The Lufthansa Data Protection Officer is also responsible for questions related to data protection at MMG. Please contact us if you have any questions about data protection: e.g. by post: Konzern-Datenschutzbeauftragte(r), FRA CY, 60546 Frankfurt/Main or by e-mail: 027021059029047057025035061059071000027043035001027029.
If you contact us via email the communication will be unencrypted.
We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG).
We process personal data to fulfil our contractual obligations as per Article 6 Paragraph 1 Subparagraph 1(b) GDPR. This includes in particular:
Our company regularly checks and monitors your creditworthiness when contracts are concluded and also, in certain cases where there is a legitimate interest, the creditworthiness of existing customers. To do this, we work together with Creditreform Boniversum GmbH, Hammfelddamm 13, 41460 Neuss, from whom we receive the necessary data. We therefore share your name, address and date of birth with Creditreform Boniversum GmbH. The information pursuant to Art. 14 of the EU General Data Protection Regulation on the data processing taking place at Creditreform Boniversum GmbH can be found here:
For consumers: information pursuant to EU-GDPR | Boniversum | https://www.boniversum.de/en/eu-gdpr/information-required-under-the-eu-gdpr-for-consumers
We also process your data to protect our legitimate interests as per Article 6 Paragraph 1 Subparagraph 1(f) GDPR
Based on your consent, we process your data in accordance with Article 6 Paragraph 1 Subparagraph 1(a) GDPR for specific purposes, in particular:
You can withdraw your consent at any time. This also applies to the withdrawal of declarations of consent issued to us before the GDPR came into force (i.e. before 25 May 2018). The withdrawal of consent is only effective for the future and shall not affect the lawfulness of data processed up to the point of withdrawal. For further information, please see the „How can you withdraw your consent?“ section.
You can use our website without directly providing any personal data (such as your name, postal address or email address). In this case we also have to collect and store specific information so that you can access our website.
You can use our website without directly providing any personal data (such as your name, postal address or email address). In this case we also have to collect and store specific information so that you can access our website.
1.1 Logfiles
When you visit our website, our internet server automatically records the domain name or IP address of the requesting computer, as well as the date and time of access, client file request (file name and URL), HTTP response code, browser type, the website from which you are visiting and the number of bytes transferred in the course of the connection. These data are deleted as soon as you end your visit to our website. For legal purposes - particularly detecting misuse and identifying and resolving technical malfunctions - we save the logfiles from your web server and application server, including your IP address, for 90 days.
1.2 Cookies / Web Beacons
“Cookies” are small text files that a web server (e.g. the web server of www.miles-and-more.com) sends to your browser when you visit a website. Depending on your browser settings, cookie files will either be saved or rejected. If such a cookie is saved, our web server will be able to recognise your end device. During subsequent visits to the same website, and when switching between features that require entering a password, the cookie reduces the amount of the information you need to input. Cookies thus make it easier to use websites that require user input.
Web beacons are small graphic files (also designated “pixel tags” and “clear GIFs”), which may be present in our web pages, applications and newsletters. They are generally used in conjunction with cookies to identify users and user behaviour. The above statements about cookies apply correspondingly to web beacons; specifically web beacons will not be used if you have deactivated the corresponding cookies.
We use:
Furthermore, we differentiate between the following categories of cookies:
You can view our cookie guidelines here.
Cookie selection in Consent Manager
When you visit our platform for the first time, a so-called “consent manager” opens in a pop-up window. In this consent manager, you can select which category of cookies you want to accept. You can change your selection at any time by clicking on the “Cookie settings” at the bottom of the page. Changing the settings will not automatically delete the cookies. To do this, please see the following instructions.
Cookie browser settings
You can configure your browser so that cookies are accepted or blocked. In addition, you can specify that all cookies are deleted at the end of a session or you can delete cookies manually on an individual basis. Please note that if you block or delete specific cookies, certain features of our website may only be available on a limited basis or not at all. In particular, you will not be able to access your personal profile and you will not receive content that has been tailored to you personally.
Your browser may already be configured in such a way that a warning message is displayed each time it receives a cookie. This notification can be very disruptive, as the identification cookie must be resent every time you access each individual page of our website. We therefore recommend that you configure your browser so that cookies from www.miles-and-more.com are always accepted. You can individually configure this setting for each website you visit.
Below you will find general guidance on how to manage cookies in the case of the most common browsers:
Google Chrome1.3 Web analysis
1.3.1 Web analysis with etracker
We use services provided by etracker GmbH (Hamburg, Germany) on our website to analyse usage data (www.etracker.com). Cookies make it possible to undertake a statistical analysis of the use of this website by visitors and to display usage-orientated content or advertising. Please note that etracker cookies do not contain any information that could be used to identify a user.
etracker only processes and stores the data it collects on behalf of the provider of this website in Germany and is therefore subject to the stringent German and European data privacy laws and standards. In this regard, etracker has been independently audited, certified and awarded the ePrivacyseal, a data privacy seal of approval.
The legal foundation for the data processing is Article 6 Paragraph 1(f) (legitimate interest) of the EU General Data Protection Regulation (GDPR). Our legitimate interest lies in optimising our online offering and web presence. As the private sphere of our visitors is particularly important to us, their IP addresses are anonymised by etracker at the earliest point in time possible, and login or device identifiers are converted to a code that is unique but cannot be assigned to an individual. etracker does not use this data in any other way, combine it with other data or pass it on to third parties.
1.3.2 Web analysis with Adobe Analytics
Our website, app and digital communication media use Adobe Analytics, a web analysis service provided by Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland („Adobe Analytics“).
Adobe Analytics use cookies, in particular the 2o7.net and omtrdc.net domains that belong to Adobe. Adobe Analytics also uses web beacons (cf. Point 1.2, last paragraph). A web beacon is a transparent graphic (usually 1 pixel x 1 pixel) that is placed on digital content and can be used to identify access to this content by visitors. It enables us to determine the activities of visitors who open a website, app or communication medium with the web beacon.
Adobe Analytics abbreviates and thus anonymises your IP address, which is then only used in this anonymised form.
The information obtained via cookie or web beacon is only transmitted to an Adobe data centre located in a member state of the European Union or in other contracting states of the Agreement on the European Economic Area. Adobe only uses this information on our behalf and only for the aforementioned purposes.
If you do not want us to collect and use such information via cookies through Adobe Analytics, you can object to this here. When using our app, you can object to this information being collected by deactivating the button at the end of the privacy policy. A corresponding opt-out cookie is then placed on your device. This cookie does not contain any values suitable for tracking, but merely makes it possible to recognise your objection so that no data is transmitted to Adobe servers for tracking purposes.
You can also set your internet browser so that it does not accept any cookies and thus prevent Adobe Analytics from collecting data. The same applies to the „Do Not Track“ function or the deactivation of the graphic display for web beacons. Please clarify the steps required to do this in the operating instructions for your internet browser, as the relevant settings differ between browser providers.
Further information on Adobe Analytics and data privacy at Adobe can be found at www.adobe.com/uk/privacy.html.
1.3.3 Google Shopping Ads
We use Google Shopping Ads, an online advertising programme provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Via this service, we show you advertisements in the Google search engine or on third-party websites when you, as a user, enter certain search terms on Google. Furthermore, targeted advertisements can be displayed based on the user data available from Google (e.g. location data and interests). As the website operator, we can evaluate this data quantitatively; for example, by analysing which search terms have led to our advertisements being displayed and how many advertisements have led to corresponding clicks.
The use of this service is based on your consent in accordance with Art. 6 Para. 1 lit. a GDPR and Section 25 Para. 1 TTDSG (German Telecommunications and Telemedia Data Protection Act). This consent can be withdrawn with effect for the future at any time. You can give and withdraw your consent in our Cookie Consent Manager by using the "Cookie Settings" link at the bottom of each page.
If you have a Google account, you can also object to personalised advertising using the following link: https://www.google.com/settings/ads/onweb/. Further information can be found in Google's privacy policy at https://policies.google.com/technologies/ads?hl=en.
It is possible that Google may also use the data about your usage behaviour that it collects via our website for its own purposes or for the purposes of other Google customers (e.g. to show personalised third-party advertisements). Any such further processing of the data, as well as the processing of the data after it has been transferred by us to Google, will be carried out by Google Ireland Limited as the sole data controller. In this context, Google Ireland Limited may store data about you in the USA in its role as the data controller. With regard to the USA, the European Court of Justice has ruled that the level of data protection there does not correspond to the level within the EU. In particular, it cannot be ruled out that US security authorities may access your data without you having adequate legal redress against this.
1.4 Functionalities
We provide various functionalities on our website for which we must collect personal data or other information. For example, these functionalities can be made accessible only to Miles & More members who log in using their identification details (e.g. Miles & More card number and PIN or user name and password) or to registered customers after login.
As a Miles & More member or registered customer you can access your customer profile via our website where you can, among other things, view and amend your saved personal data. For example, you can save, view and amend the following data in your customer profile: name, address, contact details, payment data, orders, language settings etc. As a Miles & More member you can also view the status of your mileage account and request specific awards. If more personal data is needed to use the functions, this will be indicated on our website accordingly. Mandatory information is highlighted separately; it is not possible to use the relevant function without providing the mandatory information.
On our website, we can also offer you functionalities that can be used without logging in as a Miles & More member or registered customer. We must nevertheless collect personal data or other information for this, e.g. if you take part in a survey or competition on this website or if you send us questions or feedback. Without your further consent, we will only collect, process and use such data and information to the extent required for the relevant functionality (e.g. for answering your question or processing your feedback). Detailed information on how data is collected during competitions can be found in the entry terms and conditions for the relevant competition.
1.5 Links and data collection on third party websites
You may be directed via links on our website to third-party websites that are not operated by us. For example, they may be websites operated by partner companies with whom you can earn miles or who have special offers for Miles & More members or where you can find information about products and services. We have no influence over the collection, processing and use of your personal data on such third party websites. This is performed by the providers of the relevant website. Please therefore read the terms of use and privacy policies for these websites for more specific information on how they collect, process and use (personal) information.
If you have granted your consent under the heading Newsletter on our website to receiving the newsletter - until you either revoke this consent or until MMG stops sending the newsletter - we would like to give you the following information: The legal foundation for the processing is your consent as per Article 6 Paragraph 1(a) GDPR. Your consent applies to the processing of the following personal data provided voluntarily:
Your consent applies to the use of your email address for sending the newsletter to the stated address. The newsletter provides information about Worldshop offers and issues.
You can withdraw your consent to receiving the newsletter at any time. Further information can be found under the „How can you withdraw your consent?“ section.
For statutory or contractual requirements, we have indicated in the input masks on our website the fields that you must complete so that we can execute the desired contract or service.
For example, we collect the following data when you register or place an order:
If you are already a Miles & More member and are logging in for the first time using your Miles & More service card number/user name and your PIN/password, we will import your details from your Miles & More profile and create a customer account.
Your personal data will be deleted as soon as it is no longer required for the stated purposes. Furthermore, previous orders will be deleted from active customer accounts after four years. Inactive customer accounts will be deleted in full after four years.
However, we might have to store your data until the expiration of retention obligations and periods issued by the legislator or regulatory authority, which might be specified in the commercial code and fiscal code and generally amount to between six and ten years. Furthermore, we can store your data until the expiration of statutory limitation periods (i.e. generally three years; in some cases also up to 30 years) if this is required for asserting, exerting or defending legal claims. The corresponding data is then routinely deleted.
In order to offer you our products and services on the basis of our contractual obligations or legitimate interests, we use service providers and third parties such as service centres, payment providers, logistics, postal and courier companies or IT service providers. If these service providers are processors as per Article 28 GDPR, they will have been carefully selected and work solely in accordance with our instructions. They provide sufficient guarantees for complying with data privacy obligations.
It may be the case that personal data is transferred to third countries or international organisations. To protect you and your personal data, appropriate guarantees are provided for such data transfers in accordance with and consistent with legal requirements.
If these transfers do not have a legal foundation, or take place in a country for which the EU Commission has not issued an adequacy decision, we shall use the standard EU contractual clauses. Information on standard EU contractual clauses can be found on the European Union websites via the link (in german) [https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:DE:PDF].
Furthermore, we are legally obligated in certain cases to make personal data available to German and international authorities as per Article 6 Paragraph 1(c) GDPR in conjunction with local and international regulations and conventions.
The legal foundations for the transfer of data to other third parties and processors are Article 6 Paragraph 1(b) GDPR (executing your purchase contract), Article 6 Paragraph 1(a) GDPR (consent), Article 6 Paragraph 1(f) GDPR (legitimate interest) and Article 28 GDPR.
As a data subject, you can exercise the following rights if the relevant legal requirement applies:
You can use our „GDPR information enquiry“ contact form to exercise your rights. In order to handle your application and identify you, please note that we will process your personal data as per Article 6 Paragraph 1(c) GDPR.
You can update most of your master data in your customer profile on our website at any time. If there are any changes in your personal data (e.g. your postal address, email address or telephone number), please update your customer profile to reflect this.
You also have the right to lodge a complaint with a supervisory authority as per Article 77 GDPR in conjunction with Section 19 BDSG.
The supervisory authority responsible for MMG is:
Der Hessische Datenschutzbeauftragte
PO Box 3163
65021 Wiesbaden
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Telephone: +49 (0)611/1408-0
Fax: +49 (0)611/1408-900 or -901
e-mail: 051049057059057059029043043029000027021059029047057025035061059071001035029057057029047001027029
If you have granted your consent to us processing your personal data, we would like to point out that you can withdraw this consent at any time.
If you have granted your consent to receiving our newsletter, you can withdraw this consent via the „Unsubscribe“ link in the newsletter.
In all other cases, or if you are having problems withdrawing your consent on this website, you can contact the person responsible for data protection.
Please note that withdrawing your consent only has effect for the future and has no influence on the lawfulness of processing performed in the past. In some cases we are entitled, despite your withdrawal, to further process your personal data on a different legal basis, e.g. for performance of a contract.
You have the right to object, on grounds relating to your particular situation, at any time to your personal data being processed as per Article 6 Paragraph 1(e) or (f) GDPR.
We shall no longer process your personal data unless we can demonstrate that there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is required for establishing, exerting or defending legal claims.
If your personal data is processed for direct marketing purposes, you have the right to object at any time to your personal data being processed for such marketing.
If you object to your personal data being processed for direct marketing, it will no longer be processed for this purpose.
In connection with the use of information society services - notwithstanding Directive 2002/58/EC - you have the opportunity to exercise your right to object by automated means using technical specifications.
You can object to the processing of your personal data at any time (e.g. via our contact form) as described in the „What are your data protection rights?“ section.