Discover Airlines

Privacy Policy

We look forward to your visit to our website, where we offer you personalized information about our company and our services. We consider transparency and integrity important issues to consider in the processing of your personal data. We observe data protection regulations, namely the EU General Data Protection Regulation (“GDPR”), the Federal Data Protection Act (“BDSG”) and the Telemedia Act (“TMG”).

In this Privacy Policy, we explain what information (including personal data) we process during your visit and use of our above internet offering (“Website”) and what rights you have over your personal information.

1. Responsibilities
The party responsible (under data protection law) for the processing of personal data is EW Discover GmbH ( Hugo-Eckener-Ring 1, FAC Building, 60549 Frankfurt a. M.). Any references to “we” or “us” in these data protection instructions refers in each case to the aforementioned company. If you have any questions or comments about data protection, please send an email to legal4y@lufthansa-group.com or to the Lufthansa Group data protection officer at datenschutz@dlh.de.

2. Which principles do we observe?
In compliance with data protection regulations, we process your personal data only if permitted by law or if you have given your consent. This also
applies to the processing of personal data for advertising and marketing purposes.

We may also collect information on this website that cannot be used by itself to identify you personally. In certain cases, especially when combined
with other data, this information can nonetheless be considered “personal data” as defined by data protection legislation. We may also collect information on this website that does not allow us to identify you, either directly or indirectly; this includes, for example, aggregated information about all users of this website.

3. What data do we process? For what purposes and on what legal basis does this processing take place?
Log Files: When you visit this website, our web server automatically stores data and information about the device and browser you are
using. This information includes the browser type and version used, the operating system, the Internet Service Provider, the IP address
of your device, the date and time of access, the website from which you visited our website, and the pages you visited on our website. We process this technical information in the log files of our systems and do not combine them with other personal data about you. We process technical information in order to enable you to access our website, to ensure the functionality of our website and the security of our IT systems, and to optimize our website. The legal basis for this type of processing is Article 6, Section1 (f) of GDPR and § 15 Section 1 of TMG.

Flight booking: We process this data for the purpose of fulfilling the contract of carriage into which we have entered with you. This processing is based on Article 6 (1b) of the GDPR.

Booking dates: (specifically your first and last name, your date of birth, your billing address and other details on the payment method you selected, and, if applicable, passport/visa information). You can give additional information on a voluntary basis (such as your email address or cell phone number). Required information is designated as such on our website; without this information, the completion of your booking is not possible. We process this data for the execution of the contract of carriage with you; the legal basis for this is Article 6, Section 1 (b) of GDPR. In addition to the means of payment and contact details provided by the customer, the device’s browser data is passed on to payment service providers. The legal basis for this transfer is Article 6 Paragraph 1 Clause 1(c) of the GDPR.

Flight-related mailings: We use your email address for sending flight-related information and offers by email, such as to remind you
of check-in or to offer you additional services for your flight (seat, carry-on luggage, meals, best-in-class seat pitch) as well as to send Private Policy EW Discover GmbH you partner offers. The legal basis for this is Article 6, Section 1 (f) of GDPR as well as Section 7 of UWG.

Passenger Information: If you book a flight for one or more other persons, we will also need the first and last names of these passengers, as well as their dates of birth. This information is also required for completing the booking. We process this data to safeguard our legitimate interest in the execution of the contract of carriage with you; the legal basis for this is Article 6, Section 1 (f) of GDPR. When booking a flight for other persons, please provide this privacy policy to one or more of these persons.

Advanced Passenger Information (API): An increasing number of destination countries (in the future to include member states of the
European Union) require us as an airline to provide data about passengers entering or leaving the country, in some cases even when flying over the country in question. Applicable legal provisions typically stipulate the provision of data about the identity and travel documents (passport, visa) of the passengers and crew members on board. Not all of these data are collected by us at the time of booking; in many cases, the collection of this information takes place shortly before departure, potentially via the “machinereadable area” of recent travel documents. We process these data
exclusively for provision to the authorities of the respective destination country in fulfilment of our legal obligations; the legal basis for this is Article 6, Section 1 (c) of GDPR.

Contact Persons: In accordance with Regulation (EU) 996/2010 on the investigation and prevention of civil aviation accidents and
incidents, there is the possibility for each passenger to name a contact person. This information is linked to the booking and used
exclusively to meet the requirements of the above regulation. The legal basis for processing this data is Article 6, Section 1 (c) of GDPR.

Partner frequent flyer programs: When booking a flight, you can earn reward points/miles from our partner’s frequent flyer programs. For this, we require the corresponding program number (such as Miles & More). Furthermore, we also ask for information required to process your booking. We transfer to our partners the specified program number as well as your first and last name, booking class, route, fare, booking code, seat number and ticket number so that the bonus points/miles can be credited to the respective program. The legal basis for this is Article 6 (1) b) GDPR.

Baggage data: All personal data relating to baggage handling is processed for the purpose of executing the contract of carriage. Additional personal data may be processed (e.g. to track lost baggage etc.). Legal basis is Art. 6 para. 1 lit. b GDPR.

Contact: You can communicate with us via our contact form, the call center, by email or social media, as well as using the form for investigation of a compensation claim pursuant to Article 7 of Regulation (EC) No. 261/04. We collect all the information you provide and keep it only as long as is necessary for the processing of your request. After processing is complete, the data could be kept longer for reasons of evidence. The legal basis for this is Article 6, Section 1 (a) (b) as well as (f) of GDPR.

Further legitimate interests: To the extent necessary, we process your data beyond the above purposes for the protection of our
legitimate interests or the interests of third parties; this is done on the basis of Article 6, Section 1 (f) of GDPR. Our legitimate interests include:
  • the assertion of legal claims and the defense of legal disputes;
  • the prevention and investigation of criminal offences; and
  • the management and further development of our business activities, including risk management.

Cookies and tracking: We use so-called “cookies” or tracking software in order to make our offering as user-friendly as possible. These purposes also reflect our legitimate interest in the data processing. The legal basis for this data processing is Art. 6 (1) a of the GDPR. Cookies are small text files that are stored in your internet browser after you visit our website. A cookie contains a unique string that enables the clear identification of the browser when the website is called up again. Since cookies can be stored on your computer, you have control over their use. You can set your browser to inform you about the placement of cookies. This makes the use of cookies transparent. You can delete previously stored cookies at any time (and automatically). In addition, you can set your browser settings to refuse the storage of cookies.

Tracking software collects pseudonymous usage data to be able to clearly identify the browser. Apart from cookies (see above), no other data are stored on your device.

Below you will find a list of all the services we use to place and process cookies:
  • discover-airlines.com (cookie)
    Cookie name: cfm_cookieSettings
    Retention period: 90 days
    Purpose: This essential cookie stores the information that a user of the website has consented to the use of cookies.
    Data transmission to a third country: No
    Type of data collected: Technically required cookie
  • Google Analytics (script, cookie)
    Cookie name: _ga, _gid
    Retention period: 26 m.
    Purpose: Google Analytics is a website analytics tool. We use Google Analytics to collect aggregated, anonymous data. This data helps us understand how customers use our platforms and identify areas for improvement. In addition, the data serves critical platform functions like detecting errors, fraudulent uses and provides operational data. We use this information to improve the quality, effectiveness and performance of our platforms, so that you have the best possible experience.
    The Google Analytics script is used to assign values to the cookies that are needed to collect this information. In order to function, Google Analytics sets cookies on your computer. Google does not have the right to access the data. Google Analytics anonymises your IP address to protect your privacy. No other personal identifiable information is collected.
    Data transmission to a third country: No
    Business Address: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland
    Privacy Policy: http://www.google.com/privacy/ You can prevent Google Analytics from collecting and processing your data (including your IP address) by downloading and installing the browser plug-in available from the following link: https://tools.google.com/dlpage/gaoptout?hl=en
    Type of data collected: session identifiers, anonymous user identifiers, encrypted user identifiers, flight search details, booking details, device fingerprint, localisation, anonymised IP
  • Floodlight (script, cookie)
    Cookie name: _IDE, _ga, _gcl_au
    Retention period: up to 2 years
    Purpose: To measure the success of our advertising activities using Google technologies, we use a conversion pixel (Floodlight). A conversion pixel is a tiny, transparent image placed on our websites that enables us to track and measure certain actions by website visitors, such as clicks on interaction elements. The pixel is activated when the action takes place and sends this data back to Google’s technology. We use this information to improve our digital marketing campaigns.
    We also use this conversion pixel for retargeting. Retargeting is a kind of online advertising that enables us to reach individuals who have previously interacted with our website. For this purpose, a cookie is placed in your browser which allows us to show you targeted advertising whilst you browse other websites. The aim is to appeal afresh to users who have already shown interest in us or our products.
    Data transmission to a third country: No
    Business Address: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland
    Google’s privacy policy: http://www.google.com/privacy/ Further information on Google’s privacy policy in relation to advertising is available at: http://www.google.com/privacy/ads/ You can customize your advertising settings on Google at: http://www.google.com/settings/ads/
    Type of data collected: Session IDs, search details, booking details,encrypted user IDs

4. Who receives my data?
In general, your personal data will be processed within our company. Based on the type of the personal data, it can only be accessed by certain departments/organisational units. They specifically include the departments that are responsible for providing our services and our IT department. A role and authorisation concept ensures that access within our company is limited to the functions and scope that are required for the relevant purpose of processing the data.

We may also transmit your personal data to third parties outside of our company where this is permitted by law. Such external recipients include the following, without limitation:
  • Affiliates, for example Eurowings Aviation, as the operator and provider of the Boomerang Club, to which we transmit personal data for internal administrative purposes within the Lufthansa Group;
  • Service providers we use to provide our services where the transmission is required to perform the contracts executed with us, for example ground handling services, call centres or travel partners;
  • Other airlines (e.g. wet lease partners) and airports along your route or where your flight lands;
  • IT service providers, to operate and maintain our IT infrastructure (e.g. IT maintenance, IT support and development, or cloud and hosting service providers);
  • Credit institutions and payment service providers for billing and payment processing purposes;
  • Shipping service providers, media and marketing agencies (e.g. for market research, advertising communication or campaign management);
  • Advisors or consulting firms (e.g. lawyers, auditors);
  • Collection service providers and lawyers, to collect debts and to enforce claims in court;
  • Public authorities (e.g. customs authorities, the German Federal Aviation Authority, financial authorities, the police, the public prosecutor’s office, supervisory authorities), to the extent we are required to transmit your personal data due to legal obligations (e.g. entry requirements, police and investigation activities or matters concerning aviation security).

5. Is there automated decision-making?
In general we do not use any automated decision making (including profiling) in connection with users of our website, as per Article 22 of
GDPR. If we use such procedures in individual cases, we will inform you separately about this to the legally required extent.

6. Will data be transmitted to countries outside of the EU?
In principle, the processing of your personal data takes place within the EU or the European Economic Area.

If the information provided includes personal data and we do not have a legal obligation of disclosure (such as Advance Passenger Information), we
will ensure that the third country or the recipient in the third country has required a sufficient level of data protection. Where the information provided includes personal data and we do not have a legal obligation to disclose such data (e.g. Advance Passenger Information), we will ensure that the third country or the recipient in the third country (for cookies: USA, Belarus, Singapore, Australia, South Africa, Turkey and China) has the required adequate level of data protection. Alternatively, we may also base the transfer of data on so-called “EU standard contractual clauses” agreed with a recipient or, in the case of US recipients, on compliance with the principles of the so-called “EU-US Privacy Shield”. We will gladly provide you with further information at your request about the applicable guarantees for maintaining an adequate level of data protection; our contact information can be found at the beginning of this privacy policy.

7. How long will my data be saved?
Your personal data will be deleted when it is no longer needed for the aforementioned purposes. However, in some cases, we may be required to store your data until the mandatory retention periods established by the legislator or supervisory authorities, which may be contained in the German Commercial Code, the German Tax Code, or the Anti-Money Laundering Act, and generally are 6 to 10 years, have expired. In addition, we may store your data until the expiry of the statutory limitation periods (i.e., generally for 3 years; but in individual cases for up to 30 years) where this is necessary for the assertion or exercise of, or defense against, legal claims. Afterwards the relevant data are routinely deleted. Even without a legitimate interest, we can continue to store the data if we are legally obligated to do so (for example, to fulfil record-keeping obligations). We also delete your personal data without your involvement as soon as its retention is no longer necessary to fulfil the purpose for which Private Policy EW Discover GmbH it was processed, or in cases where storing your data is otherwise legally inadmissible.

In general:
  • log data is deleted within thirty days, unless further storage is required for lawful purposes such as the detection of misuse and the detection and removal of technical malfunctions;
  • the data processed in connection with flight bookings is deleted at the latest upon the expiry of the statutory retention periods (i.e., after a maximum of 10 years); and
  • The data processed in connection with customer communication is deleted after a maximum of five years (Regulation [EC] No. 261/2004).

8. What rights do I have?
Right to object, according to article 21 GDPR
You have the right, at any time, to object to the processing of personal data concerning you pursuant to Article 6, Section 1 (e) or (f) of GDPR for reasons arising from your particular situation; this also applies to profiling based on these provisions. In the event of your objection, we will no longer process the personal data concerning you, unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights, and freedoms, or if the processing is for the purpose of asserting, exercising, or defending legal claims. If we process the personal data relating to you for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purposes of such advertising; this also applies to profiling insofar as it is associated with such direct mail. If you object to the processing for purposes of direct marketing, the personal data related to you will no longer be processed for these purposes.
Regardless of Directive 2002/58/EG, you have the option, in the context of the use of information society services, of exercising your right to object through automated procedures that use technical specifications.

Revocation of consent
If you have given us consent (for example, in connection with information by email, you may revoke such consent at any time with future effect. In our email communications, we generally provide a corresponding link in every one of our newsletters. You can also contact us via other methods, e.g. by post, fax or email using any of the contact methods listed on the first page of this Privacy Policy.

Further rights
As the affected person, you have the right:
  • of access by the data subject (Art. 15 GDPR)
  • to rectification(Art. 16 GDPR)
  • to erasure (Art. 17 GDPR)
  • to restriction of processing (Art. 18 GDPR)
  • to data portability (art. 20 GDPR)
  • entitlement to complaint at a data protection supervisory authority (Art. 77 GDPR)
To exercise your rights, please contact the responsible entity: EW Discover GmbH (Hugo-Eckener-Ring 1, FAC Building, 60549 Frankfurt a. M.), at legal4y@lufthansa-group.com or contact the Lufthansa Group data protection at datneschutz@dlh.de .
Follow us on