Data protection notice of Discover Airlines

The data protection officer responsible for the processing of personal data is:

EW Discover GmbH
Hugo-Eckener-Ring 1
FAC Building
60549 Frankfurt am Main

Insofar as “we” or “us” is mentioned in this data protection notice, this refers to the aforementioned company. For questions and information on the topic of data protection, in connection with our website or the services offered there, please contact
legal4y@lufthansa-group.com or the group data protection officer of the Lufthansa Group at datenschutz@dlh.de.

If you contact us by email, the correspondence will not be encrypted.

In compliance with the data protection regulations, we only process personal data if a legal regulation allows us to do so or if consent has been given. This also applies to the processing of personal data for advertising and marketing purposes. On this website, we may also collect information which, in itself, does not allow us to directly identify you. In certain cases, especially when combined with other data, this information may nevertheless be considered “personal data” as defined by data protection law. Furthermore, we may also collect information on this website that does not allow us to identify you directly or indirectly; this is the case, for example, with summarized information about all users of this website.

Log files: When you visit this website, our web server automatically stores data and information from the end device and browser you use. This includes information about the browser type and the version used, the operating system, the internet access provider, the IP address of your end device, the date and time of access, the website from which you are visiting our website and the pages you have visited on our website. We process this technical information in the log files of our systems and do not combine it with other personal data about you. We process the technical information to allow you to access our website, to ensure the functionality of our website and the security of our IT systems, and to optimize our website.

Flight booking: We process data for the execution of the completed contract of carriage. The legal basis is Article 6 para. 1b) GDPR.

Booking data: (in particular: first/last name, invoice address, email, payment method details and, if applicable, passport/visa information) We process this data to implement the contract of carriage concluded with you; the legal basis is Article 6 para. 1b GDPR. In addition to the specified payment method data and contact details of the customer, browser data of the used device is forwarded to payment service providers. The legal basis for the transmission is Article 6 para. 1 S.1. lit. c GDPR.

Flight-related mailings: We use the e-mail address provided by you to send flight-related information and offers, e.g., to remind you of the check-in, to offer you additional services for the flight (seat, item of baggage, meals, more legroom) and to send you partner offers. The legal basis is Article 6 para. 1f GDPR and §7 UWG.

Passenger information: If a flight is (also) booked for one or more other persons, we also need the first and last name of these passengers, as well as the e-mail address and cellphone number of at least one passenger from the travel group. This information is also required to complete the booking. We need this information in order to fulfill our obligations under the contract of carriage, to issue a boarding pass and to inform you about any flight schedule changes that occur. The legal basis is Art. 6 para. 1 b) GDPR. When booking a flight for one or more additional people, please provide the person or persons in question with this data protection notice.

Advanced Passenger Information (API): An increasing number of destination countries (perspectively also member states of the European Union) obligate us as an airline to transmit passenger data on arrival or departure, in some cases even when merely flying over the respective country. The corresponding statutory regulations generally include the transmission of data on the identity and travel documents (passport, visa) of the passengers and crew members taken on board. Not all of this data is collected by us at the time of booking; the collection is often made shortly before departure, possibly via the “machine-readable section” of newer travel documents. We process this data exclusively for transmission to the authorities of the respective destination country in compliance with our legal obligations; the legal basis is Article 6 para. 1 c) GDPR.

Points of contact: In application of Regulation (EU) 996/2010 on the investigation and prevention of accidents and disruptions in civil aviation, it is possible to name a point of contact who should be informed if necessary. This information is linked to the booking and is used exclusively to fulfill the aforementioned regulation. The legal basis for the processing of this data is Article 6 para. 1 c) GDPR.

Frequent flyer programs: For flight bookings, award points/miles can be collected from frequent flyer programs of our partners. We need the respective program number (e.g., Miles & More number) for this. We also ask for the information which is required to process the booking. We send our partners the program number provided as well as the last name, first name, booking class, flight route, airfare, booking code, seat number and ticket number so that the award points/miles can be credited to you in the respective program. The justification is Article 6 para. 1 b) GDPR.

Baggage data: All personal data relating to baggage handling will be processed to execute the contract of carriage. In addition, additional personal data may be processed (e.g., to find lost items of baggage, etc.). The legal basis for this is Art. 6 para. 1 lit. b GDPR.

Contact: You can contact us via our contact form, the call center, by e-mail, social media and via the form for checking a compensation claim pursuant to Article 7 VO 261/04 Data Protection Notice EW Discover GmbH. We collect all data provided and store it to the extent necessary for the processing of your request. If necessary, data may be stored longer after completion of the processing for reasons of securing evidence. The legal basis is Article 6 paragraph 1 a), b) and f) GDPR.

Other legitimate interests: Where required, we also process your data for purposes beyond the aforementioned purposes, for example in order to safeguard our legitimate interests or the interests of third parties; this is done on the basis of Article 6 para. 1 f) GDPR. Our legitimate interests include:

• the assertion of legal claims and the defense in legal disputes
• the prevention and solving of criminal offenses
• the management and further development of our business activities, including risk management
• the improvement of our services, e.g., by temporarily storing e-mail addresses for quality purposes with regard to our contact form

Cookies and tracking: In order to make our offers as user-friendly as possible, we use so-called “cookies” or “tracking software.” The legal basis for this data processing is Art. 6 para. 1 lit. a GDPR. Cookies are small text files that are stored in the internet browser you use after our website is accessed. A cookie contains a characteristic string that enables a unique identification of the browser when a website is opened again. Since cookies can be stored on your computer, you have control over their use. You can set your browser to inform you about the placement of cookies. This makes the use of cookies transparent to you. You can delete cookies that have already been stored at any time. (You can also do this automatically.) In addition, you can generally refuse the storage of cookies via your browser settings.

Tracking software collects pseudonymous usage data to enable a definitive identification of the browser. No data is stored on your end device during this process except for cookies (see above).

All services that we use to set and process cookies can be found in our Cookie policy.

You can adjust your consent via the link “Change cookie settings,” at the bottom of each page.

Your personal data will generally be processed within our company. Depending on the type of personal data, only certain departments/organizational units have access to your personal data. This includes, in particular, the specialist departments involved in providing our services and our IT department. Based on a role and authorization concept, access within our company is limited to those functions and the scope required for the respective processing purpose.

We may also transmit personal data to third parties outside our company to the extent permitted by law. These external recipients may, in particular, include:

• service providers we use to provide our services, insofar as the transmission is necessary to fulfill the contracts concluded with us, such as ground handling services, call centers or travel partners;
• other airlines (e.g., wet lease partners) and airports that are part of your itinerary or are destinations of your flight;
• IT service providers for the operation and maintenance of our IT infrastructure (e.g., IT maintenance, IT support and development or cloud and hosting providers)
• credit institutions and providers of payment services for billing and processing of payments;
• shipping service providers, media and marketing agencies (e.g., for market research, advertising communication or campaign management);
• consultants or consulting companies (e.g., attorneys, auditors);
• debt collection service providers and attorneys in order to collect claims and enforce claims in court;
• public bodies (e.g., customs, aviation federal office, tax authorities, police, public prosecutors’ office, supervisory authorities), insofar as we are obligated to transmit your personal data due to legal obligations (e.g., entry regulations, police and investigation activities or in questions of aviation security).

In connection with the operation of our website, we generally do not use automated decision-making (including profiling) in accordance with Article 22 GDPR. If we use such procedures in individual cases, we will inform you separately about this in the legally intended scope.

The processing of your personal data is generally carried out within the EU or the European Economic Area. In certain cases, information may be transmitted to recipients in so-called “third countries.” “Third countries” are countries outside the European Union or the Agreement on the European Economic Area, in which a level of data protection comparable to that in the European Union cannot necessarily be assumed.

If the transmitted information also includes personal data and we are not obligated to provide information due to a legal obligation (such as Advance Passenger Information), we will ensure before such a transfer that the appropriate level of data protection required is guaranteed in the respective third country or with the recipient in the third country. This can, in particular, be derived from a so-called “adequacy decision” of the European Commission, which determines an adequate level of data protection for a specific third country as a whole. Alternatively, we may also base the data transfer on the so-called “EU Standard Contractual Clauses” agreed with a recipient or — in the case of recipients in the USA — on compliance with the principles of the so-called “EU-US Privacy Shield.” On request, we are happy to provide you with further information on the suitable and appropriate guarantees for complying with an appropriate level of data protection.

Your personal data will be deleted as soon as it is no longer required for the stated purposes. However, we may need to continue to store your data until the expiry of the retention obligations and periods issued by the legislature or supervisory authorities, which may arise from the Commercial Code, the Tax Code and the Money Laundering Act and generally amount to six to ten years. In addition, we may retain your data until the expiry of the statutory limitation periods (i.e., as a rule three years; in individual cases, however, up to 30 years), insofar as this is necessary for the assertion, exercise or defense of legal claims. After that, the relevant data will be routinely deleted.

Even without a legitimate interest, we can continue to store the data if we are legally obliged to do so (for example, to fulfill obligations to preserve records). We also delete the personal data without any assistance as soon as it is no longer required for the fulfillment of the processing purpose or if the storage is otherwise legally inadmissible.

As a rule:

• The log data is deleted within 30 days, provided that further storage is not required for legally intended purposes, such as the detection of misuse and the detection and elimination of technical malfunctions.
• The data processed in connection with a flight booking is deleted after the expiry of the statutory retention periods (max. ten years) at the latest.
• The data processed in connection with customer communication is deleted after a maximum of five years (Regulation (EC) No. 261/2004).

In the following data protection notice, we inform you about the processing of your personal data in relation with your use of Travel ID: ​Travel ID data protection notice

Additional mailings: If you have given us your consent, we will use your email address and relevant flight data to send you offers as well as offers from partners (such as upgrades, flight-related services, feedback). The legal basis for this is Article 6 para. 1 a GDPR. Your consent can be revoked at any time via the unsubscribe link.

To use self services, request general information or to learn about future travel destinations, you may contact us via our chat service on our website or via specified messenger services. If needed or depending on the complexity of your request, your request can also be handled by one of our service agents as part of a live chat.

In order for you to use our services, e.g., rebooking your flight/getting a refund for it or getting answers to questions about products and services related to your trip, we request personal data (e.g., your booking number) from you that is required for the respective purpose.

If you have registered with your Travel ID profile, we can also offer you a personalized service based on the information stored in your Travel ID profile, e.g., displaying a selection of your bookings. Further details on the processing of your data within the framework of Travel ID use can be found in the Travel ID data protection notice.

For contact via WhatsApp, we have arranged contract data processing with WhatsApp Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Ireland. WhatsApp encrypts the communication end-to-end. Therefore, information disclosed in the chat cannot be viewed by WhatsApp. Information on the processing of personal data when using WhatsApp can be found in WhatsApp’s privacy policy.

The processing of your personal data is generally done within the EU.

Our Inflight Entertainment program offers a wide range of movies, music, magazines and much more. Via the free FlyNet portal section, you can access tips and the latest weather report for your destination, shop in the Lufthansa WorldShop and find out about flight connection services. Here, we only process personal data (internet log data) that is required for the display and functioning of the website. Via the FlyNet program, we also offer you internet access on our flights, subject to an additional charge. You can purchase the access package that suits you directly from our partner Deutsche Telekom in the FlyNet portal.

The legal basis for the processing of your personal data is the contract of carriage concluded with you.

To customize our Inflight Entertainment program and FlyNet services, you can also log in with your Travel ID profile.

Right to object according to Art. 21 GDPR
You have the right to object at any time to the processing of the personal data concerned, which is based on Article 6 para. 1 e) or f) GDPR, for reasons arising from a special situation; this also applies to profiling based on these provisions. In the event of an objection, we will no longer process the personal data in question unless we can prove compelling legitimate grounds for processing that outweigh the interests, rights and freedoms; or the processing serves to assert, exercise or defend legal claims. If we process the personal data in question for the purpose of direct marketing, you have the right to object at any time to the processing of the personal data in question for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct advertising. If you object to the processing for direct advertising purposes, the personal data in question will no longer be processed for these purposes. It is possible to exercise the right of objection in connection with the use of information society services — regardless of Directive 2002/58/EC — by means of automated procedures, using technical specifications.

Withdrawal of consent
If you have given us consent (e.g., regarding information by email), such consent can be revoked at any time with effect for the future. In our email information, we generally provide a corresponding link in each of our newsletters. Otherwise, you are welcome to contact us, e.g., by sending a message by mail, fax or e-mail, via one of the contact channels listed on the first page of this data protection notice.

Additional rights
The data subject has the right:

• to information (Art. 15 GDPR);
• to correction (Art. 16 GDPR)
• to deletion (Art. 17 GDPR)
• to the restriction of processing (Art. 18 GDPR)
• to data transfer (Art. 20 GDPR)
• to lodge a complaint with the supervisory authority (Art. 77 GDPR)