Travel ID Privacy Notice

The operators of Travel ID are Austrian Airlines AG, Brussels Airlines SA/NV, Deutsche Lufthansa AG, Eurowings GmbH, EW Discover GmbH and Swiss International Air Lines AG as the “Lufthansa Group airlines” and Miles & More GmbH.

Unless otherwise stated in this Privacy Notice, “we” or “us” or “Travel ID operators” refers to the Lufthansa Group airlines and Miles & More GmbH as the controllers with joint responsibility (“Joint Controllers”) for processing your personal data as defined in Art. 26 of the General Data Protection Regulation of the European Union (“GDPR”).

Further information and contact addresses for the Lufthansa Group airlines and Miles & More GmbH can be found in the respective Privacy Notice for Travel ID operators.

If you have data protection questions in connection with Travel ID, please contact the following:

The data protection officer of Deutsche Lufthansa AG, Miles & More GmbH, Eurowings GmbH and EW Discover GmbH:

Deutsche Lufthansa AG
Data Protection Officer
FRA CJ/D
Lufthansa Aviation Center
Airportring
60546 Frankfurt am Main
Germany

Austrian Airlines AG Data Protection Officer:

Austrian Airlines AG
Legal office – Data Protection
Office Park 2
P.O. Box 100
1300 Vienna Airport
Austria

Swiss International Air Lines AG Data Protection Officer:

Swiss International Air Lines AG
ZRH S/CJ
P.O. Box
8058 Zurich Airport
Switzerland

Brussels Airlines SA/NV Data Protection Officer:

Brussels Airlines
Data Protection Officer
Airport Bld. 26, General Aviation - Ringbaan
1831 Machelen
Belgium

When you register for Travel ID, the only mandatory information we request is your e-mail address, your title, your first and last names, your date of birth and a password. Your country and preferred language settings are transferred automatically, where technically feasible, using the country and language settings you entered on the relevant websites or other touchpoints of the Travel ID operators. This information is required in order to create a Travel ID profile and to use the Travel ID services described in detail below and in the Travel ID Terms and Conditions of Use. You have the option to add further information to your Travel ID profile on a voluntary basis. This may include your address, mobile phone number, payment details or your preferences (e.g. your preferred departure airport).

Based on your activities that you linked in your Travel ID profile, we will display anonymous statistics to you (e.g. your position in the ranking of kilometres flown) and/or so-called badges (e.g. awards when you reach specific targets).

The consent of a parent or guardian is required if you wish to set up a Travel ID profile for your child or your child wishes to do so themselves, and the child is under 18 years of age. After submitting the completed registration form, the parent or guardian will receive an e-mail in which they are asked to give their consent to the creation of a Travel ID profile by confirming the link in the e-mail. All personal data entered is deleted if the parent or guardian does not give their consent within the specified deadline after registration.

The legal basis for processing your data is the performance of the contract in accordance with Art. 6(1)(b) GDPR.

You also have the option of storing other personal data in your Travel ID profile based on your consent. You can find details about this in the relevant sections of this Privacy Notice.

If necessary to fulfil the contract, we will send you messages about status changes in your Travel ID profile. This includes, among other things, expiry of the validity of your travel documents, payment methods or password uploaded via your Travel ID profile.

If you have not logged into your Travel ID profile for three years, we will ask you to log in again. If we do not find any activities in your Travel ID profile within a further six months, we will delete them (see the section “Deleting your Travel ID profile”).

The legal basis for processing your data is the performance of the contract in accordance with Art. 6(1)(b) GDPR.

When you visit our websites and use our mobile apps and other touchpoints on the ground and on board our aircraft, our aim is to make it easier and quicker for you to find and use the information that is relevant to you. You therefore have the option of registering there with your Travel ID and being contacted personally, for example receiving information that matches your current flight booking or your Miles & More membership.

If you do not wish to use the login service, you are, of course, free to use the website/touchpoints without logging in. In this case, the respective content will be displayed without being personalised to you.

The legal basis for processing your data is the performance of the contract in accordance with Art. 6(1)(b) GDPR.

We use the data stored in your Travel ID profile to make the booking process easier for you by using pre-filled forms. This could be data you actively provided during registration or added at some later point, or data you gave as part of a previous booking in relation to your Travel ID and which we automatically take into account for another booking. We also use your data given during your booking to provide you with pre-filled forms for online check-in and at self-service check-in machines, for example. If you fill out other forms, such as during your participation in a contest or when you send customer feedback using one of our electronic feedback forms on the website, the contact details required are also pre-filled using information from your Travel ID profile.

The legal basis for processing your data is the performance of the contract in accordance with Art. 6(1)(b) GDPR.

Flight bookings are automatically saved and displayed in your Travel ID profile if you make the booking while logged in. If you add a flight booking to your Travel ID profile after this, we check whether the booking is complete and add information you have saved in your Travel ID profile as required. No data will be overwritten without your consent.

The summary of your flight bookings is limited to 10 years and also includes the creation and display of flight statistics, among other things.
If you change your previous customer profile from one of the Lufthansa Group airlines to a Travel ID profile, your past flight bookings from your previous customer profile will also be displayed in your Travel ID profile.

The legal basis for processing your data is the performance of the contract in accordance with Art. 6(1)(b) GDPR.

We use your data stored in your Travel ID profile to be able to offer you personalised services. We process data that you entered in your Travel ID profile during registration or at a later date, as well as data that we have recorded, for example, as part of the flight bookings made via Travel ID. This also includes flight delays or cancellations and baggage problems. We also process your data from enquiries made to our service centres and from other interactions, e.g. with the crew on board our aircraft.

As a result of this processing, we can improve our complaint management and offer you a targeted service as a Travel ID customer at all our touchpoints. Your enquiries to our Service Centres will appear in your Travel ID profile and can be managed by you there.

The legal basis for processing your data is the performance of the contract in accordance with Art. 6(1)(b) GDPR.

If you have used products and services of the Travel ID operators using your Travel ID profile, we may wish to contact you about these services, for example, if we have been repeatedly unable to offer you the service promised. We use data for this purpose for example about any problems and customer feedback, the number and severity of the incidents, travel and service preferences and events in your Miles & More membership.

The legal basis for processing your data is our legitimate interest in accordance with Art. 6(1)(1)(f) GDPR.

If you belong to one or more customer groups (e.g. students), you can have your belonging to such a customer group checked and save the confirmation in your Travel ID profile. If you subsequently book a trip while logged in, for example, we can use the customer group status stored in your Travel ID profile to check whether you are authorised to benefit from customer group-specific benefits.

The legal basis for processing your data is provided by your consent granted in accordance with Art. 6(1)(a) GDPR.

You have the right to withdraw your consent to the confirmation of your customer group at any time without affecting the lawfulness of any storage on the basis of this consent before such consent is withdrawn. To do this, you can cancel the confirmation(s) in your Travel ID profile under “Customer groups”.

The entitlement to special terms and discounts is automatically cancelled once they expire.

You may store your travel documents, e.g. passport or visa, in your Travel ID profile. We store this information for you in a separately secured database. If you are logged in and book a trip that requires you have certain travel documents, we will automatically populate your flight booking with the information stored in your Travel ID profile. This process is not carried out if your flight booking already contains your travel documents details.

The legal basis for processing your data is provided by your consent granted in accordance with Art. 6(1)(a) GDPR.

You have the right to withdraw your consent to the use of data from travel documents at any time without affecting the lawfulness of any processing performed on the basis of this consent before such consent is withdrawn. To do this, you can delete your travel documents in your Travel ID profile under “Personal documents”.

Your travel documents will be deleted automatically once they are no longer valid.

We offer you the option of storing your preferred payment methods in your Travel ID profile. You can do this yourself at any time within your Travel ID profile. You also have the option during the booking process of deciding to store in your Travel ID the payment methods you entered for the booking for future purchases.

If you have stored a payment method in your Travel ID profile and make a booking with your Travel ID profile while logged in, we will pre-fill your preferred payment methods or offer you a selection.
You can edit or delete your payment methods at any time.

The legal basis for processing your data is provided by your consent granted in accordance with Art. 6(1)(a) GDPR.

You have the right to withdraw your consent to the storage of your payment methods at any time without affecting the lawfulness of any storage on the basis of this consent before such consent is withdrawn. To do so, you can delete your payment methods in your Travel ID profile under “Payment methods”.

If you have booked a flight, the Lufthansa Group airlines would like to contact you about possible additional services relating to your flight. These additional services may include flight-related services of the Lufthansa Group airlines, such as premium meals or upgrades, but also additional services of partner companies of Lufthansa Group airlines (information about partner companies of the Lufthansa Group airlines): Austrian Airlines, ​Brussels Airlines, Eurowings, Discover Airlines, ​Lufthansa, Swiss International Air Lines), such as rental cars or insurance companies. Data stored about you in your Travel ID profile and with the Lufthansa Group airlines (e.g. flight data, preferences) is processed for this purpose.

The legal basis for processing your data is provided by your consent granted in accordance with Art. 6(1)(a) GDPR.

This consent is given by you during the registration process or later in your Travel ID profile and can be managed by you at any time in your Travel ID profile.

Advertising contact by Travel ID operators

As described in the section “Settings for personalising our offers” in this Privacy Notice, you have the option of giving your consent that we may ascertain your main areas of interest so we can send you information and personalised offers based on this relating to the services of Lufthansa Group airlines and their relevant partner companies (information about partner companies of the Lufthansa Group airlines: ​​Austrian Airlines, ​​Brussels Airlines, ​​Eurowings, Discover Airlines, ​​Lufthansa and ​​SWISS), via digital communication channels (e.g. by e-mail, SMS/MMS, messenger services, search engines, videos and banners), and by telephone or the websites of LHG airlines.

In addition, you can give Miles & More GmbH permission to send you offers relating to possible membership in the Miles & More programme if you are not yet a member of the Miles & More programme.

Since we only want to provide you with information and offers that really interest you, we process the booking information stored with Lufthansa Group airlines with your consent, such as travel route, travel period and booking class, as well as preferences stored in your Travel ID profile. For example, by analysing information regarding your upcoming trip, we may send you special offers or vouchers for additional services for your trip or for services available at your travel destination.

Personalised advertising through customer data matching (CRM Datamatch)

One way to provide you with personalised information and offers tailored to you is to identify you on partner websites or advertiser websites.

For this purpose, we transmit your e-mail address and/or telephone number stored in your Travel ID profile, which was previously encrypted using the SHA 256 hash algorithm recommended by the German Federal Office for Information Security as “cryptographically strong”, to a data clean room. A data clean room is a secure environment isolated from external technical influences for the processing of personal data. Its purpose is to facilitate the exchange of data between advertising companies, in this case the Travel ID operators, and partners or providers of advertising spaces, while as far as possible protecting the privacy of the customers concerned. For this purpose, the partners or advertising companies also provide data from their customers to the data clean room using the same encryption method. As part of data matching, hits (Datamatch) are sent to audiences (groups of people), which in turn can be analysed by the Travel ID operators and used for advertising purposes. Access to the data transferred by us to a data clean room will be granted solely to partners and providers of advertising spaces selected by us and after corresponding data processing contracts have been concluded.

Depending on the technological development and marketer-supported technology, we ensure that stronger and more secure encryption and/or extensions are used.

CRM Datamatch with Google Customer Match

In the case of CRM Datamatch with Google Customer Match, we transfer encrypted data to a data clean room operated by Google in accordance with the procedure described in the section “Personalised advertising through customer data matching (CRM Datamatch)”. In this data clean room, Google compares the data we provide with that of Google Account customers who are encrypted using the same SHA 256 hash algorithm. Matches are then compiled by Google in a list of what are referred to as “audiences”. As soon as this process is completed (max. 48 hours), the encrypted data is deleted. If you belong to such an audience, Google can then identify you when you are surfing using Google platforms and show you our personalised advertising.

Another prerequisite for processing your personal data in Google Customer Match is that you have a Google Account for which you have given Google permission to display personalised advertising. You can amend this setting to suit your preferences under the data protection tab in your Google user account.

The controller for processing personal data within the scope of Google Ads/Google Customer Match as defined in the GDPR is Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd is a subsidiary of Google LLC, which has its registered head office in California, USA, and is subject to the laws of that location. It may therefore also be obliged to provide access to data processed outside the USA.

You can find further information about the processing of your personal data by Google in the Google Privacy Notice.

Personalised advertising through customer data matching via Meta

So that we can display personalised advertising to potential new customers or prospects on Meta platforms such as Facebook and Instagram, and measure the performance of our advertising activities, we use Meta Pixel technology in conjunction with Meta Conversion API of the company Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (referred to below as “Facebook”). In so doing we record visits to our websites, your flight searches and bookings, and send these to Facebook in encrypted form using the SHA 256 hash algorithm. Facebook uses this data to identify its own customer groups with similar interests and allows us to display advertising to these customer groups on Facebook and Instagram. We also have the option of presenting offers relating to flight searches to undecided customers.

Meta Platforms Ireland Limited is a subsidiary of Meta Platforms Inc., which has its registered head office in California, USA, and is subject to the laws of that location. It may therefore also be obliged to provide access to data processed outside the EU.
We are joint controllers with Meta for the collection and transfer of data in this process. We have a corresponding agreement with Meta governing our responsibility as joint controllers.

You will find further information about the processing of your personal data at Facebook in the ​Facebook Privacy Notice.

You can contact the Data Protection Officer of Facebook via the online contact form provided by Facebook.

The legal basis for all processing of your data listed in the section “Personalised advertising communication” is provided by the consent you have given for this in accordance with Art. 6(1)(a) GDPR.

This consent is given by you during the registration process or later in your Travel ID profile and can be managed by you at any time in your Travel ID profile.
You can also decide for yourself the extent to which you wish to receive information and individual offers from us by adjusting your communication settings. You may also withdraw your consent to marketing communications for individual areas (such as for the e-mail newsletter) in your Travel ID profile.

If you have a Travel ID profile and your Travel ID profile is not linked to a Miles & More member account, Lufthansa Group airlines will exchange your data with each other in order to offer you the services specified in the Travel ID Terms and Conditions Of Use. Miles & More GmbH will only receive data from you that is required to manage your Travel ID profile (e.g. contact details, date of birth and your voluntarily stored profile data) and will not process this data for its own purposes.

If you have linked your Travel ID profile to your Miles & More member account, the Travel ID operators will exchange your data with each other in order to offer you the services specified in the Travel ID Terms and Conditions of Use. You can decide whether to create this link yourself. Data matching is performed between your Travel ID profile and your Miles & More account when you create the link. Specifically, the data you have stored in both accounts will be transferred as follows:

All master data (such as name, date of birth, postal address, telephone) and preferences (such as preferred departure airport) is automatically transferred from your Miles & More account. The e-mail address will be taken from your Travel ID profile.

The legal basis for transferring your data is the performance of the contract in accordance with Art. 6(1)(b) GDPR.

If you have given Miles & More GmbH your consent as specified in section 12 to receive personalised advertising communication (see the section “Personalised advertising communication”), Miles & More GmbH will also process your flight data (such as your route, travel class, departure airport and destination airport) for this purpose.

Your customer group status is verified by our commissioned processor SheerID, Inc. with its registered office in the USA. Data transfers are carried out based on the EU-U.S. Data Privacy Framework under which SheerID, Inc. is certified with the U.S. Department of Commerce.

Your personal data is also processed in principle within the EU.

When you log into a website or other touchpoint of a Travel ID operator for the first time, you will be asked to enter your access details. In order to recognise you during your session, we set a “log-in” cookie. This cookie allows you to visit websites of other Travel ID operators without having to long into your Travel ID credentials again.

You can also choose actively to enable a “stay logged-in” feature when logged into Travel ID operators’ websites, which means that you will not be required to log in again after ending your session and later re-visiting the website.

We also use cookies for this purpose so that when you return to the website/touchpoint, you will be recognised automatically.

When the “stay logged-in” feature expires, you will be asked to log in again. In addition, you will always be prompted to log in again if you are in the process of carrying out activities which require an enhanced level of security.

The legal basis for processing your data is provided by your consent granted in accordance with Art. 6(1)(a) GDPR.

We process your data to the extent and as long as necessary for the processing purposes described in this Privacy Notice.

If the purpose for which your data was processed no longer applies, this data will be deleted, unless the retention thereof is required for the following purposes:

• Fulfilment of statutory retention periods, which may result from obligations under commercial or tax law; these periods may be for up to ten years
• Assertion, exercise or defence of legal claims

In these cases, the processing of your data is restricted (“blocked”) so that it can no longer be processed for other purposes.

If you no longer wish to use the Travel ID services, you may delete your Travel ID profile at any time. The personal data collected in connection with your use of Travel ID will then be deleted immediately, subject to conflicting statutory retention requirements.

You can delete your Travel ID profile yourself as well as any specific items of data you have provided in your Travel ID profile by logging into your Travel ID profile and performing the deletion there.

We also delete your provisional Travel ID profile if you do not confirm your registration within the period stated in the confirmation e-mail, or if you have had a confirmation e-mail with an activation link sent to you more than three times and do not use it.

We also delete your profile after a specific period of inactivity (see the section “Notification service about your Travel ID profile”).

Your rights

As a data subject, you can exercise the following rights where the respective statutory requirement is met:

• Right of access, Art. 15 GDPR
• Right to rectification, Art. 16 GDPR
• Right to erasure (“right to be forgotten”), Art. 17 GDPR (see also the section “Deleting your Travel ID profile” in this Travel ID Privacy Notice)
• Right to restriction of processing, Art. 18 GDPR
• Right to data portability, Art. 20 GDPR
• Right to object, Art. 21 GDPR (see also the section “Right to object under Art. 21 GDPR” of this Travel ID Privacy Notice)

Insofar we process your data on the basis of consent, you have the right to withdraw this consent at any time without affecting the lawfulness of any processing performed on the basis of this consent before such consent is withdrawn.

To exercise your rights, you can contact the respective Travel ID operators from the section “Who can you contact?” of this Privacy Notice. In order to be able to process your application and identify you, we will process your personal data in accordance with Art. 6(1)(c) GDPR.

In your Travel ID profile, you can also check the current status of most of your master data yourself at any time. Please update your personal data immediately after any changes occur (for example your postal address, e-mail address or telephone number). To delete your Travel ID profile, you can also proceed as described in the section “Deleting your Travel ID profile”.

You also have the right to lodge a complaint with a regulatory authority: Art. 77 GDPR.

Competent regulatory agencies

You will find a list of all data protection authorities responsible for the Travel ID operators below.

The competent supervisory authority for Deutsche Lufthansa AG, EW Discover GmbH and Miles & More GmbH is:

The Officer for Data Protection and Freedom of Information of the State of Hesse
P.O. Box 3163
65021 Wiesbaden
Germany

Tel.: +49 611 14 08 - 0
Fax: +49 611 14 08 - 900 or 901

E-mail: poststelle@datenschutz.hessen.de

The competent supervisory authority for Eurowings GmbH is:

Regional Officer for Data Protection and Freedom of Information
State of North Rhine-Westphalia
P.O. Box 20 04 44
40102 Dusseldorf
Germany

Tel.: +49 211 38 424 - 0
Fax: +49 211 38 424 - 999

E-mail: poststelle@ldi.nrw.de

The competent supervisory authority for Austrian Airlines AG is:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Austria

Tel.: +43 52 152 - 0

E-mail: ​dsb@dsb.gv.at

The competent supervisory authority for Swiss International Air Lines AG is:

Swiss Federal Data Protection and Information Commissioner
Feldeggweg 1
3003 Bern
Switzerland

Tel.: +41 58 46 24 395
Fax: +41 58 46 59 996

For data processing that is subject to the GDPR:

The Officer for Data Protection and Freedom of Information of the State of Hesse
P.O. Box 3163
65021 Wiesbaden
Germany

Tel.: +49 611 14 08 - 0
Fax: +49 611 14 08 - 900 or 901

E-mail: poststelle@datenschutz.hessen.de

The competent supervisory authority for Brussels Airlines SA/NV is:

Autorité de protection des données
Gegevensbeschermingsautoriteit
Data Protection Authority
Rue de la presse 35, 1000 Brussels
Belgium

Tel.: +32 2 27 44 800

E-mail: contact@apd-gba.be

For reasons arising from your specific situation, you have the right to object at any time to processing of your personal data based on Art. 6(1)(f) GDPR (Lawfulness of Processing).

In the event of an objection, we will no longer process the personal data that concerns you, unless we can prove that there are compelling reasons for the processing that are worthy of protection and that outweigh your interests, rights and freedoms, or if the processing is used to enforce, exercise or defend legal claims.

If the personal data concerning you is processed by us for the purpose of direct marketing, and you object to this processing, the personal data concerning you will no longer be processed for these purposes.

You can object to the processing of your personal data at any time, for example via the contacts specified in the section “Who can you contact?”.

We use technical and organisational security measures to protect your data against accidental or deliberate manipulation, loss, deletion, or access by unauthorised persons. Our security measures are continuously improved as new technology develops.

In connection with the processing operations described in this Travel ID Privacy Notice, we may disclose your data to the following categories of recipients:

• service providers with whom we cooperate on the basis of a commissioned data processing agreement in accordance with Art. 28(3) GDPR;
• governmental agencies and authorities, e.g. due to police and investigative activities.

In such cases, personal data may be transferred worldwide to third countries or international organisations. For your protection and to protect your personal data, appropriate security precautions will be taken for such data transfers in compliance with and in accordance with the law.

If these transfers are made to a third country for which the EU Commission or competent authority has not issued an adequacy decision, we use standard EU contractual clauses. Information about EU standard contractual clauses is available on the European Union website.

In exceptional cases, transfer to countries without adequate protection may also be permissible in other cases, e.g. based on consent, in connection with legal proceedings or if the transfer is necessary for the execution of a contract.

We review this Travel ID Privacy Notice regularly and will update it as required. We will inform you if there are material changes to this Travel ID Privacy Notice (for example on our websites).