Data protection policy for the Miles & More website, app and communication media
This data protection policy covers which personal data is collected when you visit and use our website, app and other digital communication media, and how this information is processed.
The Miles & More data protection policy for Miles & More programme membership supplements this policy.
- 1. Data controllers under data protection law
- 2. General
- 2.1 Miles & More member features
- 2.2 Other features
- 3. Data processing when accessing our website
- 3.1 Users not logged in
- 3.2 Logged-in users
- 3.3 Cookies and similar technologies
- 4. Data processing when using the app
- 4.1 Use as a guest
- 4.2 Use as a logged-in member
- 4.3 Location
- 5. Tracking tools for website and app analysis
- 5.1 Analysis with Adobe Analytics
- 5.2 Google reCAPTCHA
- 5.3 Legal basis
- 6. Use of advertising services
- 6.1 Google Remarketing/Google Ads
- 6.2 Google Customer Match
- 6.3 Processing by Google
- 7. Social media
- 8. Third-party website links and data collection
- 9. Duration of storage
- 10. Recipients
- 11. Your rights as the data subject
- 11.1 Your rights
- 11.2 Competent supervisory authority
- 12. Right to object pursuant to Art. 21 GDPR
- 13. Data security
- 14. Updates
- 15. Data protection officer
1. Data controllers under data protection law
“We” refers to Miles & More GmbH, Flughafen Frankfurt Tor 21, Airportring, Geb. 322, D-60546 Frankfurt am Main (“MMG”), as the body responsible for the processing of your personal data within the meaning of the General Data Protection Regulation of the European Union (“GDPR”) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”).
Any reference to the “operators” refers to MMG and Deutsche Lufthansa AG (“Lufthansa”), the operators and issuers of the Miles & More customer loyalty programme (“Miles & More”) for which they are jointly responsible as defined in Art. 26 GDPR. We’d be happy to provide you with the key provisions of this Joint Controller Agreement on request. Full details of these companies can be found in their legal notices at www.miles-and-more.com and www.lufthansa.com.
2. General
2.1 Miles & More member features
On our website and in our app, we provide you with various features that require the processing of personal data. Some of these features can only be accessed by Miles & More members after logging in with their credentials (e.g. Miles & More service card number and PIN, or user ID and password).
The following features are available to you as a logged-in Miles & More member:
- Profile view/customisation
- Award requests
- Use of platforms for redeeming and earning miles
- Customised information and offers
- Participation in surveys or lucky draws
Insofar as the use of certain features requires the provision of additional personal data, this will be clearly indicated on our website or in our app. Required fields are clearly marked; without this information, you will not be able to use the relevant feature.
The legal basis for processing your personal data when using basic Miles & More programme features (e.g. profile management, award requests, earning and redeeming miles) is Art. 6(1)(1)(b) GDPR (implementation of the membership agreement).
Furthermore, if we provide you with information and offers tailored to your interests or enable you to participate in surveys or lucky draws, your data will be processed on the basis of your consent in accordance with Art. 6(1)(1)(a) GDPR. You can withdraw any consent given at any time with future effect; the lawfulness of data processed until the withdrawal remains unaffected.
2.2 Other features
We may also offer you features on our website and in our app which can be used without logging in, but which nonetheless require the processing of personal data. These features may include, but are not limited to:
- Use of the contact form for sending us enquiries or comments
The provision of the data requested in the contact form is necessary in order to process and respond to your enquiry.
The legal basis for processing is Art. 6(1)(1)(b) GDPR, insofar as your enquiry relates to the conclusion or implementation of a contract.
In all other cases, processing is based on our legitimate interest pursuant to Art. 6(1)(1)(f) GDPR in the processing of enquiries.
3. Data processing when accessing our website
3.1 Users not logged in
You can use our website without actively providing personal data, for example without registering or signing up for the Miles & More programme. Even so, our server records the data listed below. Collecting this data is technically necessary to enable access to the website; it is not possible to use the website without processing it.
Our server automatically records the following data (in the form of log files):
- Domain name
- Date and time of your visit
- Your client file request (file name and URL)
- HTTP response code
- Number of bytes transferred during the session
- IP address of your terminal
- Terminal properties, such as the operating system
- Website referrer (information about the website that you accessed immediately before visiting our website)
- Location data (region only if no consent given)
This data is processed and retained for 90 days to check security incidents, to allow you to technically access the website, and to ensure its stability and security. The legal basis for processing is our legitimate interest pursuant to Art. 6(1)(1)(f) GDPR in the secure and stable operation of our website.
Furthermore, your IP address will be processed in a pseudonymised form in order to protect our website from outside attack (e.g. hacker attacks, botnet attacks, other attempted fraud). Your IP address will not be saved with your profile, and we cannot trace it back to you personally (without considerable and disproportionate effort). The legal basis for this processing is our legitimate interest pursuant to Art. 6(1)(1)(f) GDPR in the security of our information technology systems.
We also use technologies to recognise your device, such as cookies or local storage. Further information about this can be found under section 3.3.
3.2 Logged-in users
In order to use the features described under section 2.1, you can log in to our website with your Miles & More service card number and PIN or with your user ID and password. In addition to the data described under section 3.1, your master, status and programme data – as well as other data – will be processed as described in this data protection policy after logging in.
We offer you the option to “stay logged in” to our website. When you select this option during the login process, a cookie stores an access token so that we can recognise you and you don’t have to log in again when you return to our website. We will only ask you to re-enter your login credentials for sensitive, security-relevant features, such as redeeming miles. If you deselect this option or delete all the cookies in your browser settings, the cookie will be removed and you will have to log in again. For security reasons, we do not recommend using this feature on computers or other devices accessible to the public.
3.3 Cookies and similar technologies
To make our website as user-friendly as possible, we use what are known as cookies and similar tracking methods. You can find more detailed information about this under Cookies and similar technologies.
4. Data processing when using the app
4.1 Use as a guest
You can access our app as a guest. However, certain Miles & More features are only available after logging in with your access data.
The following data is automatically recorded when you use the app:
- Domain name
- Date and time of your visit
- Your client file request (file name and URL)
- HTTP response code
- Number of bytes transferred during the session
- IP address of your terminal
- Terminal properties, such as the operating system
- Inter-app referral link (information about the linked app you accessed immediately before visiting our app)
- Location data (region only if no consent given)
When you use the service as a guest, we evaluate this data exclusively in a pseudonymised form for statistical purposes, for example to determine how many visitors our app has had within a certain period. The legal basis for this processing is Art. 6(1)(1)(f) GDPR (legitimate interest – the company’s interest in ongoing development of the website, app and offers).
4.2 Use as a logged-in member
You can use the full functionality of our app by entering the requested access data (Miles & More service card number and PIN or user ID and password) or by registering for the Miles & More programme. Your access data is required to enable you to use the app’s features. Without this data, it is not possible to use the app as a logged-in member. The legal basis for this processing is Art. 6(1)(1)(b) GDPR (performance of a contract and pre-contractual measures).
Irrespective of this, when you use the app, we process the data listed in section 4.1 in pseudonymised form for the purposes of analysing and developing the app. This data is not associated with your user profile. The legal basis for this is our legitimate interest pursuant to Art. 6(1)(1)(f) GDPR in the analysis and further development of the app.
This pseudonymised data will only be merged with your profile data if you have given us your consent to do so. The legal basis for this processing is your consent pursuant to Art. 6(1)(1)(a) GDPR. You can withdraw this consent with future effect at any time.
4.3 Location
When you allow the app to access your location, you are giving the app permission to access your mobile device’s location services. Your device’s location services use information from mobile, Wi-Fi and GPS networks and/or iBeacons in order to determine your approximate location. The provision of location data is voluntary and has no impact on the basic use of the app.
Permission for your device’s location services to be accessed is required so that the app can offer you location-based features, such as the display of offers near you. If you do not grant access, location-based content can only be displayed to a limited extent.
Configuration on smartphones with the iOS operating system (Apple iPhone and iPad): you can also switch location permissions on or off in the iOS settings at a later time. Open the iOS “Settings” app, select the menu item “Privacy & Security” and then the sub-item “Location Services”. The next menu lists all the apps installed on your device that have location-based features. Select the Miles & More app. In the following menu, you can choose whether access to your location should always be allowed or be switched off completely.
Configuration on smartphones with the Android operating system (various manufacturers such as Samsung, HTC, Sony and LG): you can change Android location settings at any time, depending on the device and the version of the operating system. To do so, please go to the app “Settings” on your device. Tap “Security & Location” and then “Location” (or just “Location”; in your work profile, tap “Location” and then “Advanced”). Tap “App-level permissions”. Search for the app you want. Turn off location permissions for the app.
Our app will not make use of this permission without your consent. Location services will only be accessed if you have given your explicit permission in the app. The app will ask for your permission once you have registered or logged in. The app will only access location services if you answer the question with “Allow”.
The legal basis for processing is your consent pursuant to Art. 6(1)(1)(a) GDPR. You can withdraw your consent at any time with future effect by turning off the location permission in your device’s settings.
5. Tracking tools for website and app analysis
We use certain analytics tools both on our website and in our app. The following explains the analytics tools used and their applications.
5.1 Analysis with Adobe Analytics
Our website, app and digital communication media use Adobe Analytics, a web analytics service provided by Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland (“Adobe Analytics”).
Adobe Analytics uses cookies, especially from the 2o7.net and omtrdc.net domains belonging to Adobe. Adobe Analytics also uses web beacons (see also section 3.3.1, last paragraph). A web beacon is a transparent graphic image (usually 1 pixel x 1 pixel) that is placed on digital content and detects when such content is accessed by the visitor. Using a web beacon enables us to measure the activities of a visitor opening a website, app or communication medium with the web beacon.
With Adobe Analytics, your IP address is truncated, making it anonymous, and then only used in this anonymised form.
Information acquired by a cookie or web beacon will only be transferred to an Adobe data centre located in a Member State of the European Union or in other states which are party to the Agreement on the European Economic Area. Adobe uses this information solely on our behalf and only for the purposes set out above.
If you do not wish to allow the collection and usage of such information by Adobe Analytics using cookies, you can object to this here. When using our app, you can opt out of such data collection by deactivating the button at the end of the data protection policy. An opt-out cookie will then be placed on your device. This contains no tracking values, but is merely used to signal your objection and to ensure that no further data is transmitted to Adobe’s servers for tracking purposes.
You can also generally configure your web browser to decline all cookies, thereby preventing Adobe Analytics from collecting data. The same applies to the “do not track” feature or to disabling the display of images for the web beacon. Please refer to the instructions for managing features for your specific web browser, as settings vary across programs.
You can find more information about Adobe Analytics and Adobe data protection at www.adobe.com/privacy.html.
5.2 Google reCAPTCHA
On our website, we use what are known as “CAPTCHAs” from Google (“Google reCAPTCHA”). This is a feature which determines whether a specific action was performed by a human or, improperly, by a computer. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
This Google security check is primarily based on the following information:
- The IP address of your terminal
- Browser properties (e.g. browser type and browser version, screen resolution, language, time and date of access)
- Your Google account (if you are logged in)
- Your browsing activity on websites
- Your input activity (e.g. the movement of your mouse on reCAPTCHA fields)
- Where appropriate, tasks involving the identification of images
You can find more information about Google data protection at https://policies.google.com/privacy?hl=de&gl=xx.
5.3 Legal basis
The legal basis for processing described in sections 5.1 (Adobe Analytics) and 5.2 (Google reCAPTCHA) for the purposes of website analysis, optimisation and security is Art. 6(1)(1)(f) GDPR (legitimate interest in website development, system security and protection against misuse).
The pseudonymised data processed during the analysis will only be merged with your master and programme data if you have given us your consent to do so. The legal basis for this processing is your consent pursuant to Art. 6(1)(1)(a) GDPR. You can withdraw this consent with future effect at any time.
6. Use of advertising services
6.1 Google Remarketing/Google Ads
Our website uses Google Remarketing. Google Remarketing is an online marketing program of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). We use the remarketing feature within Google Ads. With the help of this feature, we can show you ads that are relevant to your interests on other websites/apps within the Google advertising network. For this, we analyse your surfing behaviour on our website, e.g. which offers you have viewed. This enables us to continue to show you personalised ads even after you have visited our website, both on the Google online search engine itself (Google Ads) and on other websites/apps. Google stores a cookie in your browser for this purpose when you visit Google services or websites in the Google advertising network. This cookie is used to track your visits. The cookie is used only to clearly identify your web browser and not to identify you personally.
The use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) of the German Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG). You may revoke your consent at any time with effect for the future. You can give your consent in our Cookie Consent Manager and revoke it at any time using the “Cookie Settings” link at the bottom of each page.
Google may use the data collected together with other data it collects about you to personalise ads in its own network. If you have a Google account, you may also object to personalised ads using the following link: https://www.google.com/settings/ads/onweb/. You can find further information in Google’s privacy policy at https://policies.google.com/technologies/ads?hl=de.
6.2 Google Customer Match
We’d like to send you offers tailored to your interests. We therefore define groups into which you may fall based on your user behaviour.
Using the SHA-256 hash function, which the German Federal Office for Information Security recommends as “cryptographically strong”, we generate an attribute from your email address. The resulting list of hashed attributes is forwarded to Google.
Using Google Customer Match, Google then compares the hashed attributes we provide with the attributes it creates from the email addresses of its own Google account customers using the same hash function. Because the function is deterministic, two attributes match only if they were derived from the same address. Matches are then added by Google to a list of what are referred to as audiences. As soon as this process is completed (max. 48 hours), the hashed data is deleted. If you belong to such an audience, Google can then identify you when you are surfing on Google platforms and show you our personalised ads.
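To make the matching step above concrete, here is a small added model of both sides of the exchange (illustrative code, not Miles & More’s or Google’s own implementation). It assumes that both parties canonicalise an address by trimming whitespace and lower-casing it before hashing; the email addresses are constructed sample data.

```python
import hashlib

# Constructed sample data for illustration only; every address is invented.
ADVERTISER_EMAILS = [
    "  Alice.Example@Example.com ",  # mixed case and surrounding whitespace
    "bob@example.org",
    "carol@example.net",
]
GOOGLE_ACCOUNT_EMAILS = [
    "alice.example@example.com",
    "dave@example.org",
    "carol@example.net",
]


def normalise_email(email: str) -> str:
    """Canonical form that both sides must apply identically before hashing.

    Assumption for this example: trimming whitespace and lower-casing.
    Any provider-specific rules are outside what the page describes.
    """
    return email.strip().lower()


def email_attribute(email: str) -> str:
    """SHA-256 hex digest of the normalised address: the 'attribute' that is forwarded."""
    return hashlib.sha256(normalise_email(email).encode("utf-8")).hexdigest()


def build_attribute_list(emails):
    """Advertiser side: the list of hashed attributes, never the plain addresses."""
    return [email_attribute(e) for e in emails]


def match_audience(advertiser_attrs, account_emails):
    """Modelled matching side: hash its own accounts the same way and intersect.

    Only addresses whose hashes coincide end up in the audience; nothing about
    non-matching addresses can be read from the received attribute list.
    """
    account_attrs = {email_attribute(e): e for e in account_emails}
    return sorted(account_attrs[a] for a in advertiser_attrs if a in account_attrs)


def matches_without_normalisation(emails, account_emails):
    """Same flow, but the advertiser hashes raw input: a canonicalisation mismatch
    silently drops matches because SHA-256 is deterministic byte-for-byte."""
    raw_attrs = [hashlib.sha256(e.encode("utf-8")).hexdigest() for e in emails]
    account_attrs = {email_attribute(e): e for e in account_emails}
    return sorted(account_attrs[a] for a in raw_attrs if a in account_attrs)


if __name__ == "__main__":
    attrs = build_attribute_list(ADVERTISER_EMAILS)
    print("forwarded attributes:", attrs)
    print("audience:", match_audience(attrs, GOOGLE_ACCOUNT_EMAILS))
    print("without normalisation:", matches_without_normalisation(ADVERTISER_EMAILS, GOOGLE_ACCOUNT_EMAILS))
```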
The use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) of the German Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG). You may revoke your consent at any time with effect for the future. You can give your consent in our Cookie Consent Manager and revoke it at any time using the “Cookie Settings” link at the bottom of each page.
Another prerequisite for the processing of your personal data in Google Customer Match is that you have a Google account in which you have given Google permission to display personalised advertising. You can change this setting to suit your preferences under the privacy tab in your Google user account.
Google may use the data collected together with other data it collects about you to personalise ads in its own network. If you have a Google account, you may also object to personalised ads using the following link: https://www.google.com/settings/ads/onweb/. You can find further information in Google’s privacy policy at https://policies.google.com/technologies/ads?hl=de.
6.3 Processing by Google
Google may also use the data collected on your user behaviour through our website for its own purposes or for those of other Google customers (e.g. to display personalised third-party advertising).
In these instances, Google Ireland Limited is the sole data controller responsible for this type of processing of your data as well as processing of the data after we have transferred it to Google.
Google Ireland Ltd is a subsidiary of Google LLC, which is headquartered in and subject to the laws of California, USA, and may therefore also have to grant access to data processed outside of the USA. Google Ireland Ltd may also use Google LLC as a service provider and transfer data to the USA in this context.
In relation to the USA, the European Court of Justice has determined that the level of data protection there does not match the level within the EU. In particular, there is a possibility that US security agencies may gain access to your data, without there being an adequate legal remedy available to you.
7. Social media
On our website and in our app, we can integrate features relating to social networks (such as Facebook or Twitter).
We currently only use links to Miles & More offers on social networks. Both our website and our app can be accessed and used without these links. If you use these additional features, please be aware of the following information regarding how your personal data is handled:
When our website links to one of our social media channels, e.g. to our Facebook page, YouTube channel or Twitter account, these are simple links to the pages of the social network in question. When you use these links, we do not share any personal data with the providers of these social networks. Please be aware, however, that these providers generally have the ability to identify at least the referral source when such links are used. We have no influence over the data processing of these providers. This data protection policy does not cover these providers’ networks. Further information can generally be found in the respective providers’ data protection policies.
8. Third-party website links and data collection
You can reach third-party websites which are not operated by us via links on our website. These may include, for example, partner websites where you can earn miles or where special offers are made available for Miles & More members. We have no influence over the processing of your personal data on such third-party websites; this is handled by the relevant website provider. Please therefore read the terms of use and the privacy information on these websites for more detailed information concerning the processing of personal data on these websites.
9. Duration of storage
We process your data for as long as it is required to fulfil our contractual and statutory obligations. If the purpose for which your data was processed no longer applies, such data is deleted, unless the retention thereof is required for the following purposes:
- To fulfil retention periods under commercial and tax law, such as those arising from the German Commercial Code (Handelsgesetzbuch) or the German Fiscal Code (Abgabenordnung); these periods can be up to ten years.
- To retain evidence as part of the provisions on limitation periods. Under Section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch, BGB), these limitation periods can be up to 30 years, with the standard limitation period being three years.
10. Recipients
In order to be able to offer you our services, we use service providers such as service centres, web hosts and other IT service providers as data processors in accordance with Art. 28 GDPR. These service providers will have been carefully selected and will only act in accordance with our instructions. They will provide sufficient guarantees that they will comply with their obligations under data protection law.
We also receive data from other third parties within the scope of data processing, insofar as these third parties have commissioned us to process data. This occurs, for example, in the context of processing customer service enquiries for programme partners.
Insofar as personal data is transmitted to third countries, appropriate safeguards are provided for the protection of your personal data in accordance with the statutory regulations, Art. 45 and 46 GDPR (in particular an EU adequacy decision and the use of EU standard contractual clauses; information about EU standard contractual clauses can be found on the websites of the European Union).
The legal bases for the transmission of data to processors are the legal bases stipulated in section 3 of this data protection policy, in conjunction with Art. 28 GDPR.
Furthermore, we are legally obliged in certain cases to make personal data available to German and international authorities pursuant to Art. 6(1)(1)(c) GDPR (legal obligation).
11. Your rights as the data subject
11.1 Your rights
As the data subject, you can exercise the following rights where the respective statutory conditions exist:
- Right of access, Art. 15 GDPR
- Right to rectification, Art. 16 GDPR
- Right to erasure (“right to be forgotten”), Art. 17 GDPR
- Right to restriction of processing, Art. 18 GDPR
- Right to data portability, Art. 20 GDPR
- Right to object, Art. 21 GDPR
You may use our contact form to exercise your rights. Please note that, in order to deal with your request and identify you, we will process your personal data in accordance with Art. 6(1)(1)(c) GDPR.
You can also check the current status of most of your master data yourself at any time in your customer profile on our website. Please update your personal data immediately after any changes occur (for example, your address, email address or telephone number).
You also have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR in conjunction with Section 19 of the Federal Data Protection Act (Bundesdatenschutzgesetz).
11.2 Competent supervisory authority
The competent supervisory authority for MMG and Lufthansa is:
The Data Protection Commissioner of Hesse
PO Box 3163
D-65021 Wiesbaden
Gustav-Stresemann-Ring 1
D-65189 Wiesbaden
Tel.: 06 11 14 080
Fax: 06 11 14 08 900 or 06 11 14 08 901
Email: [email protected]
12. Right to object pursuant to Art. 21 GDPR
You have the right to object at any time, on grounds pertaining to your particular situation, to any processing of your personal data which is based on Art. 6(1)(e) or (f) GDPR.
We will then no longer process your personal data, unless we can demonstrate compelling legitimate grounds for such processing which outweigh your interests, rights and freedoms, or such processing is required for the establishment, exercise or defence of legal claims.
If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes.
If you object to the processing of your personal data for direct marketing purposes, this data shall no longer be processed for such purposes.
In connection with the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
You can object to the processing of your personal data at any time, for example by using our contact form as described in section 11 of the data protection policy.
13. Data security
When processing your data, we use technical and organisational security measures to protect your data against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons. Our security measures are being improved continuously as new technology develops.
We store your personal data on servers in Germany, in another European Union Member State or in another state that is party to the Agreement on the European Economic Area.
14. Updates
We review this data protection policy regularly and update it as necessary. If significant changes are made to this data protection policy, we will inform you (for example on our website or in our app).
15. Data protection officer
The Lufthansa Group data protection officer is also the data protection officer for Miles & More GmbH. If you have any questions about data protection at Miles & More, please contact the Group data protection officer (e.g. by post at Deutsche Lufthansa AG, Group Data Protection Officer, FRA CJ/D, Lufthansa Aviation Center, Airportring, D-60546 Frankfurt am Main, Germany, or by email to [email protected]).