Miles & More website, app & communications media Data Protection Policy

“We” refers to Miles & More GmbH, Unterschweinstiege 8, 60549 Frankfurt am Main (“MMG”), as the body responsible for the processing of your personal data within the meaning of the General Data Protection Regulation of the European Union (“GDPR”) and the Federal Data Protection Act (Bundesdatenschutzgesetz - “BDSG”).

Where the “operators” are referred to, this makes reference to MMG and Deutsche Lufthansa AG (“Lufthansa”), the operators and issuers of the Miles & More customer loyalty programme (“Miles & More”) for which they are jointly responsible as defined in Art. 26 GDPR. We will gladly make the principle contents of this Joint Controller Agreement available to you on request. Complete information relating to these companies can be found in their respective imprints at www.miles-and-more.com and www.lufthansa.com.

On our website and in our app, we make a variety of functionalities available to you, which require the processing of personal data. These functionalities can only be accessed, for example, by Miles & More members after logging in with their identification details (e.g. a Miles & More card number and PIN or User ID and password).

The following functionalities are available to you as a logged-in Miles & More member:

• Profile view and customisation 
• Award requests
• Use of platforms for spending and earning miles
• Receiving customised information and offers 
• Participation in surveys or lucky draws

Where the use of functionalities requires you to provide more personal information, this will be identified on our website or in our app. Mandatory information is specifically identified; if mandatory information is not provided, the use of the particular functionality will not be possible.

The legal basis for this processing is Art. 6(1) b) GDPR (performance of contract and pre-contractual measures), as well as Art. 6(1) a) GDPR (consent), for the display of offers we have prepared for you, as well as participation in surveys and lucky draws.

We may also offer you functionalities on our website and in our app, which can be used without logging in, but which nonetheless require the processing of personal data. These functionalities may include but are not limited to:

• Use of the contact form for sending us enquiries or comments

The legal basis for the processing of your data is Art. 6(1), Subparagraph 1(b) GDPR (Performance of contract and pre-contractual measures).

You can use our website without actively supplying personal data by registering or logging in to the Miles & More programme. Even in this case, we must process certain information in order to enable your access to our website. 

Our server automatically recognises the following data (so-called log files):

• Domain name
• Date and time of your visit
• Your client file request (file name and URL)
• http response code
• Number of bytes transferred during the session
• IP address of your terminal
• Device properties, such as the operating system
• Website referrer (information about the website that you accessed immediately before visiting our website)
• Location data (without your permission, only the region)

This data will be processed and retained for 90 days to check security incidents, in order to allow you technically to access the website, as well as to ensure its stability and security. The legal basis for this processing is Art. 6(1), Subparagraph 1(f) GDPR (legitimate interest - company interest in technical stability of the website). 

Furthermore, your IP address will be processed in a pseudonymised form in order to protect our website from outside attack (e.g. hacker attack, botnet attacks, other attempted fraud). Your IP address will not be saved with your profile and we cannot trace it back to you personally (without considerable and disproportionate effort). The legal basis for this processing is Art. 6(1), Subparagraph 1(f) GDPR (balancing of interests - company interest in security of the system).   

Furthermore, we use technology for the recognition of your terminal, such as cookies or local storage, for example. Further information about this can be found under Point 3.3.

In order to use the functionalities described under Point 2.1, you can log on to our website with your Miles & More card number and PIN or with your User ID and password. In addition to the data described under Point 3.1, your master, status and program data, as well as other data after a login, will be processed as described in this Data Protection Policy. 

We offer you the option to “remain logged in” to our website. When you select this functionality during the login process, a cookie saves an access token so that you do not have to log in to our website again on a renewed visit and so that we recognise you. We will only ask for your login data again for sensitive, security-relevant functions, such as redeeming miles. If you remove this selection or delete all the cookies in your browser settings, the cookie will be removed and you must log in again. For reasons of security, we do not recommend the use of this functionality on computers or other devices accessible to the public.

To ensure our service is as user-friendly as possible, we use so-called cookies and other tracking methods. You can find more detailed information about this at Cookies and similar technologies.

You can access our app as a guest. However, use of the Miles & More specific functionalities is only possible after you log in with your access data.

The following data will be collected automatically upon use:

• Domain name
• Date and time of your visit
• Your client file request (file name and URL)
• http response code
• Number of bytes transferred during the session
• IP address of your terminal
• Device properties, such as the operating system
• Interapp referral link (information about the linked app that you called up immediately before visiting our app) 
• Location data (without your permission, only the region)

When you use the service as a guest, we evaluate this data exclusively in an anonymised form for statistical purposes, for example, to determine how many visitors our app has had within a certain period. The legal basis for this processing is Art. 6(1) f) GDPR (legitimate interest - company interest in the improvement of the website).

You can use the full functionality of our app after entering the requested access data (Miles & More card number and PIN or User ID and password), or after registering for the Miles & More programme. Your access data is required to enable you to use the app’s functions. The legal basis for this processing is Art. 6(1), Subparagraph 1(b) GDPR (Performance of contract and pre-contractual measures).

Moreover, when the app is used, we may process the data mentioned under 4.1 for the purpose of data analysis. This data is processed in a pseudonymised form and not saved with your profile. The legal basis for this processing is Art. 6(1) f) GDPR (legitimate interest - company interest in evaluation of campaigns and ongoing development of the app and offers). If you have granted us permission to do so, we can collate the data with your profile data. The legal basis for this processing is Art. 6(1), Subparagraph 1(a) GDPR (Consent).

If you give permission in the app for your location to be accessed, you are giving the app permission to access the location services of your mobile device. Your device’s location services use information from mobile, Wi-Fi, and GPS networks and/or iBeacons, in order to determine your approximate location.

Authorisation for the access of your device’s location services is required so that the app can offer you location-based functions, such as the display of offers near you. If you do not allow access, only a restricted display of location-based content will be possible.

Configuration on smartphones with the iOS operating system (Apple iPhone and iPad):
you can also turn the location function’s authorisation on and off later in the iOS settings: to do this, open the App “Settings” in iOS and select the “Data Protection” menu option and the sub category “Location services”. In the menu below, you will find all the apps that are installed on your device which have location-based functions. Select the Miles & More App here. In the menu below, you can select whether access to your location should always be allowed or switched off completely.

Configuration on smartphones with the Android operating system (various manufacturers, e.g. Samsung, HTC, Sony, LG): on Android, you can change the settings of the location function at any time according to the device and the version of the operating system. To do this, please go to the app "Settings" on your device. Tap “Security & location” and then “Location” (or only “Location”; “Location” and then “More” in your work profile.) Tap “App level authorisation”. Search for the app you want. Deactivate the location authorisation for the app.

Our app will not make any use of the authorisation without your consent. Location services will only be accessed when you have given your explicit permission in the app. To this end, your permission will be requested by the app after you have registered or logged in. The app will only make use of the access options of location services after you have answered the question with “Allow”.

The legal basis for this processing is Art. 6(1), Subparagraph 1(a) GDPR (Consent).

We use certain analysis procedures both on our website and in our app. The following points explain the analysis procedures and integration.

Adobe Analytics is installed on our website, in our app and our digital communications media. This is a web analysis service from Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland (“Adobe Analytics”). 

Adobe Analytics uses cookies, especially 2o7.net and omtrdc.net belonging to the Adobe domain. Adobe Analytics also installs web beacons (see also Point 3.3.1 of the last section): a web beacon is a transparent graphic (usually 1 pixel x 1 pixel) set on digital content and its request is detected by the visitor. Using a web beacon enables us to measure the activities of a visitor when opening a website, app or communication medium with the web beacon.

With Adobe Analytics your IP address is shortened, thus making it anonymous, and it is used only in this anonymised form.

Information acquired by the use of a cookie or web beacon will only be transferred to Adobe’s computing centre located in a European Union member state or in other states which are party to the Agreement on the European Economic Area. Adobe uses this information solely on our behalf and only for the purposes set out above.

If you do not wish to allow the collection and usage of such information by Adobe Analytics using cookies, you can decline it here. In the case of the use of our app, you can prevent this collection by deactivating the button at the end of the data protection provision. Then a corresponding opt-out cookie is installed on your device which contains no tracking data; instead it enables us to recognise your objection and not to allow any more data sharing with the Adobe server for tracking purposes.

In addition, you can generally set up your internet browser to not accept any cookies and by doing so prevent data collection by Adobe Analytics. The same applies to the “do not track” function or the deactivation of graphics displays for the web beacon. Please make sure you are clear about the steps required to carry this out by reading the instructions for your own internet browser, as the relevant settings vary according to each browser supplier.

You can find more information about Adobe Analytics and data protection at Adobe at www.adobe.com/privacy.html.

We use the remarketing technology of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; (“Google”). This technology allows us to reach out to users who have already visited our website and shown an interest in our offers by placing targeted ads on the pages of the Google Partner network. Cookies are used to display these ads. With the help of these cookies, the user’s behaviour upon visiting the website can be analysed and then used for targeted product recommendations and interest-based advertising.

If you do not wish to receive interest-based ads, you can deactivate Google’s use of cookies for these purposes by visiting www.google.com/settings/ads. Alternatively, you can deactivate the use of cookies for interest-related advertising via the Network Advertising Initiative, by following the instructions provided at networkadvertising.org/managing/opt_out.asp.

By using our online services, you agree that Google may process the data collected about you in the manner described here and for the purpose specified above. Please note that Google has its own data privacy policies, which are independent from our own. We do not assume any responsibility or liability for these policies and procedures.

On our website, we use so-called “Captchas” from Google (“Google reCAPTCHA”). This is a function which determines whether a person (or in cases of fraud, a computer) has performed a specific operation. “Captcha” stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”.

The Google security check makes particular use of the following information:

• The IP address of your terminal
• Browser properties (e.g. browser type and browser version, screen resolution, language, time and date of access)
• Your Google account (if you are logged in)
• Your surfing behaviour on websites
• Your entry behaviour (e.g. the movement of your mouse on the reCAPTCHA surfaces)
• Where appropriate, tasks involving the identification of images.

You can find more information about data protection at Google at https://policies.google.com/privacy?hl=en&gl=en.

The legal basis for the processing described in Points 5.1 and 5.2 is Art. 6(1), Subparagraph 1(f) GDPR (legitimate interest - company interest in the relevance and ongoing development of the website). If you have given your consent, we can collate your data in a pseudonymised form with your master and program data. The legal basis for this processing is Art. 6(1), Subparagraph 1(a GDPR (Consent). The legal basis for this processing under Point 5.3 is Art. 6(1) f) GDPR (legitimate interest - company interest in the security of the system/spam protection)

On our website and in our app we can integrate functionalities relating to social networks (such as Facebook or Twitter).

We currently use links to offers from Miles & More in social networks. Both our website and our app can be accessed and used without these links. If you use these additional functionalities, please be aware of the following policy about the treatment of personal data:

By linking our website to one of our offers in social networks, e.g. on our Facebook page, our YouTube channel or our Twitter account, this refers to simple links to the pages of current social networks. When you use these links, we do not share any personal information with the providers of these social networks. However, we wish to point out to you that these providers essentially have the possibility of recognising the provenance of a visit. We have no influence over the data processing of these providers. This Data Protection Policy does not extend to the offers of these providers. Further information can generally be found in the respective providers’ data protection policies.

You can reach third-party websites via links from our website which are not operated by us. For example, this may include the websites of partner companies where you can earn miles, or where special offers are made available for Miles & More members. We have no influence over the processing of your personal data on such third-party websites; this is dealt with by the relevant website provider. Therefore please read the conditions of use and data protection information on these websites in order to get more precise information about the processing of personal information on these websites.

We process your data as long as it is required to fulfil our contractual and statutory obligations. If the purpose for which your data were processed no longer applies, such data is deleted, unless the retention thereof is required for the following purposes:

• to fulfil retention periods under commercial and tax law that derive from the Commercial Code or the Tax Code; these periods can be up to 10 years
• to retain evidence as part of the provisions on limitation periods. Under §§ 195 ff. of the Civil Code (Bürgerliches Gesetzbuch - BGB), these limitation periods can be up to 30 years, whereas the standard limitation period is three years.

To be able to offer you our services, we use service providers, such as service centres, web hosting services or other IT service providers as processors, in accordance with Art. 28 GDPR. These service providers have been carefully selected and work exclusively to our instructions. They provide sufficient guarantees to comply with their obligations under data protection law.

We also receive data from other third parties as part of commissioned processing where such third parties have commissioned us to process data. This occurs, for example, in the context of processing customer service enquiries for programme partners.
In the event that personal data is transmitted to third countries, appropriate safeguards for the protection of your personal data are provided in accordance with the statutory requirements (in particular EU adequacy decisions and the use of EU standard contractual clauses. You can find information about EU standard contractual clauses on the European Union websites), and pursuant to Art. 45, 46, GDPR.

The legal bases for transmitting personal data to data processors are listed in section 3 of the legal bases of this Data Protection Policy, in conjunction with Art. 26 GDPR.
Furthermore, in certain cases we are legally obliged to make personal data available to German and international authorities (Art. 6(1) c) GDPR (legal obligation).

As the data subject you can exercise the following rights where the respective statutory conditions exist:

• Right to information, Art. 15 GDPR
• Right to rectification, Art. 16 GDPR
• Right to deletion (“right to be forgotten”), Art. 17 GDPR
• Right to restriction of processing, Art. 18 GDPR
• Right to data portability, Art. 20 GDPR
• Right to object, Art. 21 GDPR

You can use our contact form to exercise your right. So that we can process your request and identify you, please note that we will process your personal data in accordance with Art. 6 (1) subsection 1 c) GDPR.

In your customer profile on our website, you can also check the current status of most of your master data yourself at any time. Please update your personal data immediately after any changes occur (for example, your postal address, email address or telephone number).

You also have the right to lodge a complaint with a supervisory authority, Art. 77 GDPR in conjunction with § 19 BDSG.

The competent supervisory authority for MMG and Lufthansa is:

The Data Protection Commissioner of Hesse
Postfach 3163
65021 Wiesbaden

Gustav-Stresemann-Ring 1
65189 Wiesbaden

Tel: 0611/1408-0
Fax: 0611/1408-900 or -901
E-mail: poststelle@datenschutz.hessen.de

For reasons arising from your specific situation, you have the right to submit an objection to the processing of your personal data based on Art. 6 (1) e) or f) GDPR at any time.

We will no longer process the personal data that concern you, unless we can prove that there are compelling reasons for the processing that are worthy of protection and that outweigh your interests, rights and freedoms, or if the processing is used to enforce, exercise or defend legal claims.

If the personal data concerning you is processed to operate direct advertising, you have the right to submit an objection against the processing of your personal data for the purposes of such advertising at any time.

If you object to processing for the purposes of direct advertising, the personal data concerning you will no longer be processed for these purposes.

You have the option of exercising your right of objection in connection with the use of the services of the information company using an automated procedure - notwithstanding Directive 2002/58/EC - in which technical specifications are used.

You can object to the processing of your personal data at any time, for example by using our contact form as described in section 10 of the Data Protection Policy.

We use technical and organisational security measures to protect your data that we process against accidental or deliberate manipulation, loss, deletion or access by unauthorised persons. Our security measures are being improved continuously as new technology develops.
We store your personal data on servers in Germany, in a European Union member state or in states which are party to the Agreement on the European Economic Area.

We check these data protection policies regularly and we will update these as necessary. Where there are significant changes made to this Data Protection Policy, we will inform you (for example, on our website or in our app).