and/or for you to redeem miles. This unique identification number is generated exclusively by the system and is used in all identification processes. If you lose your card, this also allows us to block your card number without you having to re-register.

When you earn or redeem miles as part of Miles & More, we record your “programme data”.

When you earn miles, the programme data include all the information required for a mileage credit and the administration, ongoing development and marketing of Miles & More. This includes information about the Miles & More partner companies, with whom you earn miles, as well as information about the services and number of miles earned on which your mileage credit is based.

When you quote your Miles & More card number to an airline company to earn miles, the programme data also include other information, in particular information about the flight route, the flight date, the flight number, the price, the airline operating the flight and the booking class.

When you earn miles with another Miles & More partner company, the programme data include information about the services requested that relate to miles, i.e. in particular the products purchased or services used, such as the price, quantity, goods category, time of purchase, time of execution or place of rental/stay.

When you earn miles with a Miles & More Credit Card, the programme data include details of the amount spent with the Miles & More Credit Card. If you have given additional consent to your bank, further data may also be collected. You can find details about this in Section 7 of this Data Protection Policy.

When you redeem miles, the programme data consist of details of the awards requested as well as the number of miles used (with a flight, the specific type of flight award, the flight route, the flight date and other information relating to the booking; and with another award, e.g. the type of award and product information such as the price, quantity, goods category, time of purchase, time of execution or place of rental/stay).

By processing these data, we can track account movements (in particular for fraud prevention), and ensure that the mileage credit is correct, that detailed information is provided when requested, and that any possible complaints you may make are processed promptly. If you give your consent, the data described above may also be used for advertising purposes (you can find more detailed information about this in Section 5 of this Data Protection Policy).

When you use our website, app or other communications media, such as email, we also process your data as described in Section 3 of the “Miles & More Website, App & Communications Media” Data Protection Policy.

When you communicate with our service centres, we also process the data you have given us in order to deal with your enquiry and to improve our services.

We process your personal data, i.e. master, programme and status data, as well as other data described above in the context of Miles & More, in particular for the performance of contracts and for pre-contractual measures pursuant to Art. 6(1)(1)(b) GDPR, in order to

• process your application for membership of Miles & More, to be able to send you your Miles & More card and other contractual information about Miles & More,
• enable you to earn and redeem miles (also retroactively), in particular to be able to credit the miles earned by you with operators and Miles & More partner companies to your mileage account and be able to debit the miles used when you request an award,
• enable us to check at all times that when you earn miles, the correct number of miles is credited, and that when you debit the account for an award, the correct number of miles is calculated,
• send you other contractual information relating to your status when you fulfil the appropriate criteria of your Miles & More status card,
• inform you about current extensions or modifications to Miles & More,
• process your enquiries (by phone, in writing or online).

We also process your personal data in order to safeguard our legitimate interests and after careful balancing of the interests concerned pursuant to Art. 6(1)(f) GDPR,

• to enforce legal claims, including debt collection and to defend ourselves in the event of legal disputes (company interest in legal defence and law enforcement),
• to keep your data up to date. To achieve this, we use an update service, which makes your new contact data available to us in the event of changes to your contact data (company interest in maintaining contact with members),
• to be able to inform you by text message about relevant developments with regard to flights booked using your Miles & More card number details (company interest in customer satisfaction and timely information about flight delays and cancellations),
• in order to observe the preferences saved in your profile (company interest in the best possible service for customers),
• to administer, further develop and market Miles & More (company interest in the competitiveness and relevance of the programme),
• to simplify the registration process for our online stores (Worldshop, SWISS Shop). To achieve this, the registration form will be pre-filled for you after you have entered your Miles & More card number and PIN (company interest in the consistency and validity of data),
• for the purposes of data analysis and the preparation of statistics to improve products and services (company interest in ongoing development of the programme),
• for the purpose of IT security (company interest in the security of its own systems),
• for the purposes of authentication and fraud prevention (company interest in protection from material or immaterial damage),
  
• to legitimise and clearly identify you (for example if you no longer have access to your Miles & More member account).

We also process your data so that we can send you individually compiled offers relating to Miles & More, providing you have given us your separate consent to do so; this way we can send you information that is relevant to you. The legal basis for this processing is Art. 6(1)(1)(a) GDPR (consent). You can find further details under Section 5 of this Data Protection Policy.

We are obliged to observe statutory commercial and tax retention periods. Furthermore, in individual cases, we are also obliged to cooperate with various national and international authorities (tax and law enforcement authorities). The legal basis for this processing is Art. 6(1)(1)(c) GDPR (legal obligation).

The operators of Miles & More can appoint selected partner companies in certain countries which may market Miles & More as their own programme (“co-issuing partners”). The co-issuing partners are

• Air Dolomiti
• Austrian Airlines
• Brussels Airlines
• Croatia Airlines
• Eurowings
• Frankfurt Airport
• LOT Polish Airlines
• Luxair
• Swiss International Air Lines

We may share data with these co-issuing partners for the administration, ongoing development and marketing of Miles & More as their own programme, as described in Section 3, in the following cases:

• If you have registered with Miles & More via a co-issuing partner, your master data, Miles & More card number or a unique username, as well as your programme data relating to the co-issuing partner’s services, may be shared with the co-issuing partner.
• If the co-issuing partner is an airline and your residence is located within the home market of this co-issuing partner, we may share your master data, Miles & More card number and programme data with the co-issuing partner.
• If the co-issuing partner is an airline and you take flights operated by this co-issuing partner, we may share your master data and programme data with the co-issuing partner.
• If you have gained a status with a co-issuing partner, in addition to the master data and the programme data related to the services provided by the co-issuing partner, your status data may also be shared with the co-issuing partner.

The co-issuing partners send us the programme data set out in Section 3 of this Data Protection Policy in order to enable us to credit miles. The legal basis for processing is Art. 6(1)(1)(b) GDPR (performance of a contract and pre-contractual measures).

With Miles & More partner companies (including co-issuing partners and Star Alliance airlines), your personal data will only be transferred if and insofar as you have requested a service via us from a Miles & More partner company (for example an award) (Art. 6[1][1][b] GDPR), or insofar as you have given your consent (for example in the context of a login) (Art. 6[1][1][a] GDPR). This also applies to the “Hotels & Cars” platform powered by Points and the “Gift Cards by cadooz” platform powered by cadooz. In this context, please note the relevant Data Protection Policy of the partner concerned.

Some of our partners give you the option to authenticate yourself as a Miles & More member on their partner website by entering your Miles & More card number and PIN in order to see special offers for Miles & More members and to redeem miles, where applicable. In these instances, the partner sends us the service card number and PIN you have entered for comparison. When the data are correct, we will confirm this. We also automatically send your mileage account balance to partners who allow you to redeem miles. This is necessary so that you can see the partner’s offers and redeem your miles. The legal basis for processing is Art. 6(1)(1)(b) GDPR (performance of a contract and pre-contractual measures).

If you contact us with a programme-related enquiry, for example because you are waiting for a mileage credit after a transaction with a Miles & More partner company, we may forward your enquiry to our partner company for prompt processing. The legal basis for the forwarding of your query in this case is Art. 6(1)(1)(b) GDPR (performance of a contract and pre-contractual measures).

Miles & More partner companies forward the programme data listed in Section 2.3 of this Data Protection Policy to us in order to allow the allocation of mileage credits.

You can find a summary of our partners here.

Airlines within the Lufthansa Group (as listed at www.miles-and-more.com/mitherausgeber) have combined their customer loyalty activities. This means that the member’s master data and the status and programme data obtained by a Lufthansa Group airline are managed in a joint database for all Lufthansa Group airlines. Without your separate consent, these data may be processed and used in an anonymised form (that is, with no possibility of a particular member being identified) for analysis purposes, and for the management, ongoing development and marketing of Miles & More. If you have given your consent, the data may also be used on a personal basis for marketing purposes (also see Section 5 of this Data Protection Policy).

In addition, your master data and programme data are shared with companies belonging to the Lufthansa Group for the purpose of fraud prevention (Art. 6[1][1][f] GDPR) and for the issuance of status cards (Art. 6[1][1][b] GDPR).

In order to be able to offer you our products and services, we use service providers, such as service centres, printers, letter shops and IT service providers, as processors in accordance with Art. 28 GDPR. These service providers have been carefully selected and work exclusively to our instructions. They will provide sufficient guarantees to comply with their obligations under data protection law.

We also receive data from other third parties as part of commissioned processing, where such third parties have commissioned us to process data. This occurs, for example, in the context of processing customer service enquiries for programme partners.

For the protection of your personal data, appropriate safeguards are provided in the event of such personal data transmissions in accordance with the statutory regulations (in particular EU adequacy decisions and the use of EU standard contractual clauses; you can find information about EU standard contractual clauses on the European Union website).

The legal bases for the transmission of data to processors are the legal bases stipulated in Section 3 of this Data Protection Policy, in conjunction with Art. 26 GDPR.

Furthermore, in certain cases we are legally obliged to make personal data available to German and international authorities, Art. 6(1)(1)(c) GDPR (legal obligation).

We give you the option to give MMG and Lufthansa separate consent for the processing of the following:

• Preparation and sending of information about your mileage account balance and our Miles & More newsletter
• Combined offers we have put together for you to earn and redeem miles in exchange for services from operators, co-issuing partners and Miles & More partner companies
• Market research surveys/customer satisfaction questionnaires to improve Miles & More and the offers from operators, co-issuing partners and Miles & More partner companies

Consent may include the following communication channels:

• Email
• Messenger services
• Telephone

Information and offers, such as the Worldshop catalogue, the Lufthansa Exclusive or Woman’s World, may be sent by post unless you object to receiving such information and offers.

Moreover, we can give you the option of giving separate consent to individual co-issuing partners for processing the following:

• Market research surveys/customer satisfaction questionnaires – your opinion on the respective co-issuing partners (including partner companies, where applicable) and their offers and services
• Information and offers from the respective co-issuing partners and their partner companies, where applicable
• Regular information from the respective co-issuing partners and their partner companies, where applicable, about special offers and valuable tips, especially relating to the airline, vehicle manufacturing, financial services, hotels, transport, lifestyle, shopping and telecommunications sectors
• Information about services and products from selected airline partners

Consent may include the following communication channels:

• Email
• Messenger services
• Telephone

Information and offers may be sent by post unless you object to receiving such information and offers.

Further details about consent with our co-issuing partners can be found in the respective data protection policies. For the airlines of the Lufthansa Group (Swiss International Air Lines, Austrian Airlines and Lufthansa), details can be found under

• Deutsche Lufthansa
• Swiss International Air Lines
• Austrian Airlines
  

You can give all the consents referred to above, for example, in your application for membership of Miles & More on our website or any Miles & More communications medium. You can also give those parts of your consent that relate to the co-issuing partners to them via their own communication channels.

If you give us your consent, we can assess your  personal data (incl. data reconciliation) in order to provide you with relevant and tailor-made personalised information about the Miles & More programme via all communication channels. For example, we can use your place of residence, age, status level and your most recent mileage credits to adapt the offers for earning/redeeming miles in the Miles & More newsletter to your needs. If we refer in our consent to “personal data”, we understand this term to mean all the types of data defined in Section 2 of this Data Protection Policy.

If you have given your consent to one of the co-issuing partners, the latter may evaluate all the data it has about you in order to send you personalised information that is uniquely relevant and customised to your interests. This includes data from the Miles & More programme shared under Section 4 of this Data Protection Policy, as well as the data it collects itself, such as flight data.

Further details about data usage with our co-issuing partners can be found in the respective data protection policies. For the airlines of the Lufthansa Group (Swiss International Air Lines, Austrian Airlines and Lufthansa), details can be found under

• Deutsche Lufthansa
• Swiss International Air Lines
• Austrian Airlines

The legal basis for processing the data is Art. 6(1)(1)(a) GDPR (consent).

You can edit your communication settings in your customer profile on www.miles-and-more.com at any time, and/or withdraw and/or restrict your consent in full or in part (e.g. by telephone at the Miles & More Service Centre). In addition, you can deactivate push notifications on mobile end devices in the respective Miles & More app.

You can also withdraw your consent to the receipt of the Miles & More newsletter and other marketing communications sent by email at any time, at the bottom of the respective email.

If you do not give your consent, you will not receive information from MMG and Lufthansa Group airlines. You can find information about your mileage account balance (including early reminders about mileage expiry) in your customer profile at www.miles-and-more.com.

MMG and Lufthansa can send you legally relevant information about the Miles & More programme (such as changes to the terms and conditions of participation), irrespective of whether you have given or withdrawn your consent. The legal basis for processing the data in this case is Art. 6(1)(1)(b) GDPR (performance of a contract and pre-contractual measures).

If you also have an ID profile with one of the Lufthansa Group airlines, a link to your Miles & More profile may also be required as part of this. This is used in particular to make you clearly identifiable via the various profiles. The background for this in particular is that we cannot manage your consent to the Lufthansa Group in aggregated form without clear identification and wish to save you having to enter or change your data several times in different profiles. If you do not create a link, we must point out that unfortunately we are unable to carry over the settings activated in the individual profiles into the other profiles (in particular about your consents).

The legal basis is Art. 6(1)(1)(a) GDPR (consent). You can find further details about linking here.

When you apply for a Miles & More Credit Card, additional personal data are collected by the issuing bank (for example your profession, marital status and income). These supplementary data are processed and used exclusively by the issuing bank and are not shared with the operators or co-issuing partners. We only receive the programme data arising from the use of the Miles & More Credit Card, as well as your Miles & More card number, and other master data that is required for the allocation of the programme data to you as a member, in order to make earning miles possible for you. The legal basis for processing the data in this case is Art. 6(1)(1)(b) GDPR (performance of a contract and pre-contractual measures). If you have given further consent to the issuing bank, the issuing bank may also share additional personal data with us, such as the time and place the card was used and a description of the sales, which we will use for the purposes stated in this Data Protection Policy. The legal basis for sharing this data is Art. 6(1)(1)(a) GDPR (consent).

With regard to the Lufthansa Miles & More Credit Card (“credit card”), Miles & More GmbH, Unterschweinstiege 8, D-60549 Frankfurt am Main, Germany (“MMG”) and the Deutsche Kreditbank AG, Taubenstrasse 7-9, D-10117 Berlin, Germany (“DKB”) are jointly responsible for certain processing operations (“Joint Controllers”) within the meaning of Art. 26 GDPR. MMG and the DKB have concluded a Joint Controller Agreement for this purpose. The joint processing of personal data here relates in particular to the provision of the credit card and all related processing activities, as well as mileage crediting. MMG is primarily responsible here for all areas relating to the member and mileage programme. For example, it links the credit card with the Miles & More mileage account in order to make earning miles possible. The DKB, on the other hand, is primarily responsible for all areas relating to the issue of credit cards and the specific banking services associated with them. It concludes the contract and issues the credit card.

You can assert your rights under the GDPR both against MMG and the DKB. To this end, it is necessary for the Joint Controllers to be able to exchange information relating to your enquiries if this is necessary for their reply.

It is also possible for you to log in to selected third-party websites using your Miles & More access data. We would like to make it more convenient for you to log in to third-party websites with your familiar access data and not to have to remember new login details. In all cases, your access data stays within the MMG system.

Your Miles & More login is provided to you for the following purposes, among others, and on the basis of the following legal bases:

• to earn/redeem miles (Art. 6[1][1][b] GDPR – performance of a contract and pre-contractual measures)
• to register on a partner website (Art. 6[1][1][a] GDPR – consent)
  
• to pre-populate other forms on partner websites (Art. 6[1][1][a] GDPR – consent)

When you use your Miles & More login, the third-party website will link you to our Miles & More website, where you can log in as usual. In each case, a notification will be displayed informing you which data may be accessed by the third party and for what purpose in your case. To register on the third-party website, you must consent to the transfer of your data to the third party. We will store your consent so you no longer need to grant it the next time you log in to the third-party website. The third party will then be granted a limited access key to our system, which will enable access to your relevant personal data for the required purpose. The access key is valid for a limited period, unless you give your consent to an access key with no time limit.

You can manage your settings in this regard at any time on the Miles & More website, and you can withdraw your consent with future effect via your Miles & More profile. In this case, all access keys to your data issued to the partner company will be revoked.

When you log in to third-party websites, MMG will learn which sites interest you and can use this information for the administration, ongoing development and marketing of Miles & More. The legal basis for this processing is Art. 6(1)(1)(f) GDPR (company interest in the competitiveness and relevance of the programme). MMG does not receive any personal data from the partner company.

The third party concerned has sole responsibility for the lawful processing and the security of your data.

We process your data as long as it is required to fulfil our contractual and statutory obligations. It must be noted here that membership of the Miles & More programme is for an indefinite period and is set up for several years until cancellation or the ending of the programme.
If the purpose for which your data were processed no longer applies, such data is deleted, unless the retention thereof is required for the following purposes:

• to fulfil retention periods under commercial and tax law that derive from the German Commercial Code (Handelsgesetzbuch) or the German Tax Code (Abgabenordnung); these periods can be up to 10 years,
• to retain evidence as part of the provisions on limitation periods. Under Sections 195 ff. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods can be up to 30 years, whereas the standard limitation period is three years.

In these cases, your data are blocked so that they cannot be processed for other purposes.

As the data subject, you can exercise the following rights where the respective statutory conditions exist:

• Right of access, Art. 15 GDPR
• Right to rectification, Art. 16 GDPR
• Right to erasure (“right to be forgotten”), Art. 17 GDPR
• Right to restriction of processing, Art. 18 GDPR
• Right to data portability, Art. 20 GDPR
• Right to object, Art. 21 GDPR

You may use our contact form to exercise your right. So that we can process your application and identify you, please note that we will use your personal data in accordance with Art. 6(1)(c) GDPR.

In your customer profile on our website, you can also check the current status of most of your master data yourself at any time. Please update your personal data immediately after any changes occur (for example your postal address, email address or telephone number).

You also have the right to lodge a complaint with a supervisory authority: Art. 77 GDPR in conjunction with Section 19 BDSG.

The competent supervisory authority for MMG and Lufthansa is:

The Data Protection Commissioner of Hesse
PO Box 3163
D-65021 Wiesbaden

Gustav-Stresemann-Ring 1
D-65189 Wiesbaden

Tel.: 06 11 - 14 080
Fax: 06 11 - 14 08 900 or 14 08 901
Email: poststelle@datenschutz.hessen.de

For reasons arising from your specific situation, you have the right to object to the processing of your personal data at any time based on Art. 6(1)(e) or (f) GDPR.

We will no longer process the personal data that concerns you, unless we can prove that there are compelling reasons for the processing that are worthy of protection and that outweigh your interests, rights and freedoms, or if the processing is used to enforce, exercise or defend legal claims.

If the personal data concerning you is processed for the purpose of direct advertising, you have the right to submit an objection to the processing of your personal data for the purposes of such advertising at any time.

If you object to processing for the purposes of direct advertising, the personal data concerning you will no longer be processed for these purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

You can object to the processing of your personal data at any time, for example by using our contact form as described in Section 10 of the Data Protection Policy.

When processing your data, we use technical and organisational security measures to protect your data against accidental or deliberate manipulation, loss, destruction, or access by unauthorised persons. Our security measures are updated on a continuous basis as new technology develops.
We store your personal data on servers in Germany, in a European Union member state or in states which are party to the Agreement on the European Economic Area.

We check this Data Protection Policy regularly and will update it as necessary. Where there are significant changes made to this Data Protection Policy, we will inform you (for example on our website or in our app).