Data protection policy of the Miles & More website, app and communication media

“We” refers to Miles & More GmbH, Unterschweinstiege 8, 60549 Frankfurt am Main (“MMG”), as the body responsible for the processing of your personal data within the meaning of the General Data Protection Regulation of the European Union (“GDPR”) and the Federal Data Protection Act (Bundesdatenschutzgesetz - “BDSG”).

Where the “operators” are referred to, this makes reference to MMG and Deutsche Lufthansa AG (“Lufthansa”), the operators and issuers of the Miles & More customer loyalty programme (“Miles & More”) for which they are jointly responsible as defined in Art. 26 GDPR. We will gladly make the principle contents of this Joint Controller Agreement available to you on request. Complete information relating to these companies can be found in their respective imprints at www.miles-and-more.com and www.lufthansa.com.

On our website and in our app, we make a variety of functionalities available to you, which require the processing of personal data. These functionalities can only be accessed, for example, by Miles & More members after logging in with their identification details (e.g. a Miles & More card number and PIN or User ID and password).

The following functionalities are available to you as a logged-in Miles & More member:

• Profile view and customisation 
• Award requests
• Use of platforms for spending and earning miles
• Receiving customised information and offers 
• Participation in surveys and competitions

Where the use of functionalities requires you to provide more personal information, this will be identified on our website or in our app. Mandatory information is specifically identified; if mandatory information is not provided, the use of the particular functionality will not be possible.

The legal basis for this processing is Art. 6(1), Subparagraph 1(b) GDPR (Performance of contract and pre-contractual measures), as well as Art. 6(1), Subparagraph 1(a) GDPR (Consent), for the display of combined offers we have put together for you, as well as participation in surveys and competitions.

We may also offer you functionalities on our website and in our app, which can be used without logging in, but which nonetheless require the processing of personal data. These functionalities may include but are not limited to:

• Use of the contact form for sending us enquiries or comments

The legal basis for the processing of your data is Art. 6(1), Subparagraph 1(b) GDPR (Performance of contract and pre-contractual measures).

You can use our website without actively supplying personal data by registering or logging in to the Miles & More programme. Even in this case, we must process certain information in order to enable your access to our website. 

Our server automatically recognises the following data (so-called log files):

• Domain name
• Date and time of your visit
• Your client file request (file name and URL)
• http response code
• Number of bytes transferred during the session
• IP address of your terminal
• Device properties, such as the operating system
• Website referrer (information about the website that you accessed immediately before visiting our website)
• Location data (without your permission, only the region)

This data will be processed and retained for 90 days to check security incidents, in order to allow you technically to access the website, as well as to ensure its stability and security. The legal basis for this processing is Art. 6(1), Subparagraph 1(f) GDPR (legitimate interest - company interest in technical stability of the website). 

Furthermore, your IP address will be processed in a pseudonymised form in order to protect our website from outside attack (e.g. hacker attack, botnet attacks, other attempted fraud). Your IP address will not be saved with your profile and we cannot trace it back to you personally (without considerable and disproportionate effort). The legal basis for this processing is Art. 6(1), Subparagraph 1(f) GDPR (balancing of interests - company interest in security of the system).   

Furthermore, we use technology for the recognition of your terminal, such as cookies or local storage, for example. Further information about this can be found under Point 3.3.

In order to use the functionalities described under Point 2.1, you can log on to our website with your Miles & More card number and PIN or with your User ID and password. In addition to the data described under Point 3.1, your master, status and program data, as well as other data after a login, will be processed as described in this Data Protection Policy. 

We offer you the option to “remain logged in” to our website. When you select this functionality during the login process, a cookie saves an access token so that you do not have to log in to our website again on a renewed visit and so that we recognise you. We will only ask for your login data again for sensitive, security-relevant functions, such as redeeming miles. If you remove this selection or delete all the cookies in your browser settings, the cookie will be removed and you must log in again. For reasons of security, we do not recommend the use of this functionality on computers or other devices accessible to the public.

We use so-called cookies, local and session storage and web beacons to ensure that our service is as user-friendly as possible.

A “cookie”  is a small text file which a web server (the www.miles-and-more.com web server, for example) sends to your browser when you visit a website. It depends on your browser’s settings as to whether the cookie file is stored or deleted. If the file is stored, our webserver can recognise your terminal. Next time you visit the site or when you switch between functions requiring you to enter a password, the cookie can save you from re-inputting information. This is how cookies make it easier for you to use websites requiring user input.

We use:
 

• “Session cookies”
  These expire at the end of the browser session and can capture your activities during the browser session. They are deleted when you finish your browser session.
• “Permanent cookies”
  These are saved on your terminal between different browser sessions and are able to capture your settings or activities on multiple websites. These are deleted after a predefined period, which can vary according to the cookie. You can, however, delete the cookies at any time in your browser settings.
• Session storage
  Comparable to the use of cookies. In this case, your data is stored in your browser. The data is deleted when you close your browser.
• Local storage
  This is also comparable to the use of cookies. It permits the secure, long-term storage of the information contained. For further details see Point 3.3.2.

Furthermore, we distinguish between the following categories of cookies:
 

• Operationally necessary
  These cookies are absolutely necessary to operate the site and facilitate, for example, login, redeeming miles and security features. Furthermore, these cookies allow us to recognise whether you wish to remain logged in to your profile, so that you can access our services more quickly the next time you visit our website.
• Statistics
  We collect anonymised data for the purpose of statistics and analysis so that we can continue to improve our services and website. These cookies allow us, for example, to determine visitor numbers and the effect of certain pages of our website, as well as to optimise our content. We use Adobe Analytics for this (see Point 5).
• Personalisation
  These cookies are used to show you personalised content tailored to your interests. This makes it possible to present offers that are especially relevant to you.

You can set up your browser to accept or block cookies. Furthermore, you can set it up to delete all cookies at the end of a session or delete individual cookies manually. Please note that if you block or delete certain cookies, the functionalities of our website may be limited or no longer available. In this case, you will not be able to access your personal profile nor receive any content that is tailor-made for you.

It could be that your browser is also already set up to display an alert every time it accepts a cookie. This alert can be very annoying, as every single time a page is called up on our website, the identification cookie has to be sent again. Hence we recommend that you set up your browser to always allow cookies from www.miles-and-more.com. You can specify this setting for single websites on an individual basis.

You can find more information about the use of cookies and how to deactivate cookies at meine-cookies.org and youronlinechoices.com.

Web beacons are small graphic files (also known as “tracking pixels”, “pixel tags” or “clear GIFs”), which may be contained in our websites, apps, applications and newsletters and are normally installed in conjunction with cookies. All of the above-mentioned information about cookies applies also to web beacons. So web beacons will not be installed if you have refused the use of the respective cookies. 

We use the so-called local storage functionality. This means that your data (master data, status data and program data) are stored in the cache of your browser after login and will not be deleted after closing the browser window - unless you delete the cache - and can be retrieved the next time you access the website. By using local storage, we facilitate the correct display of your data when you are surfing our website without slowing the process down unnecessarily or overloading the interfaces. 

If you do not want local storage to be used, you can change your settings accordingly at any time in your browser settings.

The legal basis for the use of operationally relevant cookies as in Point 3.3.1 is Art. 6(1), Subparagraph 1(b) GDPR (Performance of contract and pre-contractual measures). The legal basis for Points 3.3.1 and 3.3.2 is Art. 6(1), Subparagraph 1(f) GDPR (legitimate interest). For Point 3.3.1, the company’s interest in cookies lies in statistical usage and for the purpose of personalisation in the ongoing development and relevance of the website and programme. For Point 3.3.2, the company’s interest in cookies lies in speeding up processes and avoiding system overload. 

You can access our app as a guest. However, the use of Miles & More specific functionalities are only possible after login with your identification data.

The following data will be collected automatically upon use:

• Domain name
• Date and time of your visit
• Your client file request (file name and URL)
• http response code
• Number of bytes transferred during the session
• IP address of your terminal
• Device properties, such as the operating system
• Interapp referral link (information about the linked app that you called up immediately before visiting our app) 
• Location data (without your permission, only the region)

When you use the app as a guest, we evaluate the data exclusively in an anonymised form for statistical purposes, for example, to determine how many visitors our app has had within a certain period. 

You can fully use the functionalities of our app after entering the requested identification details (Miles & More card number and PIN or User ID and password), or after registering for the Miles & More programme. Your identification details are necessary in order to enable your use of the app’s functions. The legal basis for this processing is Art. 6(1), Subparagraph 1(b) GDPR (Performance of contract and pre-contractual measures). 

Moreover, when the app is used, we may process the data mentioned under 4.1 for the purpose of data analysis. This data is processed in a pseudonymised form and not saved with your profile. The legal basis for this processing is Art. 6(1), Subparagraph 1(f) GDPR (legitimate interest -  company interest in evaluation of campaigns and ongoing development of the app and offers). If you have granted us permission to do so, we can collate the data with your profile data. The legal basis for this processing is Art. 6(1), Subparagraph 1(a) GDPR (Consent).

If you give permission in the app for your location to be accessed, you are giving the app permission to access the location services of your mobile device. Your device’s location services use information from mobile, Wi-Fi, and GPS networks and/or iBeacons, in order to determine your approximate location.

Authorisation for the access of your device’s location services is required so that the app can offer you location-based functions, such as the display of offers near you. If you do not allow access, only a restricted display of location-based content will be possible.

Configuration on smartphones with the iOS operating system (Apple iPhone and iPad):

you can also turn the location function’s authorisation on and off later in the iOS settings: to do this, open the app “Settings” in iOS and select the “Data protection” menu option and the sub category “Location services”. In the menu below, you will find all the apps that are installed on your device which have location-based functions. Select the Miles & More app here. In the menu below, you can select whether access to your location should always be allowed or switched off completely.

Configuration on smartphones with the Android operating system (various manufacturers, e.g. Samsung, HTC, Sony, LG): on Android, you can change the settings of the location function at any time according to the device and the version of the operating system. To do this, please go to the app "Settings" on your device. Tap “Security & location” and then “Location” (or only “Location”; “Location” and then “More” in your work profile.) Tap “App level authorisation”. Search for the app you want. Deactivate the location authorisation for the app.

Our app will not make any use of the authorisation without your consent. Location services will only be accessed when you have given your explicit permission in the app. To this end, your permission will be requested by the app after you have registered or logged in. The app will only make use of the access options of location services after you have answered the question with “Allow”.

The legal basis for this processing is Art. 6(1), Subparagraph 1(a) GDPR (Consent).

We use certain analysis procedures both on our website and in our app. The following points explain the analysis procedures and integration.

Adobe Analytics is installed on our website, in our app and our digital communications media. This is a web analysis service from Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland (“Adobe Analytics”). 

Adobe Analytics uses cookies, especially 2o7.net and omtrdc.net belonging to the Adobe domain. Adobe Analytics also installs web beacons (see also Point 3.3.1 of the last section): a web beacon is a transparent graphic (usually 1 pixel x 1 pixel) set on digital content and its request is detected by the visitor. Using a web beacon enables us to measure the activities of a visitor when opening a website, app or communication medium with the web beacon.

With Adobe Analytics your IP address is shortened, thus making it anonymous, and it is used only in this anonymised form.

Information acquired by the use of a cookie or web beacon will only be transferred to Adobe’s computing centre located in a European Union member state or in other states which are party to the Agreement on the European Economic Area. Adobe uses this information solely on our behalf and only for the purposes set out above.

If you do not wish to allow the collection and usage of such information by Adobe Analytics using cookies, you can decline it here. In the case of the use of our app, you can prevent this collection by deactivating the button at the end of the data protection provision. Then a corresponding opt-out cookie is installed on your device which contains no tracking data; instead it enables us to recognise your objection and not to allow any more data sharing with the Adobe server for tracking purposes.

In addition, you can generally set up your internet browser to not accept any cookies and by doing so prevent data collection by Adobe Analytics. The same applies to the “do not track” function or the deactivation of graphics displays for the web beacon. Please make sure you are clear about the steps required to carry this out by reading the instructions for your own internet browser, as the relevant settings vary according to each browser supplier.

You can find more information about Adobe Analytics and data protection at Adobe at www.adobe.com/de/privacy.html.

We use the remarketing technology of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; (“Google”). This technology allows us to reach out to users who have already visited our website and shown an interest in our offers by placing targeted ads on the pages of the Google Partner network. Cookies are used to display these ads. With the help of these cookies, the user’s behaviour upon visiting the website can be analysed and then used for targeted product recommendations and interest-based advertising.

If you do not wish to receive interest-based ads, you can deactivate Google’s use of cookies for these purposes by visiting www.google.com/settings/ads. Alternatively, you can deactivate the use of cookies for interest-related advertising via the Network Advertising Initiative, by following the instructions provided at networkadvertising.org/managing/opt_out.asp.

By using our online services, you agree that Google may process the data collected about you in the manner described here and for the purpose specified above. Please note that Google has its own data privacy policies, which are independent from our own. We do not assume any responsibility or liability for these policies and procedures.

On our website, we use so-called “Captchas” from Google (“Google reCAPTCHA”). This is a function which determines whether a person (or in cases of fraud, a computer) has performed a specific operation. “Captcha” stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”.

The Google security check makes particular use of the following information:

• The IP address of your terminal
• Browser properties (e.g. browser type and browser version, screen resolution, language, time and date of access)
• Your Google account (if you are logged in)
• Your surfing behaviour on websites
• Your entry behaviour (e.g. the movement of your mouse on the reCAPTCHA surfaces)
• Where appropriate, tasks involving the identification of images.

You can find more information about data protection at Google at https://policies.google.com/privacy?hl=de&gl=de.

The legal basis for the processing described in Points 5.1 and 5.2 is Art. 6(1), Subparagraph 1(f) GDPR (legitimate interest - company interest in the relevance and ongoing development of the website). If you have given your consent, we can collate your data in a pseudonymised form with your master and program data. The legal basis for this processing is Art. 6(1), Subparagraph 1(a GDPR (Consent). The legal basis for this processing under Point 5.3 is Art. 6(1), Subparagraph 1(f) GDPR (legitimate interest - company interest in the security of the system/spam protection) 

On our website and in our app we can integrate functionalities relating to social networks (such as Facebook or Twitter).

We currently use links to offers from Miles & More in social networks. Both our website and our app can be accessed and used without these links. If you use these additional functionalities, please be aware of the following policy about the treatment of personal data:

By linking our website to one of our offers in social networks, e.g. on our Facebook page, our YouTube channel or our Twitter account, this refers to simple links to the pages of current social networks. When you use these links, we do not share any personal information with the providers of these social networks. However, we wish to point out to you that these providers essentially have the possibility of recognising the provenance of a visit. We have no influence over the data processing of these providers. This Data Protection Policy does not extend to the offers of these providers. Further information can generally be found in the respective providers’ data protection policies.

You can reach third-party websites via links from our website which are not operated by us. For example, these may be the websites of partner companies where you can earn miles or where special offers are made available for Miles & More members. We have no influence over the processing of your personal data on such third-party websites; this is dealt with by the relevant website provider. Therefore please read the conditions of use and data protection information on these websites in order to get more precise information about the processing of personal information on these websites.

We check these data protection policies regularly and we will update these as necessary. Where there are significant changes made to this Data Protection Policy, we will inform you (for example, on our website or in our app).